Analysis
-
max time kernel
136s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 04:27
Static task
static1
Behavioral task
behavioral1
Sample
d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
Resource
win10v2004-20241007-en
General
-
Target
d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
-
Size
700.0MB
-
MD5
9a2c573e882d31251e1bcd07ba90585f
-
SHA1
d46878f2ad28df08972371a617bce73ae623523c
-
SHA256
d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e
-
SHA512
40ac3d1cca6bb8eb7ccfb0d1ae0467423b0355ee5cded84b1095a284f08cecbd70325b808df933d47a7af60081470ad71ee1021e724759227379052302ff3894
-
SSDEEP
98304:h9eCUTzzphq1G/jxZIo0YYUOJimJJQYts5JcyTcvg6BtufkCJ:PefTzVhqpP9JvgpTcvf7ufz
Malware Config
Extracted
redline
Notepad_2
194.36.177.124:39456
-
auth_value
37464cc4dd294b9925a8c1092e1c72a9
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule behavioral1/memory/2072-12-0x0000000005670000-0x0000000005AFA000-memory.dmp family_purecrypter -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Purecrypter family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
resource yara_rule behavioral1/memory/2400-27-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2400-31-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2400-33-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2400-30-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2400-25-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
Redline family
-
Executes dropped EXE 2 IoCs
pid Process 2072 DRIVER~1.EXE 2612 Mppzqonpp.8.4.1.installer.x64.exe -
Loads dropped DLL 6 IoCs
pid Process 2072 DRIVER~1.EXE 2612 Mppzqonpp.8.4.1.installer.x64.exe 2612 Mppzqonpp.8.4.1.installer.x64.exe 2612 Mppzqonpp.8.4.1.installer.x64.exe 2612 Mppzqonpp.8.4.1.installer.x64.exe 2612 Mppzqonpp.8.4.1.installer.x64.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2072 set thread context of 2400 2072 DRIVER~1.EXE 37 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DRIVER~1.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mppzqonpp.8.4.1.installer.x64.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2792 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2072 DRIVER~1.EXE 2072 DRIVER~1.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2612 Mppzqonpp.8.4.1.installer.x64.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2072 DRIVER~1.EXE -
Suspicious use of WriteProcessMemory 31 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2072 2124 d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe 30 PID 2124 wrote to memory of 2072 2124 d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe 30 PID 2124 wrote to memory of 2072 2124 d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe 30 PID 2124 wrote to memory of 2072 2124 d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe 30 PID 2072 wrote to memory of 2480 2072 DRIVER~1.EXE 32 PID 2072 wrote to memory of 2480 2072 DRIVER~1.EXE 32 PID 2072 wrote to memory of 2480 2072 DRIVER~1.EXE 32 PID 2072 wrote to memory of 2480 2072 DRIVER~1.EXE 32 PID 2480 wrote to memory of 2792 2480 cmd.exe 34 PID 2480 wrote to memory of 2792 2480 cmd.exe 34 PID 2480 wrote to memory of 2792 2480 cmd.exe 34 PID 2480 wrote to memory of 2792 2480 cmd.exe 34 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2612 2072 DRIVER~1.EXE 36 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37 PID 2072 wrote to memory of 2400 2072 DRIVER~1.EXE 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe"C:\Users\Admin\AppData\Local\Temp\d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 103⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\timeout.exetimeout 104⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2792
-
-
-
C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2612
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- System Location Discovery: System Language Discovery
PID:2400
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD54111964458518aba78a005836fd71df0
SHA1c5499db5e598647dee69758bd81f6733f4f02769
SHA256020aaa2d2db7d0d138c4e7967c19621332379d99a2162d121dc33babc46edc82
SHA5124a089c7a1b0a3b02fa3bdbf2fd7bfb4c1c683c003e42c9e25c5d1f36e3e2b766d24ab9e70ceaa0e8b846a9ef53791ae7b985db5f5daae795536abe0a030b9ef9
-
Filesize
4.3MB
MD5542c0f910db312aa76c75d5cdbf76844
SHA118f608b6220c392ddde0194352b3faf7a10608d1
SHA2566d80dcfdb5a979eb11de1ebbf5733a101fbe4cd8f7c1ac10f651e71fadf52e4a
SHA512087f415c20d485cc322be24ae43f730ae7edfa6f64fe78828727a8cf47a0207d18a9b45769f9f3228cd5012c7d34244ccc7edb3e93ba0cc263c4370153fe4a0d
-
Filesize
15KB
MD5ece25721125d55aa26cdfe019c871476
SHA1b87685ae482553823bf95e73e790de48dc0c11ba
SHA256c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA5124e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480
-
Filesize
5KB
MD568b287f4067ba013e34a1339afdb1ea8
SHA145ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA25618e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA51206c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb
-
Filesize
12KB
MD5cff85c549d536f651d4fb8387f1976f2
SHA1d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA2568dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
-
Filesize
9KB
MD56c3f8c94d0727894d706940a8a980543
SHA10d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA25656b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA5122094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355