Malware Analysis Report

2024-12-01 01:36

Sample ID 241110-brwqaayrbj
Target 9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372
SHA256 9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372
Tags
redline diwer discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372

Threat Level: Known bad

The file 9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372 was found to be: Known bad.

Malicious Activity Summary

redline diwer discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:23

Reported

2024-11-10 01:25

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1358326.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1358326.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372.exe

"C:\Users\Admin\AppData\Local\Temp\9cc007f8bd802a9a66f523279781657f5933e2f1bfe79687eaa89ff31617a372.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1358326.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1358326.exe

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             217.106.137.52.in-addr.arpa       udp
CY       217.196.96.101:4132    -                                 tcp
US       8.8.8.8:53             23.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53             196.249.167.52.in-addr.arpa       udp
CY       217.196.96.101:4132    -                                 tcp
US       8.8.8.8:53             200.163.202.172.in-addr.arpa      udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             75.117.19.2.in-addr.arpa          udp
CY       217.196.96.101:4132    -                                 tcp
US       8.8.8.8:53             83.210.23.2.in-addr.arpa          udp
CY       217.196.96.101:4132    -                                 tcp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa       udp
US       8.8.8.8:53             43.229.111.52.in-addr.arpa        udp
CY       217.196.96.101:4132    -                                 tcp
CY       217.196.96.101:4132    -                                 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9180446.exe

MD5 1abe1865f7dcb54bba5ab811c36f79f4
SHA1 a78bc56e58e0eea18905a7297fb246c58dade311
SHA256 e7b7cf43e183e9deffe8df8db4a7ae138d7dc2dde41dbb7089da97929c0ea923
SHA512 3e6da3f653f229754d0b96342f7a61201309a6c955976bc1c57a49b1f06ac38371c2b953b046ccbe0f7c28557149a5344fa00dfe3960403d670be8126c5a3245

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g1358326.exe

MD5 bfbbf8dd67350f285cc6985210be3692
SHA1 5746bf4f52ad3c21a5038bae2eccbacce6586827
SHA256 2ae5399bf2b23fb5b8dc778bf8d3ae68ded33c7b19014856b7033c9e05de4f94
SHA512 e09568b9265087ac2636775412164ad69f1e6edf68f59771656031640e71b54027f68a7976ee4ba7c4d7c124ef946e51756fe55b17a200ece7270a641a63f25e

memory/3724-14-0x000000007486E000-0x000000007486F000-memory.dmp

memory/3724-15-0x0000000000CA0000-0x0000000000CD0000-memory.dmp

memory/3724-16-0x0000000003030000-0x0000000003036000-memory.dmp

memory/3724-17-0x0000000005C70000-0x0000000006288000-memory.dmp

memory/3724-18-0x0000000005760000-0x000000000586A000-memory.dmp

memory/3724-19-0x0000000005610000-0x0000000005622000-memory.dmp

memory/3724-20-0x0000000074860000-0x0000000075010000-memory.dmp

memory/3724-21-0x0000000005690000-0x00000000056CC000-memory.dmp

memory/3724-22-0x00000000056D0000-0x000000000571C000-memory.dmp

memory/3724-23-0x000000007486E000-0x000000007486F000-memory.dmp

memory/3724-24-0x0000000074860000-0x0000000075010000-memory.dmp