Malware Analysis Report

2024-12-07 04:12

Sample ID 241110-1jl9bawank
Target 457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f
SHA256 457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f
Tags
redline ruma discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f

Threat Level: Known bad

The file 457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f was found to be: Known bad.

Malicious Activity Summary

redline ruma discovery infostealer persistence

RedLine payload

Redline family

RedLine

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 21:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 21:40

Reported

2024-11-10 21:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 RedLine payload detections, each reported as N/A N/A N/A N/A: no description, indicator, process or target details were recorded for any row)

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
PID 4780 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
PID 4780 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe
PID 1700 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
PID 1700 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
PID 1700 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe
PID 4848 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe
PID 4848 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe
PID 4848 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe

Processes

C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe

"C:\Users\Admin\AppData\Local\Temp\457b786aba33f4350498c9a8644a5764f7ec1e6adc79a5182c61180dc3f21d6f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 193.233.20.13:4136 - tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 193.233.20.13:4136 - tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.13:4136 - tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.13:4136 - tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
RU 193.233.20.13:4136 - tcp
RU 193.233.20.13:4136 - tcp
US 8.8.8.8:53 - udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxb95.exe

MD5 b114060a6ddc413737ad19a2f49a282b
SHA1 63d4a34062e0954338682998ea55d52044b68880
SHA256 d9537c10109cec72ea01fc5ebad52f80d100b0774f63bc409a16085a04fc64ac
SHA512 c3653a50c252fc0d88babf26936b8d7fa91d5feef5d3364fbc0251ccbeb0358f9c9c0053de4b069143c5a626b48ad85473213ee7aae942af8f9d654061d2faa8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vAx09.exe

MD5 0e498d9d822eb4e5d018dc5357819e17
SHA1 511a949f31f6368ebd5ad89d91098cd22cbfbaa4
SHA256 a45432d2e400de589b7f9005b3168f48bd8d3230fa0221346baa270e3fc92bd0
SHA512 448274db0a672203c09255295ffc7d28df9914a626317737d85a747902acf7bf3c9f5fee4c0c9aaeb86124bdc6a9dca169d6d1101825c1a8b60bda922bfed55e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dAg06.exe

MD5 fb82c4087f33ef1500be09b2c64edd7e
SHA1 f3bc3a8bc794198f45c88e4e7f209301a7319247
SHA256 a49071caacb938f2602eab78925d1cb38ce8fe180d3db37a91a58b49c912f265
SHA512 f0692f8a1c5c835c600ea33bfaa38246970db8ec2c82b49bdcdbf57423c7e220aa48e8f03c107fbc69b4826e4a7f8723e614f7cfa0642f9231677c9a20065184

memory/1668-22-0x0000000002650000-0x0000000002696000-memory.dmp

memory/1668-23-0x0000000004D70000-0x0000000005314000-memory.dmp

memory/1668-24-0x0000000005320000-0x0000000005364000-memory.dmp

memory/1668-42-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-44-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-88-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-87-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-84-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-82-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-80-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-78-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-76-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-74-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-72-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-70-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-66-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-64-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-60-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-58-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-54-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-52-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-50-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-48-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-46-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-40-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-38-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-36-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-32-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-30-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-68-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-62-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-56-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-34-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-28-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-26-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-25-0x0000000005320000-0x000000000535E000-memory.dmp

memory/1668-931-0x00000000053A0000-0x00000000059B8000-memory.dmp

memory/1668-932-0x0000000005A40000-0x0000000005B4A000-memory.dmp

memory/1668-933-0x0000000005B80000-0x0000000005B92000-memory.dmp

memory/1668-934-0x0000000005BA0000-0x0000000005BDC000-memory.dmp

memory/1668-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp