Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    22/05/2023, 18:31

General

  • Target

    ElectronicDepositCopypdf.exe

  • Size

    1.8MB

  • MD5

    f252f506f84914c3886e791dc984c9e0

  • SHA1

    62dab96df46604f04cd14ee24f27e32840809722

  • SHA256

    055e57a625038b3082161f3e2148a5fafc6f767298cd9ae67f5c1cac9ab71dad

  • SHA512

    90ae68bfb3ceacd5fa86ed784f3f3ea5f809b703ac35e041adb336eb813bef953421b36b6e7ad77b5c3b2d7a21dd5f975f3c4891a17d7fd1502c60320d73ccb6

  • SSDEEP

    6144:cG5aR292nLhb3ZDcJbmiRBAOb9W4YbPg02ytpRlt:vaR2knLhJWBvWxMFAXlt

Malware Config

Extracted

  • Family
    redline
  • Botnet
    4
  • C2
    147.124.217.33:22650

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ElectronicDepositCopypdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ElectronicDepositCopypdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 36
      2⤵
      • Program crash
      PID:920

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp85EC.tmp

    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • C:\Users\Admin\AppData\Local\Temp\tmp8611.tmp

    Filesize

    92KB

    MD5

    69b8d13c4e4ec564e98ce44cf52a904e

    SHA1

    299f30cf457794a5310b3604ce074c46b7dba353

    SHA256

    d1dadcd3e1ed1693374068e92062c18d9136295d7b4685f6e564e92242a21905

    SHA512

    4bf2906b5dc87483f479de4a4a180193085e35a615f537c2900498b40a90d7f1af81a7dfb79182dd8793b9fda51dc210834cc2cdacdac34f73f19344c505096c

  • memory/1512-54-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1512-55-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1512-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1512-61-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1512-62-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/1512-63-0x00000000004D0000-0x0000000000510000-memory.dmp

    Filesize

    256KB