Overview
Score  Task                   Platform
6      Static                 static
1      IGG-REDCON...02.dll    windows7-x64
1      IGG-REDCON...02.dll    windows10-2004-x64
1      IGG-REDCON...02.exe    windows7-x64
1      IGG-REDCON...02.exe    windows10-2004-x64
1      IGG-REDCON...CO.url    windows7-x64
6      IGG-REDCON...CO.url    windows10-2004-x64
3      IGG-REDCON...OM.url    windows7-x64
1      IGG-REDCON...OM.url    windows10-2004-x64
4      IGG-REDCON...ER.exe    windows7-x64
6      IGG-REDCON...ER.exe    windows10-2004-x64
6      IGG-REDCON...on.exe    windows7-x64
1      IGG-REDCON...on.exe    windows10-2004-x64
1      IGG-REDCON...mu.dll    windows7-x64
1      IGG-REDCON...mu.dll    windows10-2004-x64
1      IGG-REDCON...ll.dll    windows7-x64
3      IGG-REDCON...ll.dll    windows10-2004-x64
3      IGG-REDCON...64.dll    windows7-x64
3      IGG-REDCON...64.dll    windows10-2004-x64
3      IGG-REDCON...ay.dll    windows7-x64
1      IGG-REDCON...ay.dll    windows10-2004-x64
3      IGG-REDCON...ay.dll    windows7-x64
1      IGG-REDCON...ay.dll    windows10-2004-x64
3      IGG-REDCON...64.dll    windows7-x64
1      IGG-REDCON...64.dll    windows10-2004-x64
1      IGG-REDCON...lp.dll    windows7-x64
1      IGG-REDCON...lp.dll    windows10-2004-x64
1      IGG-REDCON...10.dll    windows7-x64
3      IGG-REDCON...10.dll    windows10-2004-x64
3      IGG-REDCON...10.dll    windows7-x64
3      IGG-REDCON...10.dll    windows10-2004-x64
Analysis
- max time kernel: 58s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 23:09
Task             Sample                                                        Resource
static1          (static analysis)                                             -
behavioral1      IGG-REDCON.v1.3.0/CrashRpt1402.dll                            win7-20230220-en
behavioral2      IGG-REDCON.v1.3.0/CrashRpt1402.dll                            win10v2004-20230220-en
behavioral3      IGG-REDCON.v1.3.0/CrashSender1402.exe                         win7-20230220-en
behavioral4      IGG-REDCON.v1.3.0/CrashSender1402.exe                         win10v2004-20230220-en
behavioral5      IGG-REDCON.v1.3.0/GAMESTORRENT.CO.url                         win7-20230220-en
behavioral6      IGG-REDCON.v1.3.0/GAMESTORRENT.CO.url                         win10v2004-20230220-en
behavioral7      IGG-REDCON.v1.3.0/IGG-GAMES.COM.url                           win7-20230220-en
behavioral8      IGG-REDCON.v1.3.0/IGG-GAMES.COM.url                           win10v2004-20230220-en
behavioral9      IGG-REDCON.v1.3.0/LAUNCHER.exe                                win7-20230220-en
behavioral10     IGG-REDCON.v1.3.0/LAUNCHER.exe                                win10v2004-20230220-en
behavioral11     IGG-REDCON.v1.3.0/Redcon.exe                                  win7-20230220-en
behavioral12     IGG-REDCON.v1.3.0/Redcon.exe                                  win10v2004-20230220-en
behavioral13     IGG-REDCON.v1.3.0/SmartSteamEmu.dll                           win7-20230220-en
behavioral14     IGG-REDCON.v1.3.0/SmartSteamEmu.dll                           win10v2004-20230220-en
behavioral15     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/SSEFirewall.dll       win7-20230220-en
behavioral16     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/SSEFirewall.dll       win10v2004-20230220-en
behavioral17     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/SSEFirewall64.dll     win7-20230220-en
behavioral18     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/SSEFirewall64.dll     win10v2004-20230220-en
behavioral19     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/x64/SSEOverlay.dll    win7-20230220-en
behavioral20     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/x64/SSEOverlay.dll    win10v2004-20230220-en
behavioral21     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/x86/SSEOverlay.dll    win7-20230220-en
behavioral22     IGG-REDCON.v1.3.0/SmartSteamEmu/Plugins/x86/SSEOverlay.dll    win10v2004-20230220-en
behavioral23     IGG-REDCON.v1.3.0/SmartSteamEmu64.dll                         win7-20230220-en
behavioral24     IGG-REDCON.v1.3.0/SmartSteamEmu64.dll                         win10v2004-20230220-en
behavioral25     IGG-REDCON.v1.3.0/dbghelp.dll                                 win7-20230220-en
behavioral26     IGG-REDCON.v1.3.0/dbghelp.dll                                 win10v2004-20230221-en
behavioral27     IGG-REDCON.v1.3.0/msvcp110.dll                                win7-20230220-en
behavioral28     IGG-REDCON.v1.3.0/msvcp110.dll                                win10v2004-20230220-en
behavioral29     IGG-REDCON.v1.3.0/msvcr110.dll                                win7-20230220-en
behavioral30     IGG-REDCON.v1.3.0/msvcr110.dll                                win10v2004-20230220-en
General
- Target: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Size: 227KB
- MD5: 2f4a7fff291d215c42782b66dbbdc28f
- SHA1: ac6ffdf41e531308358ff621422df2e879c4ae55
- SHA256: 81670b11a1848fdfa52c3dc72d0c80086ab94a52386498f9014fc7010bd69d2f
- SHA512: 0425cfdbc3ddf53cebfc8983980f909161ee9ddb64131e9cb75f7a096fedeca2714cef3ada8d76e6c6e8fa1a9a79868fec6af53f15b7d9296ff51ff6d0a4f8b6
- SSDEEP: 3072:MGtleufyNONL4MdzNOY4jb1pQFhHKPtOHO6VrVPoVJtCbhVPoVJtCbFyf:DtleuqKEYUYQyHHKPtOHRWehWeQ
Malware Config
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     api.ipify.org
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: Redcon.exe, rundll32.exe
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  Redcon.exe
    File opened for modification  \??\PhysicalDrive0  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes: Redcon.exe, rundll32.exe, CrashSender1402.exe
    pid   process              entries
    1816  Redcon.exe           11
    364   rundll32.exe         9
    1644  CrashSender1402.exe  6
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: AUDIODG.EXE, CrashSender1402.exe
    description                        pid   process
    Token: 33                          1616  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1616  AUDIODG.EXE
    Token: 33                          1616  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege  1616  AUDIODG.EXE
    Token: SeDebugPrivilege            1644  CrashSender1402.exe
    Token: SeShutdownPrivilege         1644  CrashSender1402.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: Redcon.exe
    pid   process
    1816  Redcon.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: LAUNCHER.exe, Redcon.exe
    description                       pid   process       target process       entries
    PID 1856 wrote to memory of 1816  1856  LAUNCHER.exe  Redcon.exe           7
    PID 1816 wrote to memory of 364   1816  Redcon.exe    rundll32.exe         7
    PID 1816 wrote to memory of 1644  1816  Redcon.exe    CrashSender1402.exe  7
Processes
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu.dll",InitSSE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\CrashSender1402.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\CrashSender1402.exe" "e59ff213-76f6-43f3-a11d-c241480265ca"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x578
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu\Plugins\SSEOverlay.ini
  Filesize: 34B
  MD5: 480005b54033d978380bff940142462d
  SHA1: e84e358f9c806852d2c3a54f98a85c35754c21e9
  SHA256: 546bde00c0b7a1df06d6dc2d2e47c32a2bcc7df94b0025685b71e321acf07f0d
  SHA512: a517dcf5958ae24c2c1dcd89a7a5383673df68767932aba64348ad619b060eac12973054811534dc9963c89f553f2d366a212f35548b05503a936208f1badc61
- memory/364-66-0x00000000001A0000-0x00000000001B0000-memory.dmp
  Filesize: 64KB
- memory/1644-69-0x0000000000210000-0x0000000000211000-memory.dmp
  Filesize: 4KB
- memory/1816-54-0x00000000000C0000-0x00000000000D0000-memory.dmp
  Filesize: 64KB
- memory/1816-56-0x0000000000230000-0x0000000000240000-memory.dmp
  Filesize: 64KB