Malware Analysis Report

2024-12-01 01:49

Sample ID 241110-bvpq5swgrc
Target 0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba
SHA256 0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba
Tags: redline doma discovery infostealer persistence

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba

Threat Level: Known bad

The file 0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba was found to be: Known bad.

Malicious Activity Summary

redline doma discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:28

Reported

2024-11-10 01:30

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe
Target: N/A

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 5048 wrote to memory of 968 (reported 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe

Description: PID 968 wrote to memory of 1492 (reported 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe

Description: PID 1492 wrote to memory of 1512 (reported 3 times)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe
Target: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe

"C:\Users\Admin\AppData\Local\Temp\0cebb90e26b7ed9e1ab29b4620b2270de761469b6d630ae7a411ecf0d54477ba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa  udp
RU       185.161.248.75:4132  -                             tcp
US       8.8.8.8:53           73.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa    udp
RU       185.161.248.75:4132  -                             tcp
US       8.8.8.8:53           56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53           98.117.19.2.in-addr.arpa      udp
RU       185.161.248.75:4132  -                             tcp
RU       185.161.248.75:4132  -                             tcp
US       8.8.8.8:53           29.243.111.52.in-addr.arpa    udp
RU       185.161.248.75:4132  -                             tcp
RU       185.161.248.75:4132  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6066881.exe

MD5 7a05acabce7dd1066ea099fb13c75adf
SHA1 7d99bd714de74c0b47ab3cfb8cefa43dda79ce56
SHA256 902ba912435a11647c782a44c0e449c5766f0b7b7489671707ebeca159c25959
SHA512 4bad57062261b28146de53c500772e971d17059f36a6871fa65b13794f5ceaf75667e1d6a37f40256b27bc9faa6804175667cc91ad83d12d1bd5ec5800bc1be7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4444320.exe

MD5 30953a378de72624b0d1c0b9562733a4
SHA1 5900c61b2b2b286a42504b9910687ede7ee0d01c
SHA256 fd89d9c07891166c82eda88373585b7d7d419db1b49fb50e241ffe8c2d8ee420
SHA512 1a842b157abd25d6637dea1c000e6f34d1633e2af26665f38595ac8eb1b844463e01c5e6f6dc0a7145172bb48209e72ef86650aa2ae6b35357608b41b3383ae5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f8027644.exe

MD5 4fd5c9bc65d0d1009a09353e99b80323
SHA1 a1890ea18653d647d33acc1416942bac34f06d40
SHA256 5a6d984c120abf06468714d0553802305be4304fa7f70399da9472132f02e360
SHA512 1bc69f926063d95ce68a6abe013302bd940794d3e51327e22e8ac179ed01284a8b2c2c77c5d756923efa7748678a02a872b0200bdc1852f49d7a9c79fbff4b99

memory/1512-21-0x00000000004C0000-0x00000000004EA000-memory.dmp

memory/1512-22-0x0000000005300000-0x0000000005918000-memory.dmp

memory/1512-23-0x0000000004E50000-0x0000000004F5A000-memory.dmp

memory/1512-24-0x0000000004DA0000-0x0000000004DB2000-memory.dmp

memory/1512-25-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

memory/1512-26-0x0000000004E00000-0x0000000004E4C000-memory.dmp