Malware Analysis Report

2024-12-01 02:15

Sample ID 241110-blawmawfje
Target ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f
SHA256 ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f
Tags
redline dork gena discovery infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f

Threat Level: Known bad

The file ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f was found to be: Known bad.

Malicious Activity Summary

redline dork gena discovery infostealer persistence

Redline family

RedLine payload

RedLine

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:13

Signatures

Unsigned PE

No details recorded (Description, Indicator, Process and Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:13

Reported

2024-11-10 01:15

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe"

Signatures

RedLine

infostealer redline

RedLine payload

5 matches recorded; Description, Indicator, Process and Target are N/A for each.

Redline family

redline

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe
Target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Target: N/A
Processes (5 matches, one per process):
C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe
C:\Windows\Temp\1.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 1344 wrote to memory of 3140 (logged 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe

Description: PID 3140 wrote to memory of 3620 (logged 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe

Description: PID 3620 wrote to memory of 6000 (logged 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe
Target: C:\Windows\Temp\1.exe

Description: PID 3140 wrote to memory of 4548 (logged 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe

"C:\Users\Admin\AppData\Local\Temp\ecd1a78f447c7eecde696bef5248b7e21349ed55d5b4f9cbe459f84f59ec2c6f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 1372

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe

Network

Country Destination Domain Proto ("-" = no domain recorded)
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x19862815.exe

MD5 b6d5b21dccdbbc795c3a3d080226b46c
SHA1 89a3cb59cdad04f6b101e87f811f611eb6318a3f
SHA256 efe190e06cd1f326733dbf2e7b16ecf3eb897718ca4f4adc1b78249fa58d18fe
SHA512 83f3a18cd34a8bcd0bfbc284fd773f9022880a4f39eba2c6883a32c1d3132a29292671a78770358a691ffe45e817ac7f5be163dbfb739c7ae88bd65f3fd4e063

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m59168454.exe

MD5 e360dd0459760dcaec1b5a835f3655e5
SHA1 e64dcd5b4f3696343c3f62bcb9a5ef73ab96af08
SHA256 b65592d6befcac3d68a3cc1dd35b492378ad6d97c8adb039655feffd0531bfaa
SHA512 b78aba12b91cba5297b152e1fc84ab16ab4e67e95ef9cc8867b047fa52d59e4f226b60357275483e8a13c197cdb51c4e476f2deddad6a9ff352ea5ba405c5deb

memory/3620-16-0x0000000000C10000-0x0000000000C6B000-memory.dmp

memory/3620-15-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

memory/3620-17-0x0000000000400000-0x000000000045E000-memory.dmp

memory/3620-18-0x0000000000400000-0x0000000000A95000-memory.dmp

memory/3620-19-0x0000000002CB0000-0x0000000002D18000-memory.dmp

memory/3620-21-0x0000000005780000-0x00000000057E6000-memory.dmp

memory/3620-20-0x0000000005190000-0x0000000005734000-memory.dmp

memory/3620-33-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-35-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-85-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-83-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-81-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-79-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-75-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-71-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-69-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-68-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-65-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-63-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-59-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-57-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-55-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-53-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-51-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-49-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-47-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-45-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-41-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-39-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-37-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-31-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-29-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-27-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-25-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-77-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-73-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-61-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-43-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-23-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-22-0x0000000005780000-0x00000000057E0000-memory.dmp

memory/3620-2168-0x0000000000CB0000-0x0000000000DB0000-memory.dmp

memory/3620-2169-0x00000000059C0000-0x00000000059F2000-memory.dmp

C:\Windows\Temp\1.exe

MD5 f16fb63d4e551d3808e8f01f2671b57e
SHA1 781153ad6235a1152da112de1fb39a6f2d063575
SHA256 8a34627d2a802a7222661926a21bfe7e05835d8dca23459a50c62ccac4619581
SHA512 fad96ade34ff0637238ebf22941dcf21d9ddbe41e10b04d32a904c6018e0c9914345fc86e0ef8c27b95e3813eb60af233b2e47a585c150b9d1c14d48906f78cf

memory/6000-2182-0x0000000000390000-0x00000000003BE000-memory.dmp

memory/6000-2183-0x0000000000A10000-0x0000000000A16000-memory.dmp

memory/6000-2184-0x0000000005320000-0x0000000005938000-memory.dmp

memory/6000-2185-0x0000000004E10000-0x0000000004F1A000-memory.dmp

memory/6000-2186-0x0000000004D20000-0x0000000004D32000-memory.dmp

memory/6000-2187-0x0000000004D80000-0x0000000004DBC000-memory.dmp

memory/6000-2188-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

memory/3620-2190-0x0000000000C10000-0x0000000000C6B000-memory.dmp

memory/3620-2192-0x0000000000400000-0x0000000000A95000-memory.dmp

memory/3620-2191-0x0000000000400000-0x000000000045E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\n99963261.exe

MD5 070d329c22407c1cd4644549d796874e
SHA1 84bafb3fe66924333e928c5a01d7b5671e6f6fa9
SHA256 b52a2c4ad3906edb4dbabe5cc1d45ec93ff37c89246e7cccc7f02410d10c39cd
SHA512 12fb7f7e1e25d75db34ef32b0d19f9dec820f4c84d6e5e8867b09f43d81e85a0aad5f1a8ba6aabc3e25f5d9eb7330c3fa1a399086882f9c60a56cc015bb7e0a0

memory/4548-2196-0x0000000000310000-0x0000000000340000-memory.dmp

memory/4548-2197-0x0000000000960000-0x0000000000966000-memory.dmp