Malware Analysis Report

2024-12-01 01:22

Sample ID 241111-hweqwsvfml
Target fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083
SHA256 fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083
Tags
redline romik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083

Threat Level: Known bad

The file fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083 was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

Redline family

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 07:04

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 07:04

Reported

2024-11-11 07:07

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2148 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
PID 2148 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
PID 2148 wrote to memory of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
PID 4288 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
PID 4288 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
PID 4288 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
PID 4316 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
PID 4316 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
PID 4316 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fda4b898a3c579fe7ef0682031a7f1ff9c9cddf6018019f5ef8df2e4533d9083.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 71.208.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
RU | 193.233.20.12:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\viu68.exe

MD5 7b8e71bed0c5ce06d440cfdc382c14f0
SHA1 692985b9a2667122646f36baa3ba7e692244068f
SHA256 54e78bb7f9554a00751b7b4676eee607fe5018da8953318bc21af63a624c14ba
SHA512 345e6ac18dbbb01f05b2f5955d8673efefaf3d9260469f4c622d3d1848a7bdfe33eafa510541746dad4fd0ba01e369de287d1dae2499198842a5b3b67bb967a7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vWi46.exe

MD5 2c19365d8e36305798c141ba721b79c5
SHA1 66b18f8d4cc6456c69a15e6fd65021441b0b726a
SHA256 4084464a01c9471f4bea05e6e6e25a00c1114ee96dcec82c99f06ade6d1891c9
SHA512 263269aa3f5dcae6c00eac45378d38b9b68e19cd30b96f47e6e092d64417811638755761ad41096ca13b936fbf659eb03c61642c7342883a7df2399cdd0767b6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dmn77.exe

MD5 5679820c359decb6148df7d1f99dbf24
SHA1 afc2c0c251e62bdcfa1b53ae4f228ba8d734ee9f
SHA256 6187b858630a3b80420ea4e8643056877eb2c528f9f366e4b41d4d31443e5938
SHA512 71d465a2e6accb08a50dc8545792df0c0dd2ea67c06be3462448ce4d76166c12214a8e8b99d994a7303d8b9b7c6f8974b01aa5af206f3f2eed4e59b503731aa9

memory/2436-22-0x00000000027B0000-0x00000000027F6000-memory.dmp

memory/2436-23-0x0000000004E60000-0x0000000005404000-memory.dmp

memory/2436-24-0x0000000002960000-0x00000000029A4000-memory.dmp

memory/2436-34-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-88-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-86-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-84-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-80-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-78-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-76-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-74-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-72-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-68-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-66-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-64-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-62-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-60-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-56-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-54-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-52-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-50-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-48-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-46-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-44-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-42-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-40-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-38-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-36-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-32-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-30-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-82-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-28-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-70-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-58-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-26-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-25-0x0000000002960000-0x000000000299E000-memory.dmp

memory/2436-931-0x0000000005410000-0x0000000005A28000-memory.dmp

memory/2436-932-0x0000000005A80000-0x0000000005B8A000-memory.dmp

memory/2436-933-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

memory/2436-934-0x0000000005BE0000-0x0000000005C1C000-memory.dmp

memory/2436-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp