Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
24-05-2024 15:01
General
-
Target
6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe
-
Size
936KB
-
MD5
384142bba3fe5feebabb59a1013abf4e
-
SHA1
63005b7752afd90117e435958a088af26189f279
-
SHA256
6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a
-
SHA512
ef57a899e63b4311e98810cc9e998d8c3571699a959bb0b381905dc8313364c93ed7c051511078d4aa65d800ae5fc5ef0f81861adc423ecf889521979d097f4d
-
SSDEEP
24576:ky/TRNN+q1jO/oCxkTtJepAZU/4eWGgkQAdT0:z/F6ql/6kT7epAZUQwQ
Malware Config
Extracted
redline
horda
194.49.94.152:19053
Extracted
risepro
194.49.94.152
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe"C:\Users\Admin\AppData\Local\Temp\6f328c3e1d2f3ad40a09cd133e1964bbc4fc21dcbb7af8520e97006992426b2a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1484⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exe3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST4⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:81⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4444 -ip 44441⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vb8gF87.exeFilesize
812KB
MD57657c88eae4d0432ed71184a0669b9b7
SHA14cbdbeb161797261e75b382d1b94868df170044d
SHA25676a6ad4f431353be132b7c4d03a364e1647fb475176098af59fa92d11c32cff2
SHA5125d5abc7a9f859a1e850af78185d54fdb1b3b61ce41f43ae1dc6311bdc1c3192eb5746c6e6aadbe530be35113ad3af41e3eaeef12c9896ba14a7df0665b002f95
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Vw8985.exeFilesize
432KB
MD5a9a6971dd545d36b0eb1b139cd49f2ca
SHA1bcd249c8f1993e8a015ff9a62d874424cdb8fe2e
SHA256a051e6a0aa2923bb10264d1769fc635193597f6104b0d653892c7f37e89a5af7
SHA5121422647c45ff3c4ed2b60d88f9f03cdf0b82f52c4057ce4dfd6e78d499475638518d5f5d826b6c4d533e60d068b4d23653885076f3ed0f8f33fd3ed08ef105db
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Po53uq.exeFilesize
1.3MB
MD536678dd4c57a0b051ae2d8d3e59b6084
SHA153f90dc0855c4a1f7a06251521beb29c0f31a1c3
SHA2563967b1109aa40ae878befa7d99d59364c67bef2ae53716ac71c7bf8327a7074a
SHA51295c393e273f64f066d0b5dc3c87248e14df0b1dd55e3c12298f8fe4226ab9e2d366f20e9e7f62f79007f2d38afb8f37fa3f9d5799388dbac1e5b289b38569425
-
memory/2284-18-0x0000000002F10000-0x0000000002F1A000-memory.dmpFilesize
40KB
-
memory/2284-16-0x0000000007F90000-0x0000000008534000-memory.dmpFilesize
5.6MB
-
memory/2284-17-0x00000000079E0000-0x0000000007A72000-memory.dmpFilesize
584KB
-
memory/2284-15-0x0000000073D8E000-0x0000000073D8F000-memory.dmpFilesize
4KB
-
memory/2284-14-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/2284-22-0x0000000008B60000-0x0000000009178000-memory.dmpFilesize
6.1MB
-
memory/2284-25-0x0000000007CF0000-0x0000000007DFA000-memory.dmpFilesize
1.0MB
-
memory/2284-26-0x0000000007B70000-0x0000000007B82000-memory.dmpFilesize
72KB
-
memory/2284-27-0x0000000007BE0000-0x0000000007C1C000-memory.dmpFilesize
240KB
-
memory/2284-28-0x0000000007C20000-0x0000000007C6C000-memory.dmpFilesize
304KB
-
memory/2284-34-0x0000000073D8E000-0x0000000073D8F000-memory.dmpFilesize
4KB