Malware Analysis Report

2024-12-07 03:36

Sample ID: 241118-ne4lkswbml
Target: 5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe
SHA256: 5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793
Tags: redline fusa discovery infostealer persistence
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793
Threat Level: Known bad

The file 5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe was found to be: Known bad.

Malicious Activity Summary

redline fusa discovery infostealer persistence

RedLine

RedLine payload

Redline family

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-18 11:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-18 11:19
Reported: 2024-11-18 11:21
Platform: win10v2004-20241007-en
Max time kernel: 107s
Max time network: 116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4728 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe
PID 4728 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe
PID 4728 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe
PID 1248 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe
PID 1248 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe
PID 1248 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe
PID 464 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe
PID 464 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe
PID 464 wrote to memory of 1000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5c3af2a9e1a953b8c03c97c7d23ad794d5fb0e8a035cac95da321d7055b16793.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp
RU | 193.233.20.12:4132 | | tcp
RU | 193.233.20.12:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sCO76Bu.exe
MD5: 5fbb0d79cae435900f7d06218a74f909
SHA1: bc5cb3a5494517bae48680b5d8fa9a2baee0cebf
SHA256: e7ae48923118e31efc26db6344a84b886b0243b3e8413eb754098666c165fe06
SHA512: da3b821649f560de0253cbd7671c833a5f54d9b23d6033bbaab6296b9e35b99bf01ba13e7de3713bd9f20dd84feb13e94aba79bd46adee8f58be18c27be48fb5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\seO45bO.exe
MD5: 972f3c99da86f0b6d6daf95e4e0154bf
SHA1: bfd0c1dc555f6b2855d9996d6d51e64237a5b574
SHA256: c6f54c0ef99683f74c00dde1eeb01ec8b4d68bd5ad1f72f1cbc269b20f9b1f5c
SHA512: ceae51f7eee96e33bc7393d9ab465037f637d6f298a640a571d2aa777be38865adb91362d376b01cfa437100cb4c2f5450372c5a07f1de6573efcdcf07201cbb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kMj13yz.exe
MD5: da6f3bef8abc85bd09f50783059964e3
SHA1: a0f25f60ec1896c4c920ea397f40e6ce29724322
SHA256: e6d9ee8ab0ea2ade6e5a9481d8f0f921427ec6919b1b48c6067570fde270736b
SHA512: 4d2e1472b114c98c74900b8305aabbc49ba28edffdc2376206cf02e26593df4e444933b3aa19f0c6cd0ae3ac3133d656433574aaf25a57748758e5dd25edfbec

Memory dumps:
memory/1000-21-0x00000000006C0000-0x00000000006F2000-memory.dmp
memory/1000-22-0x0000000005620000-0x0000000005C38000-memory.dmp
memory/1000-23-0x00000000051A0000-0x00000000052AA000-memory.dmp
memory/1000-24-0x00000000050D0000-0x00000000050E2000-memory.dmp
memory/1000-25-0x00000000052B0000-0x00000000052EC000-memory.dmp
memory/1000-26-0x0000000005130000-0x000000000517C000-memory.dmp