Malware Analysis Report

2024-12-01 01:34

Sample ID 241110-bp4m4svrdw
Target 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2
SHA256 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2
Tags
redline ditro discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2

Threat Level: Known bad

The file 35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2 was found to be: Known bad.

Malicious Activity Summary

redline ditro discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:20

Reported

2024-11-10 01:22

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe

"C:\Users\Admin\AppData\Local\Temp\35261256143066ec6e95b2f507a721b33daa3cc598f65dc18d491ac51bf611d2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8626695.exe

MD5 1bc943f3418c4ef680705e0a51faa64d
SHA1 d54ec4984111bf0aeeb4f583fce4c7bc15cac760
SHA256 c91aeac760d8fa71e3210000774565ad493702c53935d23a27c60520a12533e6
SHA512 aecdfb3b31cce92a08fd312dd564a24bfa0fe1803ddc7310ef12b70250136b71714ebcd205c29e4e07468c2a86471dad3bf104e87ffdcdf5783587b417ad23ed

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5843243.exe

MD5 92a1ceb8c7a57cf57d93391b495acae2
SHA1 399707d1e7b2c4df189cc7baa0c07a46d485d2d5
SHA256 90a9e0af28a780e57606a6bb72935f64ee75ba2050c8ae376c19659821217828
SHA512 8bd1f3de0d1b7318a35451d6b6e53bd827b5d8f7adbb963fe5c5e718d68c8d3c2325720c9827cc6589b0d2758ca153be6e91b8fa92edebbe43b864cff1a254af

memory/4920-14-0x000000007440E000-0x000000007440F000-memory.dmp

memory/4920-15-0x0000000000820000-0x0000000000850000-memory.dmp

memory/4920-16-0x0000000002A10000-0x0000000002A16000-memory.dmp

memory/4920-17-0x000000000ABC0000-0x000000000B1D8000-memory.dmp

memory/4920-18-0x000000000A6B0000-0x000000000A7BA000-memory.dmp

memory/4920-19-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

memory/4920-20-0x000000000A620000-0x000000000A65C000-memory.dmp

memory/4920-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4920-22-0x0000000004B60000-0x0000000004BAC000-memory.dmp

memory/4920-23-0x000000007440E000-0x000000007440F000-memory.dmp

memory/4920-24-0x0000000074400000-0x0000000074BB0000-memory.dmp