Malware Analysis Report

2024-12-07 03:38

Sample ID: 241110-mycrjawama
Target: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8
SHA256: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8
Tags: redline fusa discovery infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8

Threat Level: Known bad

The file 4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8 was found to be: Known bad.

Malicious Activity Summary

redline fusa discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 10:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 10:52
Reported: 2024-11-10 10:54
Platform: win10v2004-20241007-en
Max time kernel: 132s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 entries, no details recorded)

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe | N/A

Note: the wextract_cleanupN RunOnce values with advpack.dll,DelNodeRunDLL32 are the standard cleanup entries written by Windows IExpress self-extracting packages to delete their IXP00N.TMP extraction directory at next logon; here they show three nested IExpress stages (IXP000 to IXP002) rather than a persistent launch of the payload, so treat the stage chain, not these RunOnce keys, as the indicator of interest.

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3356 wrote to memory of 1440 (recorded 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
PID 1440 wrote to memory of 1268 (recorded 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
PID 1268 wrote to memory of 3676 (recorded 3 times) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe

Processes

Path | Command line
C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe | "C:\Users\Admin\AppData\Local\Temp\4b7de33d65e90b4cb80dc18b340a08556ce6b7f58474357803da55b4eca96ab8.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 193.233.20.12:4132 | (none) | tcp (6 connections)
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\skh73pn.exe
MD5: d03ba7baefa1d842bfde8e04aec0a381
SHA1: 19458ed5c8e9de60e324bf8b25fb26451c0fd42c
SHA256: b34ef1ad7fd9466607629dd4fe87f9e55cf091584943124a2a19d54002ace614
SHA512: f70f93366627d01c96a06235a659c5f9f21eebb19d9b128a6a825e1b8419085b94388bd929820a0c0c36e7ee07d0e2dc59b97fb7bef5761ba3dc8de098958df2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIp36jU.exe
MD5: 5c73fd6c5b3127283eb7c0018f924a74
SHA1: 934c4f9fe7145ab70a50b6a27232213cde9637c5
SHA256: 8d3c1477b8185a75c82312e89617975a8ad503e4aecbfe7df09891efa91e39ec
SHA512: 16d271b4a695a571f48148688592f0ba301632f9be28b631716186682074a15bec5706203d511570623ee808182542b21306743a4051016d5c8102e34fe04c6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kZl49NG.exe
MD5: da6f3bef8abc85bd09f50783059964e3
SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Memory dumps from PID 3676 (kZl49NG.exe, the final stage in the process chain above):
memory/3676-21-0x0000000000F00000-0x0000000000F32000-memory.dmp
memory/3676-22-0x0000000005D20000-0x0000000006338000-memory.dmp
memory/3676-23-0x00000000058A0000-0x00000000059AA000-memory.dmp
memory/3676-24-0x00000000057D0000-0x00000000057E2000-memory.dmp
memory/3676-25-0x0000000005830000-0x000000000586C000-memory.dmp
memory/3676-26-0x00000000059B0000-0x00000000059FC000-memory.dmp