Malware Analysis Report

2025-04-03 09:06

Sample ID 241107-sr3bhavcrn
Target 62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9
SHA256 62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9
Tags
redline rodik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9

Threat Level: Known bad

The file 62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9 was found to be: Known bad.

Malicious Activity Summary

redline rodik discovery infostealer persistence

RedLine payload

RedLine

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 15:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 15:22

Reported

2024-11-07 15:24

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 844 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
PID 844 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
PID 844 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe
PID 2784 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
PID 2784 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
PID 2784 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe
PID 4768 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
PID 4768 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
PID 4768 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe
PID 4200 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
PID 4200 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
PID 4200 wrote to memory of 112 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe
PID 112 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe
PID 112 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe
PID 112 wrote to memory of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe

"C:\Users\Admin\AppData\Local\Temp\62b45d357531f3096032239b427e854dd5be63f39d663947b20ed99b207d7bc9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
RU | 193.233.20.23:4124 | | tcp
RU | 193.233.20.23:4124 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
RU | 193.233.20.23:4124 | | tcp
US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp
RU | 193.233.20.23:4124 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 193.233.20.23:4124 | | tcp
RU | 193.233.20.23:4124 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nGZ67DN.exe

MD5 a3e42245bd0ff4f7eed756f6c40155cd
SHA1 7c521632f4aade214aa2fbf0fb7a76a1b3de5a32
SHA256 f755f3734bc3c8978fff0c804b2a6e065d9ab3a2dd8be89751fb394132ece985
SHA512 7934e078760f74baa31a5687e4ecf16bfff3c3b03265e2c73ae8c6da5af80520d03af807f1c4d933e5e1214d05f42da938b8da5fe16e4703738726f05945cb8b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nHV70VB.exe

MD5 8bd3ef9e9749c9d1f9d444973aeb6c7a
SHA1 cf908e05eef32f7916a261f9c8a51992e42c2b99
SHA256 302afab6c6f622f55cada4b81a19776339957fae92133aa77e6fc00a6604aa30
SHA512 a251be390877e253c98dcaabeb3180a4b6451220884caf00e2ee7b5271e44a1992d99fb6cccda737094872406e5448b2830c2cf1b4772f6da63504d0ebefbe5a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nlw73vb.exe

MD5 8143a0b14eb5a9aebd96e540e2a0efd7
SHA1 9f5872f04a4120cf7a7c3e79a65b538f94845ae3
SHA256 eddb06692050138d237df3e26d0c95b3edbe7d8e62a5496c72c832f08dbd3e31
SHA512 71745ffbf36ae310e9837205994bf1c17ae579a3e28063797d99915fcee02d3d844ce7af7d18cac642a76faf90299b0603db6c2541f142cf40cd9df09454fec4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bjc43De59.exe

MD5 231430e854c098688aa6848702c5018e
SHA1 46a9be0ad282ff66b7de6586c6cf86ff5057651d
SHA256 c2c7ced4db7b7a5eb5960c2d518179b7798494fe893b5bb22c756a811460cdf9
SHA512 202a0ec01cdd18613c8fb423418ec0abf3382f2ea8d957c287324c23d083a7ab61fb5207c0e9c3bfb421a58f821daf81506e2ecb4d08fa2cfa993587e1e44217

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nHy41QE.exe

MD5 98835893d157b248b3ef2c0f351196d8
SHA1 21997d54eea66faff17f6722b30ac5b7f4c8014b
SHA256 a34628e0d573e47902ce8f1bbfd3ea13634a3fe2afd7cd365bde6e71f8ad8f6a
SHA512 7e0abb112b53a613d03f9c13e85667658a5d517096f73ba234993d365c2223e55496afc45601dcda4a22ceb45a476f461657b534ffadaa4f27444509cb0ad278
