Malware Analysis Report

2024-12-01 01:22

Sample ID 241111-lbq5zaxckn
Target 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e
SHA256 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e
Tags
redline romik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e

Threat Level: Known bad

The file 2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 09:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 09:21

Reported

2024-11-11 09:24

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows in the original; the indicator detail did not survive extraction)

Redline family

redline

Adds Run key to start application

persistence
Note: all three values below are RunOnce entries named wextract_cleanupN, written by the Windows self-extracting cabinet stub (wextract) at each stage of the nested dropper. Each one only schedules rundll32.exe advpack.dll,DelNodeRunDLL32 to delete the matching IXP00N.TMP staging directory at the next logon; it does not relaunch any executable. Treat this hit as installer housekeeping rather than stealer persistence: the report records no Run or RunOnce value written by the final stage, dlm77.exe.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe N/A

Suspicious use of WriteProcessMemory

Each row is one stage writing into the next stage's process (the report lists every write three times). Read in order they give the dropper chain: the sha256-named sample (PID 3712) -> IXP000.TMP\vcP52.exe (PID 2228) -> IXP001.TMP\vBJ01.exe (PID 1472) -> IXP002.TMP\dlm77.exe (PID 5036), the process whose memory regions are dumped under Files below.
Description Indicator Process Target
PID 3712 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
PID 3712 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
PID 3712 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
PID 2228 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
PID 2228 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
PID 2228 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
PID 1472 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
PID 1472 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
PID 1472 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe

"C:\Users\Admin\AppData\Local\Temp\2e6cc644d077ff415e3dee4f709f1a9e9d7c48910485be336eac02135eea824e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe

Network

The udp rows are reverse (PTR) lookups sent to 8.8.8.8 for addresses that are never contacted directly in this trace; they are typical of guest OS background activity, not traffic attributable to the sample. The only direct connection is the repeated TCP session to 193.233.20.12:4132, which is the endpoint to carry as the network IOC for this sample.
Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
RU 193.233.20.12:4132 tcp
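The registry, WriteProcessMemory and network rows above are flat text, and the three questions a responder asks of them (what is the process chain, is the RunOnce entry real persistence, which endpoint is the C2) are easy to get wrong by eye. The script below is an added example, not sandbox output and not code from the sample: it parses a constructed excerpt of the rows above, rebuilds the parent-to-child chain, classifies each RunOnce value (the wextract_cleanup entries are flagged as self-extractor cleanup, not persistence), and separates the PTR lookups from the direct TCP connection. The sha256-named dropper is shortened to sample.exe in the excerpt; the regexes assume the row layout shown on this page.

```python
"""Turn rows from the behavioral report into a process chain, a persistence
verdict for the RunOnce entries, and a network IOC list.  Added example; this is
not output of the sandbox and not code from the sample."""
import re
from collections import Counter

# Constructed excerpt: one copy of each distinct row from the Signatures and
# Network sections above, plus one repeated write row as the report has.
# The sha256-named dropper is shortened to sample.exe.
REPORT = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe N/A
PID 3712 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
PID 3712 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe
PID 2228 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe
PID 1472 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
RU 193.233.20.12:4132 tcp
'''

# Row layouts as rendered on this page (assumption: one event per line).
RUNONCE_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\S+) = "(?P<value>.*)" (?P<proc>\S+) N/A$', re.M)
WRITE_RE = re.compile(
    r'^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$', re.M)
NET_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\S+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$', re.M)


def runonce_entries(report):
    """Classify each RunOnce value.  wextract_cleanupN values written by the
    Windows self-extractor only run advpack.dll,DelNodeRunDLL32 to delete the
    IXP*.TMP staging directory at next logon; they never relaunch a payload."""
    out = []
    for m in RUNONCE_RE.finditer(report):
        name = m['key'].rsplit('\\', 1)[-1]
        staged = re.search(r'IXP\d{3}\.TMP', m['value'])
        sfx = name.startswith('wextract_cleanup') and 'advpack.dll,DelNodeRunDLL32' in m['value']
        out.append({
            'name': name,
            'writer': m['proc'].rsplit('\\', 1)[-1],
            'persistence': not sfx,
            'reason': (f'self-extractor cleanup: deletes {staged.group()} at next logon'
                       if sfx and staged else 'RunOnce launches a command at next logon'),
        })
    return out


def process_chain(report):
    """Rebuild parent->child edges from the WriteProcessMemory rows and return
    them depth-first as (depth, pid, image) tuples, root process first."""
    images, children = {}, {}
    for m in WRITE_RE.finditer(report):
        parent, child = int(m['parent']), int(m['child'])
        images[parent], images[child] = m['pimg'], m['cimg']
        kids = children.setdefault(parent, [])
        if child not in kids:          # the report repeats each write; keep one edge
            kids.append(child)
    all_children = {c for kids in children.values() for c in kids}
    out = []

    def walk(pid, depth):
        out.append((depth, pid, images[pid]))
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in children if p not in all_children]:
        walk(root, 0)
    return out


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58' (undo the reversed octets)."""
    return '.'.join(reversed(name.split('.')[:4]))


def network_iocs(report):
    """Separate reverse-DNS lookups (OS background noise) from direct TCP
    connections, which for a stealer are the C2 candidates worth blocking."""
    ptr, direct = [], Counter()
    for m in NET_RE.finditer(report):
        domain = m['domain'] or ''
        if m['proto'] == 'udp' and m['port'] == '53' and domain.endswith('.in-addr.arpa'):
            ptr.append(ptr_to_ip(domain))
        elif m['proto'] == 'tcp':
            direct[(m['ip'], int(m['port']), m['cc'])] += 1
    return {'c2_candidates': dict(direct), 'ptr_lookups': ptr}


if __name__ == '__main__':
    for depth, pid, image in process_chain(REPORT):
        print('  ' * depth + f"{pid} {image.rsplit(chr(92), 1)[-1]}")
    for entry in runonce_entries(REPORT):
        print(entry)
    print(network_iocs(REPORT))
```

Running it prints the four-stage chain with sample.exe at the root, three RunOnce entries all marked persistence=False with the staging directory each one deletes, and a single C2 candidate (193.233.20.12, 4132) with the PTR lookups listed separately. Reverse lookups are resolved back to forward addresses so they can be compared against the direct-connection list; here none of them is ever contacted, which is what marks them as background noise rather than sample traffic.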

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcP52.exe

MD5 d9e739d9ff85a85d4ae6c0707ebef68b
SHA1 2082d945a785a3003b03d3e33a6e26c2f4d5ac24
SHA256 97e68cc6719f514f36fbb806bd5bd017325dbe9b6584c30fa8c6105bb22d1289
SHA512 6849ed07e32b620baadd68324266e12c691269ccd3da4ac24be69847be5536fbf953cd56ef39b072358f2637818ed77fe2045183ae5938d0736298b4b5c2d008

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vBJ01.exe

MD5 be3c2a6f36d8411f58580b0b2283046e
SHA1 77ac282e7ac1bd4be9cbf7b0c8dd797774433a72
SHA256 8f1bcb263e5bc70216a07df0fad50357e0dbf77d33417e212142e4d6eced875c
SHA512 17e8339b23db2955db972797d436618f521f3376a58ad1e6c26177c9288c15a21aa5e252199db1a69aba19f43f7ebed8fa35b5a319b7bddf1c9c95a5207011fa

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dlm77.exe

MD5 96cb25fef251057fd9f24f0c8cb90831
SHA1 dc393dceb9194a4814c42b87eb392ff37fca6c68
SHA256 d78d94ee7f5e64a25f292d51afee7a7a8f383a9a48a7d54135e9fdfc0fe7fdac
SHA512 6ad5d18632523607c9d7ec5bbc0dee2664755740a24b475bfc5f56b2707bef2343e12d3d2c6c0d5c7cf2239e245d6a8c6246ddeaf97ba4eba61a123cccaacaa0

memory/5036-22-0x00000000025B0000-0x00000000025F6000-memory.dmp

memory/5036-23-0x0000000004F50000-0x00000000054F4000-memory.dmp

memory/5036-24-0x00000000026C0000-0x0000000002704000-memory.dmp

memory/5036-74-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-88-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-86-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-84-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-82-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-80-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-78-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-76-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-72-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-70-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-69-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-66-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-64-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-62-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-60-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-58-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-56-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-54-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-52-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-48-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-46-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-44-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-42-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-40-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-38-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-36-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-35-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-33-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-30-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-28-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-26-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-25-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-50-0x00000000026C0000-0x00000000026FE000-memory.dmp

memory/5036-931-0x0000000005500000-0x0000000005B18000-memory.dmp

memory/5036-932-0x0000000005B20000-0x0000000005C2A000-memory.dmp

memory/5036-933-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

memory/5036-934-0x0000000004EF0000-0x0000000004F2C000-memory.dmp

memory/5036-935-0x0000000005D30000-0x0000000005D7C000-memory.dmp