Malware Analysis Report

2024-12-01 01:22

Sample ID: 241111-z61jsaxajj
Target:    38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1
SHA256:    38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1
Tags:      redline romik discovery infostealer persistence
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1
Threat Level: Known bad

The file 38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1 was found to be: Known bad.

Malicious Activity Summary

redline romik discovery infostealer persistence

RedLine payload

RedLine

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 21:20

Signatures

Unsigned PE
The PE carries no Authenticode signature. No further description, indicator, process or target is recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-11 21:20
Reported:         2024-11-11 21:23
Platform:         win10v2004-20241007-en
Max time kernel:  148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe"

Signatures

RedLine
Tags: infostealer redline

RedLine payload
35 detections recorded; the report populates no description, indicator, process or target for any of them.

Redline family
Tags: redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe N/A

These two values are the cleanup hook that Windows wextract-style self-extracting cabinets (IExpress packages) register: at next logon, rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP00n.TMP extraction directory. The value relaunches nothing, so on its own it is an extraction-layer artifact rather than payload persistence; "Adds Run key to start application" is the sandbox's generic label for any Run/RunOnce write. What the pair does show is two layers of packaging: the sample extracts to IXP000.TMP and registers wextract_cleanup0, then vrW84.exe, running from IXP000.TMP, extracts to IXP001.TMP and registers wextract_cleanup1 (the next free suffix). The WOW6432Node path means both writers are 32-bit processes on the 64-bit Windows 10 image.
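The check an analyst would run over these two rows, as an added example that is not part of the sandbox's own report or tooling: it recognises the wextract cleanup pattern in a RunOnce value, pulls out the extraction directory, and reconstructs the layering by asking whether each writer runs from an earlier layer's extraction directory. The two registry events are transcribed from the table above; the regex assumes the advpack.dll path and quoting form seen here, and the field names in the returned dictionaries are this example's own.

```python
import re
from typing import Dict, List, Sequence, Tuple

# Registry set-value rows transcribed from the "Adds Run key to start application" table:
# (value path, data, writing process). The report shows the data with backslashes
# doubled; here it is the literal registry string.
RUNONCE_EVENTS: List[Tuple[str, str, str]] = [
    (
        r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
        r"C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe",
    ),
    (
        r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
        r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
        r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe",
    ),
]

# The cleanup hook a wextract-style self-extracting cabinet writes: rundll32 loading
# advpack.dll!DelNodeRunDLL32 with the extraction directory as its only argument.
# (Assumption: the DLL is given by path or bare name and the directory is double-quoted.)
CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:[a-z]:\\[^,"]*\\)?advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)


def classify_runonce(value_path: str, data: str, writer: str) -> Dict[str, object]:
    """Classify one RunOnce set-value event.

    A matching event is the SFX cleanup hook: it deletes a directory at next logon and
    relaunches nothing, so it is not payload persistence. Anything else written under
    RunOnce stays flagged as an autostart candidate for manual review.
    """
    value_name = value_path.rsplit("\\", 1)[-1]
    m = CLEANUP_RE.match(data)
    is_cleanup = bool(m) and value_name.lower().startswith("wextract_cleanup")
    return {
        "value": value_name,
        "writer": writer,
        "is_wextract_cleanup": is_cleanup,
        "extract_dir": m.group("dir").rstrip("\\") if is_cleanup else None,
        "autostart_candidate": not is_cleanup,
    }


def sfx_layers(events: Sequence[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """Order the cleanup hooks into extraction layers and mark nesting.

    A layer is nested when its writer runs from the extraction directory of an earlier
    layer, i.e. the outer SFX dropped and executed an inner SFX.
    """
    layers: List[Dict[str, object]] = []
    for value_path, data, writer in events:
        info = classify_runonce(value_path, data, writer)
        if not info["is_wextract_cleanup"]:
            continue
        parent = None
        for earlier in layers:
            if writer.lower().startswith(str(earlier["extract_dir"]).lower() + "\\"):
                parent = earlier
        info["parent_dir"] = parent["extract_dir"] if parent else None
        info["depth"] = int(parent["depth"]) + 1 if parent else 0
        layers.append(info)
    return layers


if __name__ == "__main__":
    for layer in sfx_layers(RUNONCE_EVENTS):
        print(f'depth {layer["depth"]}: {layer["writer"]} -> cleans up {layer["extract_dir"]}')
```

On this report the function returns two layers, depth 0 for the sample and depth 1 for vrW84.exe, and marks neither value as an autostart candidate; a RunOnce value that does not match the cleanup pattern would come back with autostart_candidate set and should be read as possible real persistence.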

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe N/A

All three stages open the NLS\Language key; this is what the sandbox reports as system-language discovery. The same key is read by ordinary locale APIs, so the open alone is a weak indicator; its weight here comes from the RedLine family match, not from the key access.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe N/A

Only the innermost stage, dTi36.exe, enables SeDebugPrivilege, which is what a process needs before it can open other processes with full access. The Malicious Activity Summary also lists "Suspicious use of WriteProcessMemory", but no row for it appears in this behavioral run's tables, so which process performed the write is not recorded here.

Processes

C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\38a69dbb581af4f2f9dd2762e58adadb968e62f36b57143198bd2f45b5cdbdc1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe

Chain as the dropped-EXE and RunOnce evidence implies it: the sample extracts to IXP000.TMP and runs vrW84.exe, which extracts to IXP001.TMP and runs dTi36.exe, the stage that enables SeDebugPrivilege.

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53           83.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53           71.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
RU       193.233.20.12:4132   -                             tcp
RU       193.233.20.12:4132   -                             tcp
US       8.8.8.8:53           197.87.175.4.in-addr.arpa     udp
US       8.8.8.8:53           241.42.69.40.in-addr.arpa     udp
US       8.8.8.8:53           99.209.201.84.in-addr.arpa    udp
RU       193.233.20.12:4132   -                             tcp
US       8.8.8.8:53           98.209.201.84.in-addr.arpa    udp
RU       193.233.20.12:4132   -                             tcp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa    udp
RU       193.233.20.12:4132   -                             tcp
RU       193.233.20.12:4132   -                             tcp

Every udp row is a reverse (PTR) lookup sent to 8.8.8.8, and the table does not attribute rows to processes, so those lookups cannot be tied to the sample from this page alone. The only direct connection is 193.233.20.12:4132, contacted six times over TCP; that endpoint is the C2 candidate to block and hunt for.
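A small triage helper over the table above, added here as an example and not part of the sandbox's report or tooling: it decodes each in-addr.arpa name back to the IPv4 address that was reverse-resolved, separates resolver traffic from direct connections, and ranks direct endpoints by connection count so the C2 candidate surfaces first. The rows are transcribed from the Network table; the row tuple layout and the summary field names are this example's own choices.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

# Rows transcribed from the report's Network table: (country, destination, domain, proto).
# The report leaves the domain column empty for the TCP rows.
NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "232.168.11.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "71.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "99.209.201.84.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "98.209.201.84.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
    ("RU", "193.233.20.12:4132", "", "tcp"),
]


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a reverse-DNS name (octets reversed under in-addr.arpa) back into dotted IPv4.

    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows: Sequence[Tuple[str, str, str, str]]) -> Dict[str, object]:
    """Split the table into resolver traffic and direct connections.

    ptr_targets: the IPs that were reverse-resolved via queries to port 53 (in table order).
    direct: ((country, "ip:port"), connection count) for TCP rows, busiest first, so the
    most-contacted endpoint, the C2 candidate, comes out on top.
    """
    ptr_targets: List[str] = []
    direct: Counter = Counter()
    for country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain) if domain else None
        if proto == "udp" and dest.endswith(":53") and ip:
            ptr_targets.append(ip)
        elif proto == "tcp":
            direct[(country, dest)] += 1
    ranked = sorted(direct.items(), key=lambda kv: -kv[1])
    return {"ptr_targets": ptr_targets, "direct": ranked}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for (country, dest), n in s["direct"]:
        print(f"direct {dest} ({country}) x{n}")
    print("reverse-resolved:", ", ".join(s["ptr_targets"]))
```

Decoding the PTR names is what makes the lookups actionable: an analyst can check the recovered addresses against the host's own OS and browser telemetry ranges before treating any of them as sample-driven, while the ranked direct list already gives the single TCP endpoint worth blocking.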

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vrW84.exe

MD5 3958dd8ac2a8746b927e9ac278aa66fd
SHA1 c44b9d160613628015256846309f2a6fdf666944
SHA256 152d9b91a6b37cbdb0bff999e8e2fdb21c5428a0aea7c8eb5f447c887fd0250c
SHA512 3d376334d19f6ed2589cf2e67e85613f1a1ae3ed856318ebe123e005b67b94678d43b4a94c72ae61e2453aea75419a90debc599b8fbfdeb355468a2488277c3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTi36.exe

MD5 24c46754103adc1ecce0a7e177f03bf2
SHA1 72f06bb8c21d8da858a16399e2cd86be84f2e987
SHA256 0130db5ed9a6d75757e9232d13d56033239b00afc7eeade437f96e377353181c
SHA512 55ec531b17b8c7f193f918ff2042b72c18f6e4a081acb6daffdc5801c0083d2fa582e06ca495dcd3c2b624f4b291f2fae61b4364452b45f1c8635d41acb70eef

Memory dumps, named memory/2520-<n>-<start>-<end>-memory.dmp, where 2520 is the PID of the dumped process in this naming scheme and <n> the capture sequence number. Listed by sequence number, with repeated captures of the same region grouped:

2520-15   0x0000000000A40000-0x0000000000B40000
2520-16   0x00000000023E0000-0x000000000242B000
2520-17   0x0000000000400000-0x000000000044E000
2520-18   0x0000000000400000-0x00000000007B1000
2520-19   0x0000000004CF0000-0x0000000004D36000
2520-20   0x0000000004EC0000-0x0000000005464000
2520-21   0x0000000004D90000-0x0000000004DD4000
2520-22, 23, 25, 28, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 56, 57, 59, 61, 63, 65, 67, 69, 71, 74, 75, 77, 79, 81, 83, 85
          0x0000000004D90000-0x0000000004DCE000 (33 captures of the same region)
2520-928  0x0000000005470000-0x0000000005A88000
2520-929  0x0000000005A90000-0x0000000005B9A000
2520-930  0x0000000005BD0000-0x0000000005BE2000
2520-931  0x0000000005BF0000-0x0000000005C2C000
2520-932  0x0000000005D40000-0x0000000005D8C000
2520-933  0x0000000000A40000-0x0000000000B40000
2520-934  0x00000000023E0000-0x000000000242B000
2520-935  0x0000000000400000-0x000000000044E000