Malware Analysis Report

2025-05-06 01:19

Sample ID 241109-1gfzhsvrfq
Target cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2
SHA256 cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2
Tags: redline most discovery infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2

Threat Level: Known bad

The file cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2 was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:37

Reported

2024-11-09 21:39

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe
PID 1244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe
PID 1244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe
PID 1944 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe
PID 1944 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe
PID 1944 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe
PID 1164 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe
PID 1164 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe
PID 1164 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe
PID 3608 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe
PID 3608 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe
PID 3608 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe
PID 4548 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe
PID 4548 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe
PID 4548 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe

"C:\Users\Admin\AppData\Local\Temp\cecb0cde272847011dd2403f79e5cf2ab07b49f2b65d49ef5d00ffd9bb6a66e2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 72.208.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i31597883.exe

MD5 daab354c721fafd2ee243a05767c7468
SHA1 7f26ce46e73732f540a4269ac032c13cc99c8fae
SHA256 2da87139d7e667973f378d79d15e5699b408a8eb0db3ec5b067df58ef08c9c27
SHA512 fe2c8fd05ae113bae76c6acf5deb579fe4e1c060a9e9dffb871d526e0e09fc869ae4059bf6442097f9ee585995110b0f5c81de0cd060420d7f9cbfc657202de5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i36009917.exe

MD5 3a891891b1a5cad57b3989e090bf7a45
SHA1 23300df99171a8b3eccd3076d243eb928405b83b
SHA256 e05723334c15901fc9c49ec8fd360caafcfcac948b67f811dc0047f936a9ce70
SHA512 188d1d48fcbbd801781402822311af210e89b3dc9c0578d409b3c0655ca9081a2e5753cb3847919bb4b87cc916517b09a547502ab13e9a048eb371e0f752c930

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i22580956.exe

MD5 15afed7ad4a63230f5889cd16befcfcb
SHA1 2fc0406edb137d816ef78add3f1122405ab4a8e2
SHA256 3c406e69fe367ff17c3696ec00a295a9dbb2aa0b1d8a7a9fb935dd59761c43c3
SHA512 efc7fb2e2529a6be251b2e3b5cbd44d51d7fbe1297bcbb3c28e1979a0a33769ea4e74e2c008c71bebcf0bd10cafbf2b34953b7ed3d446d8e858db5f15958c481

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i67693533.exe

MD5 50e64249ab3e5c4357c0aa5b959486dd
SHA1 4dfc80849cdeaa991cfbaea1676d50116e49a78b
SHA256 dd2b61f7abbee9a2dd29f96d4a8beaf4e61839551745361e0eb5de342eafb923
SHA512 94611819189da460069e271dea11cfdc7998cb7ccc1ba74f79fad965ed30b5e3897a117a8c12a9d25b71b467b9e4ba7e7d59a961b357d8a0221d8d6b058cf2d0

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a78241290.exe

MD5 e0a5330d1d105090f672424393566336
SHA1 3d00706858bcf31b8e7c796423e8ece447a49d03
SHA256 57d9202819648c6f2dec5ef6d39c678d2377e9daa06c85fa0cfc693258c141b0
SHA512 6436bf0241555ca37c82059b63417e4bafee4b75fc147302cf45e862913f665e61800f8c457715889922d3f06ac952c26340ba1b58a613cb727da10aaaabc988