Analysis
max time kernel: 131s
max time network: 141s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: 239e28b7742336ebc33d4011a46c874a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 239e28b7742336ebc33d4011a46c874a.exe
  Resource: win10v2004-20231222-en
General
Target: 239e28b7742336ebc33d4011a46c874a.exe
Size: 2.3MB
MD5: 239e28b7742336ebc33d4011a46c874a
SHA1: b0f7ae20e722a16dd44375f73a86e333e28ed345
SHA256: 0ed0168c8ab57e3000bf92fcd68ac6fcba00a522a80cb6297f29c9f280508bdb
SHA512: 4dfe0354cfe5a0529a27da868caa7f806696f0b2c7094cfde08fc39b4c3d6ccfbbcded9e776c1fcc2aff141dbd63c234f59c49f657ee32218d23db5caab85b7a
SSDEEP: 49152:NNYkhDviE3uSnxQT7w8ckmNMrwo8Ydxiz8lVHTIioOFZQ+q:NNfvGSxQXw8xrwAxiqZ7q
Malware Config
Extracted
Family: redline
Botnet: @Devil11fd
C2: 95.217.159.87:4348
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
  resource: behavioral1/memory/2984-78-0x0000000000A10000-0x0000000000A2E000-memory.dmp, yara_rule: family_redline
SectopRAT payload (1 IoC)
  resource: behavioral1/memory/2984-78-0x0000000000A10000-0x0000000000A2E000-memory.dmp, yara_rule: family_sectoprat
Executes dropped EXE (9 IoCs)
  pid / Process: 2268 7z.exe, 2632 7z.exe, 2528 7z.exe, 2700 7z.exe, 2460 7z.exe, 2476 7z.exe, 2484 7z.exe, 2968 7z.exe, 2984 @Devil11fd.exe
Loads dropped DLL (16 IoCs)
  pid / Process: 1348 cmd.exe (8 entries); 2268 7z.exe; 2632 7z.exe; 2528 7z.exe; 2700 7z.exe; 2460 7z.exe; 2476 7z.exe; 2484 7z.exe; 2968 7z.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  pid / Process: 2984 @Devil11fd.exe
Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Each 7z.exe instance (pids 2268, 2632, 2528, 2700, 2460, 2476, 2484, 2968): Token: SeRestorePrivilege; Token: 35; Token: SeSecurityPrivilege (2 entries)
  2984 @Devil11fd.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (38 IoCs)
  description / pid / Process / procid_target:
  PID 3036 wrote to memory of 1348 (3036 239e28b7742336ebc33d4011a46c874a.exe, procid_target 31), 4 entries
  PID 1348 wrote to memory of 1156 (1348 cmd.exe, procid_target 29), 3 entries
  PID 1348 wrote to memory of 2268 (1348 cmd.exe, procid_target 28), 3 entries
  PID 1348 wrote to memory of 2632 (1348 cmd.exe, procid_target 27), 3 entries
  PID 1348 wrote to memory of 2528 (1348 cmd.exe, procid_target 26), 3 entries
  PID 1348 wrote to memory of 2700 (1348 cmd.exe, procid_target 25), 3 entries
  PID 1348 wrote to memory of 2460 (1348 cmd.exe, procid_target 24), 3 entries
  PID 1348 wrote to memory of 2476 (1348 cmd.exe, procid_target 23), 3 entries
  PID 1348 wrote to memory of 2484 (1348 cmd.exe, procid_target 22), 3 entries
  PID 1348 wrote to memory of 2968 (1348 cmd.exe, procid_target 21), 3 entries
  PID 1348 wrote to memory of 2980 (1348 cmd.exe, procid_target 20), 3 entries
  PID 1348 wrote to memory of 2984 (1348 cmd.exe, procid_target 19), 4 entries
Views/modifies file attributes (1 TTP, 1 IoC)
  pid / Process: 2980 attrib.exe
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3036
[level 2] C:\Windows\system32\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 1348
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe
  Command line: "@Devil11fd.exe""
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 2984
[level 1] C:\Windows\system32\attrib.exe
  Command line: attrib +H "@Devil11fd.exe""
  - Views/modifies file attributes
  PID: 2980
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_1.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2968
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_2.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2484
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_3.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2476
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_4.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2460
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_5.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2700
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_6.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2528
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e extracted/file_7.zip -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2632
[level 1] C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
  Command line: 7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID: 2268
[level 1] C:\Windows\system32\mode.com
  Command line: mode 65,10
  PID: 1156
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
  MD5: f645f61ee6bee0b933d0d07791cec8c6
  SHA1: 0f81ec2033cdd31b728d38d6f0cc20faf4567721
  SHA256: 3d0faf25fe3b9fe9b0697023440ec0e02593c3e2042be705f9daa8d7e811c49c
  SHA512: 6c957070623abeaf7f71a0aef772e57e0d3489d7050b8d4a1d2989df633309fe162b5a190b40be032403d36916d8c52a48e4aa286417a1b70b37b0f6690075c2
Filesize: 509B
  MD5: 4cadea2b9bf36bc49ae71bfb62ebb4ab
  SHA1: 846fba69050f0d72be7f57d0824573e04570351b
  SHA256: 7bab88133b6225ba2ced1b7af6c996777065e2d57024fd9b2075e08d53aa3402
  SHA512: 61b53d9220a2b9994b5ccbb7e0e6fc636064718a12817f68c671a592a21b8bc126d128ee3b42d1e0aab8b20d92fced85c807b005afd82013606cfb23b57dc301