Analysis

  • max time kernel
    131s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231129-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25/12/2023, 13:57

General

  • Target

    239e28b7742336ebc33d4011a46c874a.exe

  • Size

    2.3MB

  • MD5

    239e28b7742336ebc33d4011a46c874a

  • SHA1

    b0f7ae20e722a16dd44375f73a86e333e28ed345

  • SHA256

    0ed0168c8ab57e3000bf92fcd68ac6fcba00a522a80cb6297f29c9f280508bdb

  • SHA512

    4dfe0354cfe5a0529a27da868caa7f806696f0b2c7094cfde08fc39b4c3d6ccfbbcded9e776c1fcc2aff141dbd63c234f59c49f657ee32218d23db5caab85b7a

  • SSDEEP

    49152:NNYkhDviE3uSnxQT7w8ckmNMrwo8Ydxiz8lVHTIioOFZQ+q:NNfvGSxQXw8xrwAxiqZ7q

Malware Config

Extracted

Family

redline

Botnet

@Devil11fd

C2

95.217.159.87:4348

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe
    "C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1348
  • C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe
    "@Devil11fd.exe"""
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: CmdExeWriteProcessMemorySpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2984
  • C:\Windows\system32\attrib.exe
    attrib +H "@Devil11fd.exe"""
    1⤵
    • Views/modifies file attributes
    PID:2980
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2968
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2476
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2460
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2700
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2528
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
    7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2268
  • C:\Windows\system32\mode.com
    mode 65,10
    1⤵
    PID:1156
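The process tree above is the whole story of this sample: the dropper writes a `ready\` folder to %TEMP%, `cmd.exe` runs `main.bat` from it, a bundled `7z.exe` extracts a password-protected `file.zip` (the password is passed on the command line with `-p`) and then seven nested zips, the RedLine payload `@Devil11fd.exe` is started, and `attrib +H` hides it. The following is an added triage script, not part of the sandbox report: it replays a few of the report's command lines (constructed here by hand, with the PIDs shown above) through heuristics a responder would run over process-creation telemetry, and pulls the archive password out of the 7-Zip command line so the payload can be unpacked offline. The event field names `pid`, `image` and `cmdline` are an assumption, not any particular sandbox's export format.

```python
"""Triage heuristics for a dropper chain of the kind shown above.

Added example, not code from the sandbox report or the RedLine family.
Events are constructed from the report's Processes section.
"""
import re
from typing import Dict, Iterable, List

# Constructed from the report's process tree (PIDs and command lines as shown).
EVENTS = [
    {"pid": 3036,
     "image": r"C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"'},
    {"pid": 1348, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"'},
    {"pid": 2984, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe",
     "cmdline": '"@Devil11fd.exe"""'},
    {"pid": 2980, "image": r"C:\Windows\system32\attrib.exe",
     "cmdline": 'attrib +H "@Devil11fd.exe"""'},
    {"pid": 2268, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\7z.exe",
     "cmdline": "7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted"},
    {"pid": 2968, "image": r"C:\Users\Admin\AppData\Local\Temp\ready\7z.exe",
     "cmdline": "7z.exe e extracted/file_1.zip -oextracted"},
    {"pid": 1156, "image": r"C:\Windows\system32\mode.com", "cmdline": "mode 65,10"},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A PE launched from a *subdirectory* of %TEMP%. The submitted sample sits
# directly in Temp, so this only matches what the sample itself dropped.
DROPPED_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\\.+\.exe$", re.IGNORECASE)
# 7-Zip takes the password glued to the switch: -pSECRET (no space).
SEVENZIP_PWD_RE = re.compile(r"(?:^|\s)-p(\S+)")
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matched heuristic: {pid, rule, detail}."""
    findings = []
    for ev in events:
        img, cmd, name = ev["image"], ev["cmdline"], basename(ev["image"])
        # cmd.exe executing a batch file that lives under %TEMP%
        if name == "cmd.exe" and re.search(r"\.bat\b", cmd, re.I) and TEMP_RE.search(cmd):
            findings.append({"pid": ev["pid"], "rule": "cmd_runs_bat_from_temp", "detail": cmd})
        # A bundled archiver running from %TEMP%; record any -p password it was given
        if name in ARCHIVERS and TEMP_RE.search(img):
            m = SEVENZIP_PWD_RE.search(cmd)
            findings.append({"pid": ev["pid"], "rule": "archiver_dropped_in_temp",
                             "detail": m.group(1) if m else ""})
        # attrib.exe setting the Hidden attribute on an executable
        if name == "attrib.exe" and re.search(r"(?:^|\s)\+h\b", cmd, re.I) \
                and re.search(r"\.exe\b", cmd, re.I):
            findings.append({"pid": ev["pid"], "rule": "attrib_hides_executable", "detail": cmd})
        # Any other PE started from a Temp subfolder (the archiver has its own rule)
        if DROPPED_EXE_RE.search(img) and name not in ARCHIVERS:
            findings.append({"pid": ev["pid"], "rule": "exe_from_temp_subdir", "detail": img})
    return findings


def extraction_passwords(events: Iterable[Dict]) -> List[str]:
    """Passwords passed to the archiver, so the dropped zip can be opened offline."""
    pwds = {f["detail"] for f in triage(events)
            if f["rule"] == "archiver_dropped_in_temp" and f["detail"]}
    return sorted(pwds)


def rule_counts(findings: Iterable[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f['pid']:<5} {f['rule']:<26} {f['detail']}")
    print("archive passwords:", extraction_passwords(EVENTS))
```

Each heuristic on its own is noisy (installers also unpack archives in %TEMP%), which is why the script reports them together per tree rather than alerting on any single hit; three or more distinct rules firing within one parent chain is the shape worth paging on. The recovered `-p` value is the piece an analyst actually needs from this report, since without it the dropped `file.zip` cannot be unpacked for static analysis.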

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ready\file.bin

            Filesize

            92KB

            MD5

            f645f61ee6bee0b933d0d07791cec8c6

            SHA1

            0f81ec2033cdd31b728d38d6f0cc20faf4567721

            SHA256

            3d0faf25fe3b9fe9b0697023440ec0e02593c3e2042be705f9daa8d7e811c49c

            SHA512

            6c957070623abeaf7f71a0aef772e57e0d3489d7050b8d4a1d2989df633309fe162b5a190b40be032403d36916d8c52a48e4aa286417a1b70b37b0f6690075c2

          • C:\Users\Admin\AppData\Local\Temp\ready\main.bat

            Filesize

            509B

            MD5

            4cadea2b9bf36bc49ae71bfb62ebb4ab

            SHA1

            846fba69050f0d72be7f57d0824573e04570351b

            SHA256

            7bab88133b6225ba2ced1b7af6c996777065e2d57024fd9b2075e08d53aa3402

            SHA512

            61b53d9220a2b9994b5ccbb7e0e6fc636064718a12817f68c671a592a21b8bc126d128ee3b42d1e0aab8b20d92fced85c807b005afd82013606cfb23b57dc301

          • memory/2984-78-0x0000000000A10000-0x0000000000A2E000-memory.dmp

            Filesize

            120KB

          • memory/2984-79-0x0000000074390000-0x0000000074A7E000-memory.dmp

            Filesize

            6.9MB

          • memory/2984-80-0x0000000004CC0000-0x0000000004D00000-memory.dmp

            Filesize

            256KB

          • memory/2984-81-0x0000000074390000-0x0000000074A7E000-memory.dmp

            Filesize

            6.9MB