Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-08-2024 09:50

General

  • Target

    REDLINE STEALER V20.2 - Edition 2022/Kurome.Builder/Mono.Cecil.Rocks.pdb

  • Size

    8KB

  • MD5

    4c98b54bf658db95dfb4d1ae6bed2565

  • SHA1

    c5a0035a75f52addeb730102fd67d3c63fe1c815

  • SHA256

    5fcf9491b8d73f1f90a83ee7bda9097043903ba18822f1f22eacf92338b0d619

  • SHA512

    72cf714bc20660f2ab18fbcd74b84e9aa7d85fe77482ebd3b135c5c6db0dc7ab2523c418ca3ff44f301eec66742cea3c11e6c9575bf9cec90906d60a156291b0

  • SSDEEP

    192:bAHD2V/OLaMD04CRS68yhpMqxauyKixCEyKKJA5es:bOC02bHR7ZpMqxnyZx90A0s

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\REDLINE STEALER V20.2 - Edition 2022\Kurome.Builder\Mono.Cecil.Rocks.pdb"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\REDLINE STEALER V20.2 - Edition 2022\Kurome.Builder\Mono.Cecil.Rocks.pdb
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\REDLINE STEALER V20.2 - Edition 2022\Kurome.Builder\Mono.Cecil.Rocks.pdb"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

    Filesize

    3KB

    MD5

    1e828c14ad49951613ab0cbebf793a1f

    SHA1

    0fa8ee52a1a09d1f85a7e5ce00920a7a1d8b98d0

    SHA256

    f694912ed37099317e6b21ace126479ce2eb7021ac2b59eb647a8825c05eea44

    SHA512

    949a9ef518ddf7fee26e42d1956ed5a5588c9fc73fc7ff5a3d999da7b67cd1d7bf2dc9e2ed77c29f0efa27339621f74be7b7ededa270b95f14a5bc47e6a2cbe3