Analysis
- max time kernel: 59s
- max time network: 64s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 23:15
Static task: static1
Behavioral task: behavioral1
- Sample: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Resource: win10v2004-20230220-en
General
- Target: IGG-REDCON.v1.3.0/LAUNCHER.exe
- Size: 227KB
- MD5: 2f4a7fff291d215c42782b66dbbdc28f
- SHA1: ac6ffdf41e531308358ff621422df2e879c4ae55
- SHA256: 81670b11a1848fdfa52c3dc72d0c80086ab94a52386498f9014fc7010bd69d2f
- SHA512: 0425cfdbc3ddf53cebfc8983980f909161ee9ddb64131e9cb75f7a096fedeca2714cef3ada8d76e6c6e8fa1a9a79868fec6af53f15b7d9296ff51ff6d0a4f8b6
- SSDEEP: 3072:MGtleufyNONL4MdzNOY4jb1pQFhHKPtOHO6VrVPoVJtCbhVPoVJtCbFyf:DtleuqKEYUYQyHHKPtOHRWehWeQ
Signatures
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    15 | api.ipify.org
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: Redcon.exe, rundll32.exe
    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | Redcon.exe
    File opened for modification | \??\PhysicalDrive0 | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (28 IoCs)
  Processes: Redcon.exe, rundll32.exe
    pid | process
    972 | Redcon.exe (19 entries)
    2476 | rundll32.exe (9 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Redcon.exe
    pid | process
    972 | Redcon.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AUDIODG.EXE
    description | pid | process
    Token: 33 | 3772 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 3772 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: Redcon.exe
    pid | process
    972 | Redcon.exe (3 entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: LAUNCHER.exe, Redcon.exe
    description | pid | process | target process
    PID 2160 wrote to memory of 972 | 2160 | LAUNCHER.exe | Redcon.exe (3 entries)
    PID 972 wrote to memory of 2476 | 972 | Redcon.exe | rundll32.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\LAUNCHER.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\Redcon.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu.dll",InitSSE
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x468
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\IGG-REDCON.v1.3.0\SmartSteamEmu\Plugins\SSEOverlay.ini
  Filesize: 34B
  MD5: 480005b54033d978380bff940142462d
  SHA1: e84e358f9c806852d2c3a54f98a85c35754c21e9
  SHA256: 546bde00c0b7a1df06d6dc2d2e47c32a2bcc7df94b0025685b71e321acf07f0d
  SHA512: a517dcf5958ae24c2c1dcd89a7a5383673df68767932aba64348ad619b060eac12973054811534dc9963c89f553f2d366a212f35548b05503a936208f1badc61
- memory/972-134-0x0000000001310000-0x0000000001320000-memory.dmp
  Filesize: 64KB
- memory/972-145-0x0000000003390000-0x00000000033A0000-memory.dmp
  Filesize: 64KB
- memory/2476-146-0x0000000002BF0000-0x0000000002C00000-memory.dmp
  Filesize: 64KB