Malware Analysis Report

2024-12-07 04:12

Sample ID 241113-as55nstela
Target 07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe
SHA256 07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5e
Tags
redline ruma discovery infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5e

Threat Level: Known bad

The file 07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe was found to be: Known bad.

Malicious Activity Summary

redline ruma discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 00:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 00:29

Reported

2024-11-13 00:31

Platform

win10v2004-20241007-en

Max time kernel

111s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
PID 1400 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
PID 1400 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe
PID 4536 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
PID 4536 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
PID 4536 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe
PID 4056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe
PID 4056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe
PID 4056 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe

Processes

C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe

"C:\Users\Admin\AppData\Local\Temp\07c9d1fa427f5daf282a26639d9a1663852abc036d4e91a0c1bcecfed6ad0c5eN.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 82.190.18.2.in-addr.arpa udp
RU 193.233.20.13:4136 tcp
RU 193.233.20.13:4136 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.233.20.13:4136 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vsh86.exe

MD5 6b439981ec44a792dc8fc1c84759094a
SHA1 fd7c90196c70d4eb0cc992c4195c4050847f88e5
SHA256 b4ccba2b67d3f344e245f78ab9759a90d99ed83c1d9538ea9d0e5cf80ac5cdb6
SHA512 876d5d7a7be6dae4fa1b7396b2b024f0d8406573cb3ded1cf725dbdc90b88119cecc578dc294b5b1fb30e48059e1b915352e9823a9600c3fdcd0b1b2959b35f8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vkI61.exe

MD5 ea82a9132d81fdd49514a643b82c5be9
SHA1 8f8bc0f74456638dec6460e99f7dbfd55a20c463
SHA256 dbe5573ae2fd493a206dbae70c15c46a15f4c9c7620befdbd891c43a167751bd
SHA512 2b2a12479ebaf7cfc300c0cd3e162bfb9a7d7eb3e12aa27dd6d4cede3a6708d6e31df190a0cbb4062b0e37a0e726306b9ac80bc7a2907bece195327888db80be

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dpr78.exe

MD5 8052d925dcd515d349e252a0d434e27c
SHA1 9a78f5daa0001a5d4f2c1e9439f4ce80f4ef15db
SHA256 bd229d944fbb7266329eda429de3ac07f2a89729ee91d1f9dfda73ea3b6691cc
SHA512 ed29c5bfa0123e5e0ee16afe72d2279139149eebe82b5aae572d714d1f1e1426c2d5484066c7b637f70732524733c27d3d0dda7cfda8a60c918c783a33f124de

memory/2820-22-0x0000000002590000-0x00000000025D6000-memory.dmp

memory/2820-23-0x0000000004E90000-0x0000000005434000-memory.dmp

memory/2820-24-0x0000000004D90000-0x0000000004DD4000-memory.dmp

memory/2820-26-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-34-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-88-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-86-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-84-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-82-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-78-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-76-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-75-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-72-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-70-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-68-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-66-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-64-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-62-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-60-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-56-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-54-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-52-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-50-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-48-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-46-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-44-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-40-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-38-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-36-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-32-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-30-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-28-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-80-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-58-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-42-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-25-0x0000000004D90000-0x0000000004DCE000-memory.dmp

memory/2820-931-0x0000000005440000-0x0000000005A58000-memory.dmp

memory/2820-932-0x0000000005A60000-0x0000000005B6A000-memory.dmp

memory/2820-933-0x0000000005B80000-0x0000000005B92000-memory.dmp

memory/2820-934-0x0000000005BA0000-0x0000000005BDC000-memory.dmp

memory/2820-935-0x0000000005CF0000-0x0000000005D3C000-memory.dmp