Analysis
- max time kernel: 60s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 31-03-2023 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Resource: win10v2004-20230220-en
General
- Target: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Size: 227KB
- MD5: 2f4a7fff291d215c42782b66dbbdc28f
- SHA1: ac6ffdf41e531308358ff621422df2e879c4ae55
- SHA256: 81670b11a1848fdfa52c3dc72d0c80086ab94a52386498f9014fc7010bd69d2f
- SHA512: 0425cfdbc3ddf53cebfc8983980f909161ee9ddb64131e9cb75f7a096fedeca2714cef3ada8d76e6c6e8fa1a9a79868fec6af53f15b7d9296ff51ff6d0a4f8b6
- SSDEEP: 3072:MGtleufyNONL4MdzNOY4jb1pQFhHKPtOHO6VrVPoVJtCbhVPoVJtCbFyf:DtleuqKEYUYQyHHKPtOHRWehWeQ
Malware Config
Signatures
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
1      api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Redcon.exe, rundll32.exe
description                     ioc                  process
File opened for modification    \??\PhysicalDrive0   Redcon.exe
File opened for modification    \??\PhysicalDrive0   rundll32.exe
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes: Redcon.exe, rundll32.exe, CrashSender1402.exe
pid    process               entries
1200   Redcon.exe            11
1348   rundll32.exe          9
1872   CrashSender1402.exe   6
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: AUDIODG.EXE, CrashSender1402.exe
description                          pid    process
Token: 33                            896    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    896    AUDIODG.EXE
Token: 33                            896    AUDIODG.EXE
Token: SeIncBasePriorityPrivilege    896    AUDIODG.EXE
Token: SeDebugPrivilege              1872   CrashSender1402.exe
Token: SeShutdownPrivilege           1872   CrashSender1402.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: Redcon.exe
pid    process
1200   Redcon.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: LAUNCHER.exe, Redcon.exe
description                         pid    process        target process        entries
PID 1768 wrote to memory of 1200    1768   LAUNCHER.exe   Redcon.exe            7
PID 1200 wrote to memory of 1348    1200   Redcon.exe     rundll32.exe          7
PID 1200 wrote to memory of 1872    1200   Redcon.exe     CrashSender1402.exe   7
Processes
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu.dll",InitSSE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\CrashSender1402.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\CrashSender1402.exe" "433d7b8d-51d7-42df-a2ce-05a489d9c192"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x558
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu\Plugins\SSEOverlay.ini
  Filesize: 34B
  MD5: 480005b54033d978380bff940142462d
  SHA1: e84e358f9c806852d2c3a54f98a85c35754c21e9
  SHA256: 546bde00c0b7a1df06d6dc2d2e47c32a2bcc7df94b0025685b71e321acf07f0d
  SHA512: a517dcf5958ae24c2c1dcd89a7a5383673df68767932aba64348ad619b060eac12973054811534dc9963c89f553f2d366a212f35548b05503a936208f1badc61
- memory/1200-55-0x0000000000130000-0x0000000000140000-memory.dmp
  Filesize: 64KB
- memory/1200-56-0x0000000000170000-0x0000000000180000-memory.dmp
  Filesize: 64KB
- memory/1348-72-0x00000000001C0000-0x00000000001D0000-memory.dmp
  Filesize: 64KB
- memory/1872-75-0x0000000000190000-0x0000000000191000-memory.dmp
  Filesize: 4KB