Malware Analysis Report

2024-12-01 01:22

Sample ID 241111-m9pkgayfrf
Target 9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2
SHA256 9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2
Tags
redline romik discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2

Threat Level: Known bad

The file 9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2 was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

Redline family

RedLine

RedLine payload

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 11:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
(one row exported, every field N/A; the static pass records only that the PE carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 11:10

Reported

2024-11-11 11:12

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(35 rows exported, every field N/A; the row-level match detail is not recoverable from this export)

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | N/A

Note on this signature: wextract_cleanup<N> values that point rundll32.exe at advpack.dll,DelNodeRunDLL32 "<dir>" are written by wextract.exe, the Windows IExpress self-extractor, so that its IXP00<N>.TMP extraction directory is deleted at the next logon. Each stage here wrote the value for its own directory (the sample for IXP000.TMP, vGu18.exe for IXP001.TMP, vJl17.exe for IXP002.TMP), which identifies the sample as a three-layer nested IExpress package; it does not show an autostart of the RedLine payload, and no Run value that launches any of the dropped executables was recorded. The values sit under HKLM\SOFTWARE\WOW6432Node because the extractors are 32-bit processes. The practical consequence is the opposite of persistence: the dropped stages in IXP000.TMP, IXP001.TMP and IXP002.TMP are removed at the next logon, so collect them from an infected host before it restarts.
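The check a responder wants from this table, as an added example that is not part of the sandbox report: parse RunOnce rows in the report's own format, tell IExpress cleanup entries apart from genuine autostart values, and list the IXP00N.TMP directories that will be deleted at next logon so they can be collected first. The three rows are copied from the table above; the fourth row (a Run value named Updater) is a constructed, hypothetical entry that was not observed for this sample and is included only to show the other classification. The classification rule (value name wextract_cleanup<N> plus the advpack DelNodeRunDLL32 command) is this example's, not the sandbox's.

```python
"""Separate IExpress (wextract) cleanup entries from real autostart entries.

Added example, not part of the sandbox report. It parses "Set value (str)"
rows in the report's format and classifies each Run/RunOnce value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input. The first three rows are the registry writes from the
# report's persistence table; the fourth is a hypothetical autostart value,
# not observed for this sample, included only to show the other outcome.
REPORT_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""',
    # hypothetical, not from the report:
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe"',
]

# <hive>\...\Run or RunOnce\<value name> = "<escaped data>"
ROW_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\.+?\\(?P<subkey>Run|RunOnce))\\(?P<name>[^\\=\s]+) = "(?P<data>.*)"$'
)
# The data string wextract.exe writes: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[A-Za-z]:\\[^,]*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    subkey: str                # "Run" or "RunOnce"
    name: str                  # value name
    command: str               # unescaped value data
    kind: str                  # "iexpress_cleanup" or "autostart"
    target_dir: Optional[str]  # directory DelNodeRunDLL32 will delete, if cleanup


def unescape(data: str) -> str:
    """Undo the C-style escaping the report applies to value data."""
    return re.sub(r'\\(.)', r'\1', data)


def parse_row(row: str) -> RunEntry:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    command = unescape(m.group("data"))
    cleanup = CLEANUP_RE.match(command)
    # Require both the IExpress value-name pattern and the advpack delete
    # command: together they are how wextract.exe schedules removal of its
    # IXP00N.TMP directory at next logon.
    if cleanup and re.fullmatch(r"wextract_cleanup\d+", m.group("name"), re.IGNORECASE):
        return RunEntry(m.group("subkey"), m.group("name"), command,
                        "iexpress_cleanup", cleanup.group("dir").rstrip("\\"))
    return RunEntry(m.group("subkey"), m.group("name"), command, "autostart", None)


def classify_rows(rows) -> List[RunEntry]:
    return [parse_row(r) for r in rows]


def staging_dirs(entries) -> List[str]:
    """Directories that will be wiped at next logon: collect these first."""
    return [e.target_dir for e in entries if e.kind == "iexpress_cleanup"]


def nesting_depth(entries) -> int:
    """Number of IExpress layers: one cleanup value per extractor stage."""
    return sum(1 for e in entries if e.kind == "iexpress_cleanup")


if __name__ == "__main__":
    entries = classify_rows(REPORT_ROWS)
    for e in entries:
        print(f"{e.subkey}\\{e.name}: {e.kind}  {e.target_dir or e.command}")
    print("IExpress layers:", nesting_depth(entries))
```

Run against the report rows this yields three iexpress_cleanup entries (nesting depth 3) and the staging directories IXP000.TMP, IXP001.TMP and IXP002.TMP; only the hypothetical Updater value comes out as autostart.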

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | N/A

Note on this signature: all four processes in the chain open the NLS\Language key, including the three extractor layers, so the hit is not specific to the RedLine payload. Benign software reads this key routinely; on its own it is a low-fidelity signal and should not be weighted as evidence of deliberate geofencing.

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe | N/A

Only the innermost stage, dkS63.exe (PID 1548, the process whose memory regions are dumped under Files), enables SeDebugPrivilege; the three extractor layers do not. That is the process to concentrate memory and network analysis on.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4380 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
PID 4380 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
PID 4380 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
PID 3708 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
PID 3708 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
PID 3708 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
PID 1420 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe
PID 1420 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe
PID 1420 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe

Every write goes from one stage into the next stage it launches (sample 4380 -> vGu18.exe 3708 -> vJl17.exe 1420 -> dkS63.exe 1548); each pair appears three times because the sandbox logs each WriteProcessMemory call separately. No write into a process outside this chain was recorded. Whether these are the ordinary writes a parent makes into a child it has just created or a payload being placed into the child cannot be told from this table alone; the dumped memory of PID 1548 under Files is where to check.

Processes

Process chain (PIDs and parent/child links taken from the WriteProcessMemory rows above; each stage runs from the IXP00N.TMP directory the previous stage extracted):

PID 4380  C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe"
  PID 3708  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe
    PID 1420  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
              command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe
      PID 1548  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe
                command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe
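As an added example that is not part of the report: rebuild the stage chain from the WriteProcessMemory rows and classify each write. The rule used here is a heuristic chosen for this example, not the sandbox's logic: a write counts as a stage hand-off when the target is a file one IXP00N.TMP level deeper than the writer and nothing else writes into that target; anything else (for instance a write into a system binary) is flagged as an injection candidate. The nine report rows are copied from the table above; the tenth row, a write by PID 1548 into a process 2200 running svchost.exe, is constructed and hypothetical, not something observed for this sample, and is there only to show the second classification.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows and
separate stage hand-offs from cross-process writes.

Added example, not part of the sandbox report. The classification rule is a
heuristic chosen here, not the sandbox's own logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2.exe"
STAGE0 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe"

# Constructed input: the nine rows of the report's WriteProcessMemory table
# (three calls per stage) ...
REPORT_ROWS = (
    [f"PID 4380 wrote to memory of 3708 N/A {SAMPLE} {STAGE0}"] * 3
    + [f"PID 3708 wrote to memory of 1420 N/A {STAGE0} {STAGE1}"] * 3
    + [f"PID 1420 wrote to memory of 1548 N/A {STAGE1} {STAGE2}"] * 3
)
# ... plus one hypothetical row, NOT observed for this sample, showing what a
# write into an unrelated system process would look like.
HYPOTHETICAL_ROW = "PID 1548 wrote to memory of 2200 N/A " + STAGE2 + r" C:\Windows\System32\svchost.exe"

ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$")
STAGE_DIR_RE = re.compile(r"\\IXP(?P<n>\d{3})\.TMP\\", re.IGNORECASE)


@dataclass(frozen=True)
class Write:
    src: int
    dst: int
    src_img: str
    dst_img: str


def parse_rows(rows) -> List[Write]:
    """Parse and deduplicate; the report lists one row per call."""
    seen, out = set(), []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        w = Write(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def stage_index(image: str):
    """IExpress extraction depth from the path (IXP000.TMP -> 0); None if not staged."""
    m = STAGE_DIR_RE.search(image)
    return int(m["n"]) if m else None


def classify(writes: List[Write]) -> Dict[Tuple[int, int], str]:
    """handoff: the target is a dropped file one IXP level deeper than the
    writer and has no other writer. injection_candidate: anything else."""
    writers: Dict[int, set] = {}
    for w in writes:
        writers.setdefault(w.dst, set()).add(w.src)
    result = {}
    for w in writes:
        src_depth = stage_index(w.src_img)
        dst_depth = stage_index(w.dst_img)
        expected = (-1 if src_depth is None else src_depth) + 1
        next_level = dst_depth is not None and dst_depth == expected
        sole_writer = writers[w.dst] == {w.src}
        result[(w.src, w.dst)] = "handoff" if next_level and sole_writer else "injection_candidate"
    return result


def process_chain(writes: List[Write]) -> List[Tuple[int, str]]:
    """Walk writer -> target from the root (the PID nobody wrote to), stopping
    where the chain branches or ends."""
    children: Dict[int, List[int]] = {}
    images: Dict[int, str] = {}
    for w in writes:
        children.setdefault(w.src, []).append(w.dst)
        images[w.src] = w.src_img
        images[w.dst] = w.dst_img
    targets = {w.dst for w in writes}
    cur = next(p for p in images if p not in targets)
    chain = []
    while True:
        chain.append((cur, images[cur]))
        nxt = children.get(cur, [])
        if len(nxt) != 1:
            return chain
        cur = nxt[0]


if __name__ == "__main__":
    writes = parse_rows(REPORT_ROWS + [HYPOTHETICAL_ROW])
    for depth, (pid, img) in enumerate(process_chain(writes)):
        print("  " * depth + f"PID {pid}  {img}")
    for (src, dst), kind in classify(writes).items():
        print(f"{src} -> {dst}: {kind}")
```

On the report rows alone the chain comes out as 4380 -> 3708 -> 1420 -> 1548 and every write is a hand-off; only the constructed svchost.exe row is classified as an injection candidate.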

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.12:4132 | (none) | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.12:4132 | (none) | tcp
RU | 193.233.20.12:4132 | (none) | tcp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
RU | 193.233.20.12:4132 | (none) | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 193.233.20.12:4132 | (none) | tcp
RU | 193.233.20.12:4132 | (none) | tcp

Reading the table: the *.in-addr.arpa names are reverse (PTR) lookups sent to the resolver 8.8.8.8; the octets are in reverse order, so they ask for the names of 52.167.17.97, 84.201.209.68, 192.229.221.95, 52.140.118.28, 4.245.163.56, 13.85.23.206, 199.232.210.172, 84.201.209.105 and 52.111.227.11. The report does not attribute traffic to a process. The only non-DNS traffic is six TCP connections to 193.233.20.12:4132 (RU), with no name lookup preceding them, i.e. a hard-coded IP and port; that endpoint is the network indicator to pivot on for this sample.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGu18.exe

MD5 1c03cf581d0b202e326d177106dce492
SHA1 e53f111b16694713dc233e2a53f9f3de317cb802
SHA256 621a683bbf03c7b907a5a84d18a971d3c033eb0cee9ffb51b6ebe1e795b21f1a
SHA512 2b189d85934f9c9e5ffba05f0ae8b13b9351b5c9c6f0926197c8c53ce07359ea3a3fa256ba802b7ebf3e73b7e574af21c9aaa30ec5d64e24a90a0dd41fe9175a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vJl17.exe

MD5 b9e5e108c15efadef1247987402118e5
SHA1 7f6bb289ba9b7de7efd48f7294f1d18e8c149669
SHA256 14a7e1de2c732d95b5f661b897cd4aa7dd97287679bc7cb2962544ff2309e3e6
SHA512 23c6bc3ac0438096a54bef8c61c300410a32ec1d06d9115ba1b214703406ae10cb7269c5736a12ca8a5a76d66b9ed22b7f1cb9913f965bec28a67d0105701370

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dkS63.exe

MD5 05cec4f107653cd20a093e2ab3255796
SHA1 3ea89b1cf7fc3a40d3a8c06d7e3082b39ad67f85
SHA256 f8f4ea19cff74a70ef2cc653515d2512d6caf81f7cff71774ae8978718039326
SHA512 7553f277177d5025c4346ce5d727073c83c224b12540908bf6d8b75e229ec25b5ad0ef1ce6569ecb59661ef7e16926c3a5bfad477979f9b9d0ab55cc80091b65
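To turn the Network rows above and the file hashes in this section into something a SOC can match, here is an added example that is not part of the report: it decodes the in-addr.arpa names back to the addresses being looked up, drops the resolver, keeps the TCP endpoint and the SHA256 values as indicators, and matches them against a few constructed key=value event lines whose field names mimic Sysmon (EventID 3 network connection, EventID 1 process creation). The event lines are made up for the demonstration and are not telemetry from this detonation; treating 8.8.8.8 as the resolver rather than an indicator is this example's assumption, taken from the report's DNS rows.

```python
"""Turn the report's Network and Files sections into an indicator set and
match it against host telemetry.

Added example, not part of the sandbox report. The event lines at the bottom
are constructed; the key names mimic Sysmon fields but the records are not
real logs from this detonation.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed copies of the report's Network rows: Country Destination [Domain] Proto.
NETWORK_ROWS = [
    "US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp",
    "US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "RU 193.233.20.12:4132 tcp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp",
    "US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "RU 193.233.20.12:4132 tcp",
    "RU 193.233.20.12:4132 tcp",
    "US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp",
    "RU 193.233.20.12:4132 tcp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "RU 193.233.20.12:4132 tcp",
    "RU 193.233.20.12:4132 tcp",
]
# SHA256 of the submitted sample and the three dropped stages from the Files section.
FILE_SHA256 = {
    "9c87ae8aa139f78d048e64fef780cef440b87e3ac7f583cbda8f530995cd1de2",
    "621a683bbf03c7b907a5a84d18a971d3c033eb0cee9ffb51b6ebe1e795b21f1a",
    "14a7e1de2c732d95b5f661b897cd4aa7dd97287679bc7cb2962544ff2309e3e6",
    "f8f4ea19cff74a70ef2cc653515d2512d6caf81f7cff71774ae8978718039326",
}
# Assumption: the resolver seen in the report's DNS rows is infrastructure, not an indicator.
RESOLVERS = {"8.8.8.8"}


def ptr_to_ip(name: str):
    """'97.17.167.52.in-addr.arpa' -> '52.167.17.97'; None for any other name."""
    m = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", name, re.IGNORECASE)
    return ".".join(reversed(m.groups())) if m else None


def build_iocs(rows, sha256s) -> Dict[str, Set]:
    endpoints: Set[Tuple[str, int, str]] = set()   # (ip, port, proto) excluding resolvers
    ptr_targets: Set[str] = set()                  # addresses whose PTR record was requested
    for row in rows:
        parts = row.split()
        if len(parts) == 4:
            _country, dest, domain, proto = parts
        elif len(parts) == 3:
            _country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unrecognised row: {row!r}")
        ip, port = dest.rsplit(":", 1)
        if domain:
            looked_up = ptr_to_ip(domain)
            if looked_up:
                ptr_targets.add(looked_up)
        if ip not in RESOLVERS:
            endpoints.add((ip, int(port), proto))
    return {"endpoints": endpoints, "ptr_targets": ptr_targets, "sha256": {s.lower() for s in sha256s}}


def parse_event(line: str) -> Dict[str, str]:
    """key=value fields separated by whitespace (the constructed format used below)."""
    return dict(kv.split("=", 1) for kv in line.split())


def match_events(iocs, lines) -> List[Tuple[str, str]]:
    """Return (reason, line) for each event that hits a network or file indicator."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "3":
            key = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)), ev.get("Protocol", "tcp"))
            if key in iocs["endpoints"]:
                hits.append(("c2_endpoint", line))
        elif ev.get("EventID") == "1":
            if ev.get("SHA256", "").lower() in iocs["sha256"]:
                hits.append(("known_stage_hash", line))
    return hits


# Constructed telemetry, not from the detonation: two lines should match, two should not.
EVENTS = [
    "EventID=3 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\dkS63.exe DestinationIp=193.233.20.12 DestinationPort=4132 Protocol=tcp",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=8.8.8.8 DestinationPort=53 Protocol=udp",
    "EventID=1 Image=C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\dkS63.exe SHA256=F8F4EA19CFF74A70EF2CC653515D2512D6CAF81F7CFF71774AE8978718039326",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe SHA256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    iocs = build_iocs(NETWORK_ROWS, FILE_SHA256)
    print("endpoints:", sorted(iocs["endpoints"]))
    print("PTR targets:", sorted(iocs["ptr_targets"]))
    for reason, line in match_events(iocs, EVENTS):
        print(reason, "<-", line)
```

The PTR targets are kept separate from the endpoints on purpose: the report shows only that their names were looked up, not that anything connected to them, so they are context rather than blockable indicators.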

Memory dumps taken from PID 1548 (dkS63.exe). Name format: memory/<pid>-<dump number>-<start address>-<end address>-memory.dmp. The 0x00400000-0x0044E000 region (0x00400000 is the default image base of a 32-bit PE, so this is most likely the main image of dkS63.exe) and the 0x04B50000-0x04B8E000 region were dumped repeatedly; the first three and the last three dumps cover the same three regions.

memory/1548-22-0x0000000000860000-0x0000000000960000-memory.dmp
memory/1548-23-0x0000000000650000-0x000000000069B000-memory.dmp
memory/1548-24-0x0000000000400000-0x000000000044E000-memory.dmp
memory/1548-25-0x0000000004A90000-0x0000000004AD6000-memory.dmp
memory/1548-26-0x0000000004BF0000-0x0000000005194000-memory.dmp
memory/1548-27-0x0000000004B50000-0x0000000004B94000-memory.dmp
memory/1548-29-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-35-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-33-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-31-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-89-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-77-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-65-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-37-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-28-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-91-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-87-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-86-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-83-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-81-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-79-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-75-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-73-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-71-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-69-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-67-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-63-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-61-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-59-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-57-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-55-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-53-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-51-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-49-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-47-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-45-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-43-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-41-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-39-0x0000000004B50000-0x0000000004B8E000-memory.dmp
memory/1548-934-0x00000000051B0000-0x00000000057C8000-memory.dmp
memory/1548-935-0x0000000005850000-0x000000000595A000-memory.dmp
memory/1548-936-0x0000000005990000-0x00000000059A2000-memory.dmp
memory/1548-937-0x00000000059B0000-0x00000000059EC000-memory.dmp
memory/1548-938-0x0000000005B00000-0x0000000005B4C000-memory.dmp
memory/1548-940-0x0000000000860000-0x0000000000960000-memory.dmp
memory/1548-941-0x0000000000650000-0x000000000069B000-memory.dmp
memory/1548-942-0x0000000000400000-0x000000000044E000-memory.dmp