Malware Analysis Report

2024-12-01 01:21

Sample ID 241111-ke26zawfnq
Target f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9
SHA256 f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9
Tags
redline romik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9

Threat Level: Known bad

The file f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9 was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 08:31

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 08:31

Reported

2024-11-11 08:34

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe"

Signatures

RedLine

infostealer redline

RedLine payload


Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
PID 1668 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
PID 1668 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe
PID 3532 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
PID 3532 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
PID 3532 wrote to memory of 100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe
PID 100 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
PID 100 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe
PID 100 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe

"C:\Users\Admin\AppData\Local\Temp\f35d7ff51b69717921ee6ab5033d965c23d22b1127e8f225ddfb77632fce24b9.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vxq98.exe

MD5 808720598383f6ce34866d1386a7497d
SHA1 50a5d2b6549d59616fb9067ca02ee1fd80ce15f7
SHA256 5d9ee4faeabbe5bd559f7bc0758da46f5375013fc86946ed5e4605fa3383e7ca
SHA512 b571abeb700c7017e697d64ee7fadfbc6030327c05c097cb16476ff4952a259381afb96a413e7132c5d3f04569448e33b9a88ac318e645ed4d936ee7c94fa163

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vow79.exe

MD5 36f593c113598104f57f4e0cfe958f3c
SHA1 db6379d6c4734045b827fb3d87a11b1aba75d94d
SHA256 da242dce74bdeaaa9429453a2b470dbc5722b13e151aa704e41be744468f2070
SHA512 6b22f3976546f5ffdf4ba1ca487eec3ae0d0c4b3b192f2878bed5c69fdac9cc5d2db477bdb0363687f73f7e9be42dced0d57e24bfafa7e03b3efd0b35a51a665

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dXq48.exe

MD5 285075759e1fdcae6a0deb572b9f2deb
SHA1 8ba0efce7c3edce13cd2cda3c250fe4f7c90ff7b
SHA256 b5bdf2dbf6d46257447f8b9633c4b3c1905171c0ca9e6a8c1954a92accbb00c1
SHA512 54338da73f8e569a9d450ac4092d385488103da32cdfddea13d0a92c847d197584683b26a21c5fa37625ce01220717ea34d8b4da4cd3a026e15b77ef23771f02
