Analysis

max time kernel: 143s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/12/2023, 13:57
Static task: static1
Behavioral task: behavioral1
  Sample: 239e28b7742336ebc33d4011a46c874a.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 239e28b7742336ebc33d4011a46c874a.exe
  Resource: win10v2004-20231222-en

The signatures, process tree and dropped files below come from behavioral2 (the Windows 10 2004 x64 run); the resource paths in the YARA hits are prefixed behavioral2/ accordingly.
General

Target: 239e28b7742336ebc33d4011a46c874a.exe
Size: 2.3MB
MD5: 239e28b7742336ebc33d4011a46c874a
SHA1: b0f7ae20e722a16dd44375f73a86e333e28ed345
SHA256: 0ed0168c8ab57e3000bf92fcd68ac6fcba00a522a80cb6297f29c9f280508bdb
SHA512: 4dfe0354cfe5a0529a27da868caa7f806696f0b2c7094cfde08fc39b4c3d6ccfbbcded9e776c1fcc2aff141dbd63c234f59c49f657ee32218d23db5caab85b7a
SSDEEP: 49152:NNYkhDviE3uSnxQT7w8ckmNMrwo8Ydxiz8lVHTIioOFZQ+q:NNfvGSxQXw8xrwAxiqZ7q
Malware Config

Extracted
Family: redline
Botnet: @Devil11fd
C2: 95.217.159.87:4348
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                     yara_rule
behavioral2/files/0x000600000002321c-64.dat                                  family_redline
behavioral2/memory/1760-65-0x0000000000090000-0x00000000000AE000-memory.dmp  family_redline

SectopRAT payload (2 IoCs)
resource                                                                     yara_rule
behavioral2/files/0x000600000002321c-64.dat                                  family_sectoprat
behavioral2/memory/1760-65-0x0000000000090000-0x00000000000AE000-memory.dmp  family_sectoprat

Both family rules fire on the same two artifacts: the dropped file and a memory region of PID 1760, which is the dropped @Devil11fd.exe. Treat the SectopRAT hit as signature overlap on one payload rather than evidence of a second one; the configuration that was extracted is RedLine's.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                       Process
Key value queried  \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation  239e28b7742336ebc33d4011a46c874a.exe

Executes dropped EXE (9 IoCs)
pid   Process
1044  7z.exe
3108  7z.exe
3664  7z.exe
3820  7z.exe
2328  7z.exe
4600  7z.exe
3956  7z.exe
4212  7z.exe
1760  @Devil11fd.exe

Loads dropped DLL (8 IoCs)
pid   Process
1044  7z.exe
3108  7z.exe
3664  7z.exe
3820  7z.exe
2328  7z.exe
4600  7z.exe
3956  7z.exe
4212  7z.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   1044  7z.exe
Token: 35                   1044  7z.exe
Token: SeSecurityPrivilege  1044  7z.exe
Token: SeSecurityPrivilege  1044  7z.exe
Token: SeRestorePrivilege   3108  7z.exe
Token: 35                   3108  7z.exe
Token: SeSecurityPrivilege  3108  7z.exe
Token: SeSecurityPrivilege  3108  7z.exe
Token: SeRestorePrivilege   3664  7z.exe
Token: 35                   3664  7z.exe
Token: SeSecurityPrivilege  3664  7z.exe
Token: SeSecurityPrivilege  3664  7z.exe
Token: SeRestorePrivilege   3820  7z.exe
Token: 35                   3820  7z.exe
Token: SeSecurityPrivilege  3820  7z.exe
Token: SeSecurityPrivilege  3820  7z.exe
Token: SeRestorePrivilege   2328  7z.exe
Token: 35                   2328  7z.exe
Token: SeSecurityPrivilege  2328  7z.exe
Token: SeSecurityPrivilege  2328  7z.exe
Token: SeRestorePrivilege   4600  7z.exe
Token: 35                   4600  7z.exe
Token: SeSecurityPrivilege  4600  7z.exe
Token: SeSecurityPrivilege  4600  7z.exe
Token: SeRestorePrivilege   3956  7z.exe
Token: 35                   3956  7z.exe
Token: SeSecurityPrivilege  3956  7z.exe
Token: SeSecurityPrivilege  3956  7z.exe
Token: SeRestorePrivilege   4212  7z.exe
Token: 35                   4212  7z.exe
Token: SeSecurityPrivilege  4212  7z.exe
Token: SeSecurityPrivilege  4212  7z.exe
Token: SeDebugPrivilege     1760  @Devil11fd.exe

"Token: 35" is privilege LUID 35, SeCreateSymbolicLinkPrivilege, which the sandbox left unresolved. The SeRestore/SeSecurity/SeCreateSymbolicLink set is what 7-Zip requests when extracting (to restore security descriptors and symbolic links), so the 32 7z.exe rows are consistent with normal 7-Zip behaviour; the row that matters is SeDebugPrivilege in PID 1760, the RedLine payload.

Suspicious use of WriteProcessMemory (25 IoCs)
description                        pid   Process                               procid_target
PID 2692 wrote to memory of 4684   2692  239e28b7742336ebc33d4011a46c874a.exe  88
PID 4684 wrote to memory of 2660   4684  cmd.exe                               91
PID 4684 wrote to memory of 1044   4684  cmd.exe                               92
PID 4684 wrote to memory of 3108   4684  cmd.exe                               93
PID 4684 wrote to memory of 3664   4684  cmd.exe                               102
PID 4684 wrote to memory of 3820   4684  cmd.exe                               101
PID 4684 wrote to memory of 2328   4684  cmd.exe                               100
PID 4684 wrote to memory of 4600   4684  cmd.exe                               99
PID 4684 wrote to memory of 3956   4684  cmd.exe                               98
PID 4684 wrote to memory of 4212   4684  cmd.exe                               97
PID 4684 wrote to memory of 1952   4684  cmd.exe                               96
PID 4684 wrote to memory of 1760   4684  cmd.exe                               95

The raw log records each spawn two or three times (25 rows in total); one row per target is shown here, in the order logged. Every write is from a parent into a child it has just created (compare the process tree), so this signature reflects process spawning from the %TEMP% staging directory, not injection into an unrelated process.

Views/modifies file attributes (1 TTPs, 1 IoC)
pid   Process
1952  attrib.exe
Processes

main.bat, run by cmd.exe from the staging directory C:\Users\Admin\AppData\Local\Temp\ready, drives a dropped 7z.exe through a password-protected file.zip and then through file_7.zip down to file_1.zip, hides the unpacked @Devil11fd.exe with attrib +H and finally executes it (spawn order as recorded by the WriteProcessMemory log above). Command lines are reproduced exactly as the sandbox recorded them.

- 239e28b7742336ebc33d4011a46c874a.exe (PID 2692)
  Path: C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - cmd.exe (PID 4684)
    Path: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
    Signatures: Suspicious use of WriteProcessMemory
    - mode.com (PID 2660)
      Path: C:\Windows\system32\mode.com
      Command line: mode 65,10
    - 7z.exe (PID 1044)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 3108)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_7.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - @Devil11fd.exe (PID 1760)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe
      Command line: "@Devil11fd.exe"""
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - attrib.exe (PID 1952)
      Path: C:\Windows\system32\attrib.exe
      Command line: attrib +H "@Devil11fd.exe"""
      Signatures: Views/modifies file attributes
    - 7z.exe (PID 4212)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 3956)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 4600)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 2328)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 3820)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_5.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - 7z.exe (PID 3664)
      Path: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_6.zip -oextracted
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
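The process tree above is a detection opportunity in its own right, independent of the RedLine YARA hits: a batch file in a user-writable path drives a dropped 7z.exe through several extractions (the first with a -p password on the command line), hides the result with attrib +H and runs an executable from the same staging directory. The following is an added example, not part of the sandbox report or of any vendor's rule set, that reconstructs parent/child relationships from Sysmon-style process-creation records and flags that chain, capturing the 7-Zip password so an analyst can open the archive. The MALICIOUS records are constructed from this report's tree (PIDs, paths and command lines are taken from it; the root's parent PID of 1 and the field names are assumptions), and BENIGN is a constructed control case of a legitimate installer script.

```python
"""Detect the staged 7-Zip unpack chain seen in the report.

Added example; records below are constructed from the report's process tree
(root ppid of 1 and the field names pid/ppid/image/cmd are assumptions).
"""
import re
from collections import defaultdict

STAGING = r"C:\Users\Admin\AppData\Local\Temp\ready"

# Constructed to mirror the report's process tree.
MALICIOUS = [
    {"pid": 2692, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"'},
    {"pid": 4684, "ppid": 2692, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"'},
    {"pid": 2660, "ppid": 4684, "image": r"C:\Windows\system32\mode.com", "cmd": "mode 65,10"},
    {"pid": 1044, "ppid": 4684, "image": STAGING + r"\7z.exe",
     "cmd": "7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted"},
] + [
    {"pid": pid, "ppid": 4684, "image": STAGING + r"\7z.exe", "cmd": f"7z.exe e extracted/file_{n}.zip -oextracted"}
    for pid, n in [(3108, 7), (3664, 6), (3820, 5), (2328, 4), (4600, 3), (3956, 2), (4212, 1)]
] + [
    {"pid": 1952, "ppid": 4684, "image": r"C:\Windows\system32\attrib.exe", "cmd": 'attrib +H "@Devil11fd.exe"'},
    {"pid": 1760, "ppid": 4684, "image": STAGING + r"\@Devil11fd.exe", "cmd": '"@Devil11fd.exe"'},
]

# Constructed control: an installer script under Program Files extracting one archive.
BENIGN = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\system32\cmd.exe", "cmd": r'cmd.exe /c "C:\Program Files\Tool\setup.bat"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Program Files\7-Zip\7z.exe", "cmd": "7z.exe x data.zip -odata"},
    {"pid": 12, "ppid": 10, "image": r"C:\Program Files\Tool\tool.exe", "cmd": "tool.exe --init"},
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|Downloads|ProgramData|Users\\Public)\\", re.I)
SEVENZIP = re.compile(r"(^|\\)7z[a-z]*\.exe$", re.I)   # 7z.exe, 7za.exe, 7zr.exe
SCRIPT = re.compile(r"\.(bat|cmd)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def parse_7z_args(cmd):
    """Return (is_extract, password, output_dir) for a 7-Zip command line.
    Only the e/x commands and the -p/-o switches are recognised."""
    tokens = cmd.split()
    if len(tokens) < 2 or tokens[1].lower() not in ("e", "x"):
        return False, None, None
    password = output = None
    for tok in tokens[2:]:
        if tok.startswith("-p") and len(tok) > 2:
            password = tok[2:]
        elif tok.startswith("-o") and len(tok) > 2:
            output = tok[2:]
    return True, password, output


def detect_staged_unpack(events, min_layers=2):
    """Flag a cmd.exe running a .bat/.cmd from a user-writable path whose children
    include >= min_layers 7-Zip extractions plus an executable launched from the
    directory the 7z.exe itself lives in. attrib +H and any -p password are kept
    as supporting evidence."""
    by_pid = {ev["pid"]: ev for ev in events}
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)

    findings = []
    for ppid, children in by_parent.items():
        parent = by_pid.get(ppid)
        if parent is None or basename(parent["image"]) != "cmd.exe":
            continue
        if not (SCRIPT.search(parent["cmd"]) and USER_WRITABLE.search(parent["cmd"])):
            continue
        extracts, passwords, hidden, staging = [], [], [], set()
        for ch in children:
            if SEVENZIP.search(ch["image"]):
                is_extract, pw, _ = parse_7z_args(ch["cmd"])
                if is_extract:
                    extracts.append(ch["pid"])
                    staging.add(dirname(ch["image"]))
                    if pw:
                        passwords.append(pw)
            elif basename(ch["image"]) == "attrib.exe" and re.search(r"\+[a-z]*h", ch["cmd"], re.I):
                hidden.append(ch["pid"])
        # Anything else started from the dropped 7z.exe's directory is the candidate payload.
        executed = [ch["pid"] for ch in children
                    if dirname(ch["image"]) in staging and not SEVENZIP.search(ch["image"])]
        if len(extracts) >= min_layers and executed:
            findings.append({"parent_pid": ppid, "script": parent["cmd"], "layers": len(extracts),
                             "passwords": passwords, "hidden_by": hidden, "executed": executed})
    return findings


if __name__ == "__main__":
    for f in detect_staged_unpack(MALICIOUS):
        print(f"staged unpack under PID {f['parent_pid']}: {f['layers']} layers, "
              f"password(s) {f['passwords']}, hidden by {f['hidden_by']}, payload PID(s) {f['executed']}")
    print("benign control:", detect_staged_unpack(BENIGN))
```

The control case shows why the rule keys on the script's location and on the payload sharing a directory with the archiver: a single 7z.exe extraction from Program Files by an installer produces no finding, while the chain in this report yields one finding with eight extraction layers, the archive password, attrib.exe PID 1952 and payload PID 1760.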
Network
MITRE ATT&CK Enterprise v15
Downloads

Files dropped during the behavioral2 run:

- Filesize: 46KB
  MD5: 789989a135e81be6306d037c779213fd
  SHA1: 9a4a57f3cb93e5429a96ac82f2facff430f90006
  SHA256: de2534a60ec258bf0d0e8f842c8b94f126b053d3cb6ceb508fba8dc57da55195
  SHA512: 531f59ff4e7f1db33d43138df8605df5b154669c4c790a3205f56f2a95f29f8c0c33fbc2d85b4feb161ba0b518928e092821ac523d12c2d233844fcc4ea42bd5

- Filesize: 54KB
  MD5: 161762c0ce56bcada4753a7623958de9
  SHA1: 7090c2cc1f928ac429e7cec267299725c0b75508
  SHA256: 1188ec9a34ab002c873b34fafda66f539ce5dcd92ced0b3e01b4fad998b005f1
  SHA512: 9d91a6b2901c9822aa39bbecd08d46f48a13b01d550a4b6dc941f5e74542ccb308dd4fa0d0f29adc9c05568bc5ea33fb68769751557844b6c28d870933c34712

- Filesize: 47KB
  MD5: 6ad2248e410d99da1f49f9474f2db8bd
  SHA1: 32fe2b4b05a950878e92b9671edfcfa527e6d391
  SHA256: b31ee48c76a6139c48dae5133e8d2522f066a085266077456a05842fdfaeacfe
  SHA512: 27302ff6ca7adccc21abdbdc036f102b0beb1ab22941b6e740993482e4d5c4237bcbec738b15b59db80a9ec86ea470c6cb82141add0c152c7fca5810df74c315

- Filesize: 381KB
  MD5: 79bcc0e032caac3d210cd6f8dc7745ac
  SHA1: 32a067aba2c26ff5fb21b4537acf52bdc57e1050
  SHA256: 603f6856b01edd98f13585c812692090608dcebccc891b0405cf48d475b1f187
  SHA512: 4791506355b1b28766e82de7249434711b27f2e124fee6c28acaeae1db85cb7671fa07c4ca396d482afc6f7818bf34066dbaf35e9b7ce1b173a8dbfd88b2019e

- Filesize: 256KB
  MD5: bcbf1584f4bb2d6eed335482d4aaf98c
  SHA1: 49bceb06241cdb6ed8556a2f2db957d77a058674
  SHA256: fe009565cfcf4336c4c9c51999ccb1699cb925519bffaa04ae0488943d376779
  SHA512: 87bad46dbdd3218f31d73e5afd069e23baa7ffcbe75727ac2881d9c08659cfe3d8ca606c841b43f5021a05d83ec650b176d1ec25077aa83fc2b42e2a57db0aae

- Filesize: 286KB
  MD5: def4102440724d5651edeeae7dcde3bd
  SHA1: 5739ddc90db1ff283ac186c346cb7ee4c6dfa29a
  SHA256: fc93090145c0cf2a39c67322063d417fc9a8e01b7c87aed3c85cecf37ae7cfe6
  SHA512: b478ad835e3cead37f8c680add412fbb93cd0e578ed9242e179d31b17a1faf072c729dceea2e33bcf77fab0939a94eae879d56d219cd78583794923b4fed787f

- Filesize: 257KB
  MD5: 4f2efb4a67a9ab21bae8c30ea6449981
  SHA1: c34197ec025bb52f08be236767348a0395e78745
  SHA256: f84e134ec5967d476289c2f37abda5cafca786aef04e0bb943b2b759bb70cd02
  SHA512: 6950fdce9e4b8bcc270ac3bbffe32f1cd4c11c0f752cd2e21585577ad62e2f21c1666c7590572774759cb5a0b03d5aad835579a277acb24a5df78199711f977b

- Filesize: 316KB
  MD5: 3da926863f09da4e59def1fbe57f0cb4
  SHA1: f997cecb244573279cc87757d216eca107889967
  SHA256: 7edcfe190de01c85dfae30f71de34cdee36405b83951ad7ff63e5d84f05b93cc
  SHA512: 22b284e5741bcaef63d40d7d6485d566f73ccf29b2c43eaf68c2404be51e989cb187f8374bade7aa6b32a2471a8152ac3c7cfe8951c26d6b24c44d157dbeb6ce

- Filesize: 278KB
  MD5: 8836f39ff199ce7cde1c4714035dafb9
  SHA1: 616e9707176fba8d276fdf9df112a23c2329a628
  SHA256: adc2aa13f53b0ed90937b1fbcefc249247c993a0daabd72176743dd3fa1a3220
  SHA512: 4cb8a897e06e64317560911ea20597ddb506b6de4e38527ff3c0ee90cd90db5d50b54653c17ff14dcc480d1040126ee2c0410c7b2e7128a5728c87a1753a4af4

- Filesize: 193KB
  MD5: 1ff4c789eb8b91106b8848a0b578e8aa
  SHA1: f7ff37d9b063e2bcfc3b28b750e51b038351dafb
  SHA256: c526268cd2c9665c4f457609ed8a1c023c39cd24dd4d20187f38db66ccdfb251
  SHA512: 367e04e6b95f757e70ad775d7d7caab9ec098c32298b8f34f4f46f8f34b1465bafbda2828214f231351909328fc82fa77c488b66e772e074e8191dadcc0ffe8d

- Filesize: 64KB
  MD5: d20d2125b2f22a258e5d59c5b7296207
  SHA1: b503a25a6ff2c2a912179b4da809ac1422ccf996
  SHA256: 5cc0d7df85e7040b96b5b761bbfb822fb784b8a8f7030eaf20223c765e40108e
  SHA512: 6c51b22598e6abce1fc5e9c6c661e3c783209097018ca2beaa9b2a6c05e9cceb43a796c73f5e683ea8601735453ba72b33c8eb0c1e562eb541b4c9bd02c6b015

- Filesize: 301KB
  MD5: 2af456a7fb8334dc93356c552147067a
  SHA1: e8a3812d61984b458c2b6bb2e58197595aa62b2d
  SHA256: 7dae287c035554c96d9384a933275fc1a219d523948843f0ad3e16cfed75fc77
  SHA512: 389a74b3ee377419ba264c80b4143af29bc8c485f9a5988a9d2623b3ff69acc7f0522c0dce98ec01f867602993f6e5ebc72810f6a6be91b82954487ad6b34632

- Filesize: 30KB
  MD5: d1e2e9968c49b021ab5faf256de7a3a6
  SHA1: 821f61b4a4f772c806e59cd4f41316805a983bf7
  SHA256: 23e42458cb40a4474b63fb75045d0112b7b3b7ff42fe10cac89e741de6c9f235
  SHA512: 3ba310182359bddb9aa48d955ad1fba75c0ce8556263a97df3b91f0f9f5cfdbad5492ee7994c0277db2bf03d351e42c936695807ec9d491f09abb377cf3e9246

- Filesize: 232KB
  MD5: 94254a9a93e71a1933beccdc390561bf
  SHA1: d57d00e89c71aeaf99185d0e69efedc876a536a1
  SHA256: a63b2de20fa483963ccd9f5b94b939eb7a99da59c1ac8bf43f7ca8084e533ed6
  SHA512: afd0b6f6db4ffd29c4e5340497611696a7c79128e66b3d127086b4a70c1f2ccf62f80b9d5ac64ceabc8e2e5a76c19635c853d724ada1a6a232860a4ab03b5c98

- Filesize: 17KB
  MD5: 42ee8a907b14028f5115efe86926de2c
  SHA1: 7df44ca558ac87da5c1941bd5d3c91234fe6d768
  SHA256: c9e2c3deae892579602129b8de3aa6891134c13e02e15a8b5660666b8926b2c2
  SHA512: 6b8a37db3d9002ca41bfdb9355d92f54a68338bff7e12956c46385be10e005e1c53146c8b8621cb4411d1d74256b82719daadd04513d7ff3a2d2517a2bdefbaf

- Filesize: 205KB
  MD5: 64fe1543fa2459c889d8a4aab2cf1599
  SHA1: e1f73d59ac3a6922c8e296b8bf0ff3675ada5f37
  SHA256: 25283a294894d2fc6904dd8812f1c8cc7e569764690cb626ed7c1232440868f0
  SHA512: 8368b6b41a962bea3e95e1d5589f8dc077c282f4c2f6a3ef82c1a3062928aee6a49be7a30c2737649e801286deed8abc7a2460d6d0259c024b0021b1ab0ab1ac

- Filesize: 284KB
  MD5: 9eb762adf512b7c08a637f0eff11a923
  SHA1: 5cda862d8cb4744b83c577e648effd4f34d9179d
  SHA256: 7f7546835b71c6cb7367e7c0d421fa765de32805da089b00e32614390856a62d
  SHA512: 6c96440da7fa5abe8f27d15198fb88857a3bdd16d71fa848af12875d37dddb003fe24d1bb88400f3b4002129566fdef32c8cfffacf7f351f7d7f5ced1d65d7fc

- Filesize: 286KB
  MD5: d09616592afa1a07e2661b82fd8b514b
  SHA1: 50531d4ccef38def77f5239614ac687eb2f2c47a
  SHA256: 81941ce5fae39f23f664b97d69667e225d3a69cc944a44995bc10da59aeff934
  SHA512: 2cded4a99e40e3b046897ee2abd7e598699e315d4ae380d3db3f0722b94ed70657f35297c132a8b9bb1a69818c99acbfbdc36c357bdac461d9cdbf479f895338

- Filesize: 100KB
  MD5: 56c01ebfeaf1eeac6929207998033fbe
  SHA1: acc89a5415b11e07ed7c7cc82de91bb71a67cc5f
  SHA256: 4fa6f0c36855fe2d5ec891552a4eb0df968f1b92c7d2f28483eb362a8e129d12
  SHA512: a462dfbfc9c36af3b1fe0b05d9fcbbbc80ca5cf534f9f1be9cee42288f39491d245a42759a24bef03ae64e06610db895e343c39e2f8e816799135f7188b3381c

- Filesize: 189KB
  MD5: 5958581077a650d47855f5c2d48a4ad5
  SHA1: 48258bd340d8841a3e6498a42baebd8fad86a867
  SHA256: b24bec677eceafd7cfdbc0afcafa3a12974612f00968fd11db47ec42f9012eaa
  SHA512: 50ad79fefb66d5515dc9d9539c2a87110583250d76acdcad6a4b7294261fbc0fa20d0b7bf974bff894f3fca3395e3797980abdd2905a9cad0a29fb93fefbe791

- Filesize: 40KB
  MD5: f95fbbbef9f63dc5f22ad54fcd59a0a6
  SHA1: 2abdcd1905dd8272f6e8ddc6e4e9689829e8e734
  SHA256: a9d2f58dcbb33390d7597d2989020b7e3c18fa43ffafde0acd252364d9dc0b5a
  SHA512: 38ea08eecc7c01df250e5c3998faa0daea5a79325b66c19b52eb0170af3e86b83e84d5436b87d625ea553039bc0fe74081d56f5b57869727bd259a4b40c2ca0e

- Filesize: 40KB
  MD5: 3527abf225cc7c1a93c12c424f77a4bd
  SHA1: 7881e33f3025d02326022f928bf9640df9e785ea
  SHA256: 9b37edd1119cd1dc11328b2c519048517f3b59f0ac5d1225a4c4698da24976a7
  SHA512: 8c2d776954513bb74597df1ba6758ec479904073dc307e0378b438dbc433120a10df2421081049f3474c5cadd646031c77ce9335a15f342af9403f62c6d26ba1

- Filesize: 40KB
  MD5: f2f7cee6818ae088f72d693630f7963a
  SHA1: 1b64af7c13c54d9700f49efec2eb729edbc38cea
  SHA256: f168d9903dba9c71122b6ba31dd83de638a93c77a00b1b006ea0f447b084ae9d
  SHA512: e50ecc2569f371aeeb3bdaa9b190176b93239b91aad5dc0c930edaa3c96cccbfed5877ca419b1082e3f78f8e68f5bb3d2d0c6b27b7489194de268f077b9c0aa9

- Filesize: 41KB
  MD5: 200143c12bb938e3c3f525d1222f2d5e
  SHA1: 042c8b2216206a45be1dfd5441c708fe8e8f6c52
  SHA256: d7572a9e745465f83e57107182ab3eb3df4110ba133ac8b26a8fa46cfab29a0d
  SHA512: 90c49510eb8619b1fe4ee89a4c6c7c37434c36e1fabece9c24f4344ffd0738931c0a999f5462827c52bc29ed6bea71b52002fcb7b670c50d0362c2206102394a

- Filesize: 41KB
  MD5: 74ae005c75d4dfa890ffd8a1c4e1ae68
  SHA1: 03a8ae512bd6bf460d21168d930298ffc53e59d4
  SHA256: 442f53060e633e847f64fa1156b9355a6893fce5d5bd96c4b5ddc99926e5f368
  SHA512: 38d3375a88f70104a9d1a64b247c9dd52fc9b6a8e8e2e345ce7d22c2c81ce1ba16ad9714c059509f1395fb9d011aa9bceb4924e4fa19d4fcbc6668a0fdb831e3

- Filesize: 41KB
  MD5: ee69bb03a1976761e9e6f772587ae9cd
  SHA1: c67f41d3984d720d630de32d8a7cc197915f3ea5
  SHA256: e75362123001b73fe6b3a2a47b225d7aac91b84bcbb5b80213099ce41629d12c
  SHA512: 3ecdac20aa0140597e16b585ba30cc3af4092732c4f53e499257461eac393da915c01014f79c03a0d9b59ab4a92ff35792242d306439b8a12b44d1abc88e068f

- Filesize: 32KB
  MD5: 1890f9d74624b17970f82f45c648a31d
  SHA1: c97bc40332af95da09c3d11652cd34384df80aec
  SHA256: 71b21bc49d8e9c7ee78587d833c7d609610b9cff4d25d6110d92bf9dfce53c47
  SHA512: 236f3e3efa1bc6ef8d9d85b67abc6b90673d3bbf23e22d5d7d569d31a29ffc59a6eae22afd8100063dc59584dc831968d2bbce07bb6ad0353f3a0fccc3c2e40f

- Filesize: 952KB
  MD5: aa1a56daf38c81d94870ff0ebc0c6176
  SHA1: afc5d78f02e5a7b53d97d563dc9debc75ab1c8e8
  SHA256: 568f27e756229658d3dd53d4fdee7de94da7629b932f3ab1e24ab8b648bafaf7
  SHA512: 18a62a6f699c4e20f4738d6248d170d318badcebc657000a2e207cd56b891ca42b69cd937ceef0cce5540034399aa32dceae26e69cd61971a809f9b8d2d3d4d7

- Filesize: 509B
  MD5: 4cadea2b9bf36bc49ae71bfb62ebb4ab
  SHA1: 846fba69050f0d72be7f57d0824573e04570351b
  SHA256: 7bab88133b6225ba2ced1b7af6c996777065e2d57024fd9b2075e08d53aa3402
  SHA512: 61b53d9220a2b9994b5ccbb7e0e6fc636064718a12817f68c671a592a21b8bc126d128ee3b42d1e0aab8b20d92fced85c807b005afd82013606cfb23b57dc301