Malware Analysis Report

2025-04-03 13:25

Sample ID 241109-2gvy4steqg
Target 2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N
SHA256 2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929
Tags
redline most discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929

Threat Level: Known bad

The file 2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine payload

Redline family

RedLine

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:33

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:33

Reported

2024-11-09 22:35

Platform

win10v2004-20241007-en

Max time kernel

106s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4928 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe
PID 4928 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe
PID 4928 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe
PID 3652 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe
PID 3652 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe
PID 3652 wrote to memory of 2428 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe
PID 2428 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe
PID 2428 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe
PID 2428 wrote to memory of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe
PID 1380 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe
PID 1380 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe
PID 1380 wrote to memory of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe
PID 1272 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe
PID 1272 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe
PID 1272 wrote to memory of 4296 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe

"C:\Users\Admin\AppData\Local\Temp\2cdc2cf65c0b76e97dc8706727c5ca17e3a12ecdb9d650a3e48f93db466b6929N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i68651788.exe

MD5 6936e10d16bb27e8ea995b10330e6d82
SHA1 5b7ef7a2931ce1d3ff9a26dcd5c44d106259b668
SHA256 064cc79ec77d2d83a5e6b32d5fcff5aec0fe57c647c5cea18fc8e17b33af3efd
SHA512 52ba8628ae0eabbd0324b760317e0c159f78d5b91dd426e4585874785fa3d14956fe893a1303af2cd6bc4d89dbfb8341b2070161dbf333b5e67e7bb369ad85e1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i24870767.exe

MD5 72b5c64d627c51afb31095c2ec34abb5
SHA1 360a7218d4ae988efec1239a6f0fa426f99d416b
SHA256 eb4f1dad91cec99b60666a250c1e33d433b0ecc7f8ed0e33cf2ce071afcae96b
SHA512 5d9ad6101b9ccdef20096a522d767d948e0ef760f57fd60d9f27b6ec42b51275c3943dfe97f92542289b6c4a77446073e866179c57cd9c5f684b2b5792a2f818

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i13175462.exe

MD5 7b30aad55158f9b86b00477a9c02f37e
SHA1 11dbae8ad9dad171734e9f987d9ea88f176134b1
SHA256 f02a1f70b033a73aced257efb53ff063aa8323b02cd53c1f3123a6edec82da49
SHA512 f45d386cd44ba0aacd8021ae4b5b4d7a904df9ba53629bef56bac467dbcab07790c477b695323ee69d04f1cb1783e68425aec238bf2566b927f66154a5c2c397

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i69943212.exe

MD5 5cb5cd623e8f97a70524cea121b6741a
SHA1 233f805da864a96a2d8d79af518cdccaa09e2f98
SHA256 5cd7000325031c7dc7364713184571f206be7d74df78d70903012238dc022fd6
SHA512 013d114845fc4fe359599f09ac9e98c3982ef338591c69fb7150fdbc4ca3bd8b74703976a6ccd9b25a6d8c7f0ad66863354037129cd21cbb923941cb4784089c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a21074425.exe

MD5 d8aa03b25b1824599be2265db8293609
SHA1 dfea0dd07dafca78dc2a864cdfa7c6d635fef2d6
SHA256 76907d36619ef4fad7ed836fe81855af0533aff5d3187430f557cc18910e258d
SHA512 236cb50cba2b23285881bf7429f587b479125d4a50cb56cf13b96ec384d17ded7988ff9a180b1455de649e276bea5457442e5ac030f8ad3e57fcf19aab16b8fc

memory/4296-35-0x0000000000DE0000-0x0000000000E10000-memory.dmp

memory/4296-36-0x0000000005600000-0x0000000005606000-memory.dmp

memory/4296-37-0x0000000005D80000-0x0000000006398000-memory.dmp

memory/4296-38-0x0000000005870000-0x000000000597A000-memory.dmp

memory/4296-39-0x0000000005760000-0x0000000005772000-memory.dmp

memory/4296-40-0x00000000057C0000-0x00000000057FC000-memory.dmp

memory/4296-41-0x0000000005810000-0x000000000585C000-memory.dmp