Malware Analysis Report

2024-12-07 03:57

Sample ID 241113-p3nqpsscke
Target 715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N
SHA256 715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1
Tags
redline most discovery infostealer persistence
score
10/10


Analysis Overview

score
10/10

SHA256

715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1

Threat Level: Known bad

The file 715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N was found to be: Known bad.

Malicious Activity Summary

redline most discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:51

Signatures

Unsigned PE

No description, indicator, process or target recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:51

Reported

2024-11-13 12:53

Platform

win10v2004-20241007-en

Max time kernel

106s

Max time network

115s

Command Line

"C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe"

Signatures

RedLine

infostealer redline

RedLine payload

No description, indicator, process or target recorded for this signature (two empty rows).

Redline family

redline

Executes dropped EXE

Description  Indicator  Process                                                     Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe  N/A

Adds Run key to start application

persistence

Set value (str)
  Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  Process:   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
  Target:    N/A

Set value (str)
  Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process:   C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
  Target:    N/A

System Location Discovery: System Language Discovery

discovery

Key opened
  Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:   C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
  Target:    N/A

Key opened
  Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:   C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
  Target:    N/A

Key opened
  Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process:   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
  Target:    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\715fe05b0bdce41a6c1997a99cac8b9d2ae7072c612faf7bc25f2a49145817d1N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53            217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa      udp
RU       185.161.248.73:4164   -                               tcp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            196.249.167.52.in-addr.arpa     udp
RU       185.161.248.73:4164   -                               tcp
US       8.8.8.8:53            56.163.245.4.in-addr.arpa       udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa    udp
RU       185.161.248.73:4164   -                               tcp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa        udp
RU       185.161.248.73:4164   -                               tcp
US       8.8.8.8:53            11.227.111.52.in-addr.arpa      udp
RU       185.161.248.73:4164   -                               tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i08177316.exe

MD5     ee33710c8057acb64e9ca7c1f9e07673
SHA1    2b06e4119398dd8f16674341e5adf95ba9f70375
SHA256  28a46b6b121e238b2c07f77a4281c23fe21d24fa8e3561647f3f681386ded443
SHA512  2d379c140ca31aebc88627cb45535eb11678e0548ecc07b6d49dc3e3c8fe611e9121e60283aa7a0f3adc340430edac5957b5738cc3ae81796843aeafd5df17dc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a79313029.exe

MD5     b9dbcf7dc0ebc9b366d7f0c3f1bc1f61
SHA1    04ccea00069151a3dd221b7e9acdcdff642a0e14
SHA256  9d10117658b96e7f6245411deab4faee01910d330722bde839f39b57436d020e
SHA512  291d302bad96d6ebefe769490f6c966bd96d4478a63fc8c7462c6d7bfb415929cfc74d6fd19bb63ced349543b812076cb7f6ead37dd26b5ed444126025b3a7f5

memory/5116-14-0x0000000073D2E000-0x0000000073D2F000-memory.dmp
memory/5116-15-0x0000000000630000-0x0000000000660000-memory.dmp
memory/5116-16-0x0000000002A00000-0x0000000002A06000-memory.dmp
memory/5116-17-0x000000000AAC0000-0x000000000B0D8000-memory.dmp
memory/5116-18-0x000000000A5E0000-0x000000000A6EA000-memory.dmp
memory/5116-19-0x000000000A510000-0x000000000A522000-memory.dmp
memory/5116-20-0x0000000073D20000-0x00000000744D0000-memory.dmp
memory/5116-21-0x000000000A570000-0x000000000A5AC000-memory.dmp
memory/5116-22-0x00000000028C0000-0x000000000290C000-memory.dmp
memory/5116-23-0x0000000073D2E000-0x0000000073D2F000-memory.dmp
memory/5116-24-0x0000000073D20000-0x00000000744D0000-memory.dmp