Analysis
- Max time kernel: 143s
- Max time network: 96s
- Platform: windows7_x64
- Resource: win7-20230220-en
- Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- Submitted: 18-03-2023 20:58
- Static task: static1
- Behavioral task: behavioral1 (sample: redit.exe, resource: win7-20230220-en, 5 signatures, 150 seconds)
General
- Target: redit.exe
- Size: 402KB
- MD5: 7a07a5960a95b97a88558b9d95c8d242
- SHA1: 46c4850a9a75adf910c80507849a9329dbe861a4
- SHA256: 8ec28be6df1f0523887eb852fb19658b34bbeaf21c525be090666dd55b470a13
- SHA512: c9282552cf6be663afbd6d0f4abd19301146836b00cb502c094d0ed3eb8b6b7d7fcaf105ab1ff6b4a8745749982f56a1d486b51ce29d6c08f9daaf7643114139
- SSDEEP: 3072:PI/YQk4jV9/QazsdKCj7/2oDnbA6I9Drxi6NxTY9qo+v5YFj7/2oDnbA6I9Drxiv:kPHnrsdKCWqn3win97PWqn3win97DZ
Malware Config (extracted)
- Family: systembc
- C2: 212.118.36.165:4193
- C2: 46.151.26.42:4193
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 1472 (redit.exe) set thread context of PID 584 (redit.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1472 (redit.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1472 (redit.exe)
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1472 (redit.exe) wrote to memory of PID 584 (redit.exe), 5 separate writes

Read together, these events show the first redit.exe (PID 1472) spawning a second copy of its own image (PID 584), writing into it five times and then resetting a thread context in it: the API sequence consistent with process hollowing, where the unpacked SystemBC payload is run inside the child rather than in the original image.
Processes
- C:\Users\Admin\AppData\Local\Temp\redit.exe (PID 1472, depth 1), command line "C:\Users\Admin\AppData\Local\Temp\redit.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\redit.exe (PID 584, depth 2), command line "C:\Users\Admin\AppData\Local\Temp\redit.exe"
Network
MITRE ATT&CK Matrix
Downloads (memory dumps)
- memory/584-94-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/584-96-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/584-98-0x0000000000400000-0x0000000000408000-memory.dmp: 32KB
- memory/584-100-0x0000000000240000-0x0000000000241000-memory.dmp: 4KB
- memory/584-101-0x0000000000400000-0x0000000000406000-memory.dmp: 24KB
- memory/1472-87-0x00000000002C0000-0x00000000002C1000-memory.dmp: 4KB
- memory/1472-99-0x00000000002F0000-0x00000000002F4000-memory.dmp: 16KB
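The Signatures section lists the raw API events and the Downloads section lists the regions the sandbox dumped; neither states the verdict a responder wants, which is whether one process both wrote into another and reset a thread in it, and whether the child's image base was remapped. The script below is an added example, not part of the report and not the sandbox's own signature engine: it correlates the event lines into a per-(source, target) hollowing finding and flags any dumped base address that reappears with a different size. The event lines and dump names are constructed from the sections above, and the line layouts it parses are an assumption about that flattened text, not a documented export format.

```python
"""Correlate flattened sandbox report lines into a hollowing verdict.

Added example; not part of the sandbox report and not the sandbox's own
signature engine. The line formats parsed here are assumptions about the
flattened report text, not a documented export format.
"""
import re
from collections import defaultdict

# Constructed input: the six behavioural events from the Signatures section.
BEHAVIOUR = """\
PID 1472 set thread context of 584 1472 redit.exe redit.exe
PID 1472 wrote to memory of 584 1472 redit.exe redit.exe
PID 1472 wrote to memory of 584 1472 redit.exe redit.exe
PID 1472 wrote to memory of 584 1472 redit.exe redit.exe
PID 1472 wrote to memory of 584 1472 redit.exe redit.exe
PID 1472 wrote to memory of 584 1472 redit.exe redit.exe
"""

# Constructed input: the memory dump names from the Downloads section.
DUMPS = """\
memory/584-94-0x0000000000400000-0x0000000000408000-memory.dmp
memory/584-96-0x0000000000400000-0x0000000000408000-memory.dmp
memory/584-98-0x0000000000400000-0x0000000000408000-memory.dmp
memory/584-100-0x0000000000240000-0x0000000000241000-memory.dmp
memory/584-101-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1472-87-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/1472-99-0x00000000002F0000-0x00000000002F4000-memory.dmp
"""

# Assumed layout: "PID <src> <verb> <dst> <src> <src image> <dst image>".
EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)"
)
# Assumed layout: "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp".
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_events(text):
    """Turn the flattened event lines into dicts with integer PIDs."""
    return [
        {
            "src": int(m["src"]),
            "dst": int(m["dst"]),
            "verb": m["verb"],
            "src_img": m["src_img"],
            "dst_img": m["dst_img"],
        }
        for m in EVENT_RE.finditer(text)
    ]


def find_hollowing(events):
    """Flag every (src, dst) pair where one process both wrote into another
    and reset one of its threads' contexts: the API pair hollowing needs.
    Each finding records whether the target runs the same image as the
    writer, which is what makes a self-injection like this one stand out."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "imgs": None})
    for e in events:
        if e["src"] == e["dst"]:
            continue  # a process touching itself is not remote injection
        p = pairs[(e["src"], e["dst"])]
        p["imgs"] = (e["src_img"], e["dst_img"])
        if e["verb"].startswith("wrote"):
            p["writes"] += 1
        else:
            p["ctx"] += 1
    return [
        {
            "src": src,
            "dst": dst,
            "writes": p["writes"],
            "same_image": p["imgs"][0] == p["imgs"][1],
        }
        for (src, dst), p in sorted(pairs.items())
        if p["writes"] and p["ctx"]
    ]


def remapped_regions(dump_text):
    """Return {(pid, base): [sizes]} for every base address that was dumped
    with more than one size. The same base reappearing with a different
    size is consistent with the original image being unmapped and replaced."""
    sizes = defaultdict(set)
    for m in DUMP_RE.finditer(dump_text):
        base = int(m["start"], 16)
        sizes[(int(m["pid"]), base)].add(int(m["end"], 16) - base)
    return {k: sorted(v) for k, v in sizes.items() if len(v) > 1}


if __name__ == "__main__":
    for f in find_hollowing(parse_events(BEHAVIOUR)):
        print(f"PID {f['src']} -> PID {f['dst']}: {f['writes']} writes + "
              f"SetThreadContext, same image: {f['same_image']}")
    for (pid, base), s in remapped_regions(DUMPS).items():
        print(f"PID {pid} region 0x{base:X} dumped with sizes "
              f"{[hex(x) for x in s]}")
```

On this report the script yields one finding, PID 1472 into PID 584 with five writes and a matching image name, and one remapped region, base 0x400000 in PID 584 dumped first at 0x8000 bytes and later at 0x6000 bytes. The MapViewOfSection and SetWindowsHookEx events are deliberately not scored: on their own they are common in benign software, and the write-plus-context-reset pair is the signal worth alerting on.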