Malware Analysis Report

2024-12-01 02:13

Sample ID 241110-blws4avqht
Target 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3
SHA256 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3
Tags
redline most discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3

Threat Level: Known bad

The file 31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3 was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:14

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:14

Reported

2024-11-10 01:17

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
PID 2064 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
PID 2064 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe
PID 1304 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
PID 1304 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
PID 1304 wrote to memory of 3680 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe
PID 3680 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
PID 3680 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
PID 3680 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe
PID 3888 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
PID 3888 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
PID 3888 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe
PID 3836 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
PID 3836 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe
PID 3836 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe

Processes

C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe

"C:\Users\Admin\AppData\Local\Temp\31dc5d430142753e62e9f68764710536ea215acdf481daf94bd39a31fdc130d3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
RU | 185.161.248.73:4164 | | tcp
RU | 185.161.248.73:4164 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i01790874.exe

MD5 c1dbe2e17b308e340eb97be0acd63e31
SHA1 27fff37d305225b6f223a159539fdb0b07683fd6
SHA256 facc9886e9da60292840029fe64a63316f641150b34087c6dab789986f39be11
SHA512 4b282f1752dd53a993a31c4f89fcb0013e82a60dca82240710d7559dccec22f2de229352fd96b3e6740ba7bc3c99c5440813e785442fd125ee17584d61b35c67

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i44804119.exe

MD5 9f720c820cbde535803ac8a97ec198e7
SHA1 788dea0d1242930186b177097e13a6ccb0964561
SHA256 f5e393b8586d4a379cb1735d76b095f9097fe736f4f1b767c57d76544cec7c02
SHA512 7b9d81f6a986e2c1414a5a284dc3a2d31a6402cc8b54fc30608f394966a9c4fcd77626b3c737512f74ef881c97df189e349bfcfe42d9cfe506178e053968fa55

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i07970134.exe

MD5 d89e9d86295c132759c0f2ed8e6a0669
SHA1 661bbe97b1530db24c1a66683fe9d8db25b632b9
SHA256 f8a667aad6aa692f46bf30c46b45f9fd80a0c4d23484635147f6080565e4d0f0
SHA512 387293a1b725a7d4601a438ec39b10ce0587f72c5626955806205345655bbed2ee6d99d30424b23a81a104e3d8ac8d56bae209c7094453bae0e32480ad0bbd29

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i41843636.exe

MD5 de83c3f0968b64ad6b5bd0128edc00a0
SHA1 1f6b5630821223ee437dc1998a5aa6b14d528ef2
SHA256 8a6861e73519e8f7a659bf5b02f5d35d1b4180aaf9debfc5870c8e99b5552536
SHA512 61d4f36e97882aafdf586a22161060a8dfb64942322273b2e01a65eab253cf9bf480237656fd84abb92cb950068b09e8884d9f4ef5e78691f03635caaa5124d6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a97214348.exe

MD5 44d07a9d2e37f8eec8af6734583a9c3f
SHA1 d14f0a6620645f054d89861b54c4455651810871
SHA256 877d41b3912d640bb21c6228a9d788ba4a1e414e35ac091a872644680c3cac9d
SHA512 92d5d19d6cf9f219f48a3aec1a6aba4411b718cd6c802cabce3931495652cd0ada9afda4e76b360c0d2d3dedfc1defcf08b11302c1be1d9ac34c6f283f76ec5e

memory/1164-35-0x00000000002D0000-0x0000000000300000-memory.dmp

memory/1164-36-0x00000000025C0000-0x00000000025C6000-memory.dmp

memory/1164-37-0x00000000052C0000-0x00000000058D8000-memory.dmp

memory/1164-38-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

memory/1164-39-0x0000000004C40000-0x0000000004C52000-memory.dmp

memory/1164-40-0x0000000004CE0000-0x0000000004D1C000-memory.dmp

memory/1164-41-0x0000000004D20000-0x0000000004D6C000-memory.dmp