Malware Analysis Report

2024-12-01 02:13

Sample ID 241110-bk2myswerh
Target 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1
SHA256 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1
Tags
redline romik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1

Threat Level: Known bad

The file 934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1 was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

RedLine

Redline family

RedLine payload

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:12

Reported

2024-11-10 01:15

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4724 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
PID 4724 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
PID 4724 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe
PID 2028 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
PID 2028 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
PID 2028 wrote to memory of 4380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe
PID 4380 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
PID 4380 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe
PID 4380 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe

Processes

C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe

"C:\Users\Admin\AppData\Local\Temp\934b82c55abe4a5f23c336200bd21b695b718df5d5ad501e7e167acec93607f1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
RU | 193.233.20.12:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnk76.exe

MD5 7daeacaf039d31faf12df639e1c988df
SHA1 b5d6576dafee6f860760c2154a95bc1e789524c3
SHA256 60f8cf69f8e1d28a45c3073477b0ac4ed90719d972eb18704eaf1d4fb952ed64
SHA512 0fe286e3d29db95734d7e8c3db692285637f44de0b899af0737d42a8435c9a097e88d3cdf3d817f5416e180ccf8f99677d01cff9fc74b148ec74d901e0d6a59c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vEh06.exe

MD5 666c0311502a1e366cbd6fa346ef7d70
SHA1 90d49fff94e3fe2a00141d3b125d817c89b76601
SHA256 19b36b0f715e7a191aaaa832232c01393f6b7bbc48d35bece1ad6b2e3dc95d43
SHA512 8252737c17c3bf8c53b891506e09ca68232d39b4f70b3ce2b9bd88929915e889a5aac5d61916e956e7bf9782161f4550aa43c606791bc066a31edd91d2d0ef76

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\duW94.exe

MD5 c76b024698fbf2e549cbc0515872a7b4
SHA1 6dd18e417c892a26a1b9eca8b4a07421e743f052
SHA256 c0171f0d598f860d522908c1247e21d1325ec3d14cfda22e181d642fe1d29c20
SHA512 48b8cd24779f46abd1769ac6453f4b22782b0ec34841b89e15f32e130d6b4d29eb5999f00afb9fdfc927fbc02f0ec0607c933163ff1794beba58fe3db5e3e19c

memory/2704-22-0x0000000002AC0000-0x0000000002B06000-memory.dmp

memory/2704-23-0x0000000004F00000-0x00000000054A4000-memory.dmp

memory/2704-24-0x00000000054B0000-0x00000000054F4000-memory.dmp

memory/2704-60-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-62-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-88-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-84-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-80-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-78-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-76-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-74-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-933-0x0000000005D00000-0x0000000005D12000-memory.dmp

memory/2704-932-0x0000000005BC0000-0x0000000005CCA000-memory.dmp

memory/2704-931-0x0000000005520000-0x0000000005B38000-memory.dmp

memory/2704-72-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-934-0x0000000005D20000-0x0000000005D5C000-memory.dmp

memory/2704-70-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-68-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-66-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-64-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-58-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-56-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-54-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-52-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-50-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-46-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-935-0x0000000005E70000-0x0000000005EBC000-memory.dmp

memory/2704-44-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-42-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-40-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-38-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-36-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-34-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-30-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-28-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-86-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-82-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-48-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-32-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-26-0x00000000054B0000-0x00000000054EE000-memory.dmp

memory/2704-25-0x00000000054B0000-0x00000000054EE000-memory.dmp