Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/12/2023, 13:57

General

  • Target

    239e28b7742336ebc33d4011a46c874a.exe

  • Size

    2.3MB

  • MD5

    239e28b7742336ebc33d4011a46c874a

  • SHA1

    b0f7ae20e722a16dd44375f73a86e333e28ed345

  • SHA256

    0ed0168c8ab57e3000bf92fcd68ac6fcba00a522a80cb6297f29c9f280508bdb

  • SHA512

    4dfe0354cfe5a0529a27da868caa7f806696f0b2c7094cfde08fc39b4c3d6ccfbbcded9e776c1fcc2aff141dbd63c234f59c49f657ee32218d23db5caab85b7a

  • SSDEEP

    49152:NNYkhDviE3uSnxQT7w8ckmNMrwo8Ydxiz8lVHTIioOFZQ+q:NNfvGSxQXw8xrwAxiqZ7q

Malware Config

Extracted

Family

redline

Botnet

@Devil11fd

C2

95.217.159.87:4348

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe
    "C:\Users\Admin\AppData\Local\Temp\239e28b7742336ebc33d4011a46c874a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4684
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:2660
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e file.zip -p___________2063pwd1339pwd10187___________ -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1044
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_7.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3108
        • C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe
          "@Devil11fd.exe"""
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1760
        • C:\Windows\system32\attrib.exe
          attrib +H "@Devil11fd.exe"""
          3⤵
          • Views/modifies file attributes
          PID:1952
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3956
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4600
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_5.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3820
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_6.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3664

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            46KB

            MD5

            789989a135e81be6306d037c779213fd

            SHA1

            9a4a57f3cb93e5429a96ac82f2facff430f90006

            SHA256

            de2534a60ec258bf0d0e8f842c8b94f126b053d3cb6ceb508fba8dc57da55195

            SHA512

            531f59ff4e7f1db33d43138df8605df5b154669c4c790a3205f56f2a95f29f8c0c33fbc2d85b4feb161ba0b518928e092821ac523d12c2d233844fcc4ea42bd5

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            54KB

            MD5

            161762c0ce56bcada4753a7623958de9

            SHA1

            7090c2cc1f928ac429e7cec267299725c0b75508

            SHA256

            1188ec9a34ab002c873b34fafda66f539ce5dcd92ced0b3e01b4fad998b005f1

            SHA512

            9d91a6b2901c9822aa39bbecd08d46f48a13b01d550a4b6dc941f5e74542ccb308dd4fa0d0f29adc9c05568bc5ea33fb68769751557844b6c28d870933c34712

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            47KB

            MD5

            6ad2248e410d99da1f49f9474f2db8bd

            SHA1

            32fe2b4b05a950878e92b9671edfcfa527e6d391

            SHA256

            b31ee48c76a6139c48dae5133e8d2522f066a085266077456a05842fdfaeacfe

            SHA512

            27302ff6ca7adccc21abdbdc036f102b0beb1ab22941b6e740993482e4d5c4237bcbec738b15b59db80a9ec86ea470c6cb82141add0c152c7fca5810df74c315

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            381KB

            MD5

            79bcc0e032caac3d210cd6f8dc7745ac

            SHA1

            32a067aba2c26ff5fb21b4537acf52bdc57e1050

            SHA256

            603f6856b01edd98f13585c812692090608dcebccc891b0405cf48d475b1f187

            SHA512

            4791506355b1b28766e82de7249434711b27f2e124fee6c28acaeae1db85cb7671fa07c4ca396d482afc6f7818bf34066dbaf35e9b7ce1b173a8dbfd88b2019e

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            256KB

            MD5

            bcbf1584f4bb2d6eed335482d4aaf98c

            SHA1

            49bceb06241cdb6ed8556a2f2db957d77a058674

            SHA256

            fe009565cfcf4336c4c9c51999ccb1699cb925519bffaa04ae0488943d376779

            SHA512

            87bad46dbdd3218f31d73e5afd069e23baa7ffcbe75727ac2881d9c08659cfe3d8ca606c841b43f5021a05d83ec650b176d1ec25077aa83fc2b42e2a57db0aae

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            286KB

            MD5

            def4102440724d5651edeeae7dcde3bd

            SHA1

            5739ddc90db1ff283ac186c346cb7ee4c6dfa29a

            SHA256

            fc93090145c0cf2a39c67322063d417fc9a8e01b7c87aed3c85cecf37ae7cfe6

            SHA512

            b478ad835e3cead37f8c680add412fbb93cd0e578ed9242e179d31b17a1faf072c729dceea2e33bcf77fab0939a94eae879d56d219cd78583794923b4fed787f

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            257KB

            MD5

            4f2efb4a67a9ab21bae8c30ea6449981

            SHA1

            c34197ec025bb52f08be236767348a0395e78745

            SHA256

            f84e134ec5967d476289c2f37abda5cafca786aef04e0bb943b2b759bb70cd02

            SHA512

            6950fdce9e4b8bcc270ac3bbffe32f1cd4c11c0f752cd2e21585577ad62e2f21c1666c7590572774759cb5a0b03d5aad835579a277acb24a5df78199711f977b

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            316KB

            MD5

            3da926863f09da4e59def1fbe57f0cb4

            SHA1

            f997cecb244573279cc87757d216eca107889967

            SHA256

            7edcfe190de01c85dfae30f71de34cdee36405b83951ad7ff63e5d84f05b93cc

            SHA512

            22b284e5741bcaef63d40d7d6485d566f73ccf29b2c43eaf68c2404be51e989cb187f8374bade7aa6b32a2471a8152ac3c7cfe8951c26d6b24c44d157dbeb6ce

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            278KB

            MD5

            8836f39ff199ce7cde1c4714035dafb9

            SHA1

            616e9707176fba8d276fdf9df112a23c2329a628

            SHA256

            adc2aa13f53b0ed90937b1fbcefc249247c993a0daabd72176743dd3fa1a3220

            SHA512

            4cb8a897e06e64317560911ea20597ddb506b6de4e38527ff3c0ee90cd90db5d50b54653c17ff14dcc480d1040126ee2c0410c7b2e7128a5728c87a1753a4af4

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            193KB

            MD5

            1ff4c789eb8b91106b8848a0b578e8aa

            SHA1

            f7ff37d9b063e2bcfc3b28b750e51b038351dafb

            SHA256

            c526268cd2c9665c4f457609ed8a1c023c39cd24dd4d20187f38db66ccdfb251

            SHA512

            367e04e6b95f757e70ad775d7d7caab9ec098c32298b8f34f4f46f8f34b1465bafbda2828214f231351909328fc82fa77c488b66e772e074e8191dadcc0ffe8d

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            64KB

            MD5

            d20d2125b2f22a258e5d59c5b7296207

            SHA1

            b503a25a6ff2c2a912179b4da809ac1422ccf996

            SHA256

            5cc0d7df85e7040b96b5b761bbfb822fb784b8a8f7030eaf20223c765e40108e

            SHA512

            6c51b22598e6abce1fc5e9c6c661e3c783209097018ca2beaa9b2a6c05e9cceb43a796c73f5e683ea8601735453ba72b33c8eb0c1e562eb541b4c9bd02c6b015

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            301KB

            MD5

            2af456a7fb8334dc93356c552147067a

            SHA1

            e8a3812d61984b458c2b6bb2e58197595aa62b2d

            SHA256

            7dae287c035554c96d9384a933275fc1a219d523948843f0ad3e16cfed75fc77

            SHA512

            389a74b3ee377419ba264c80b4143af29bc8c485f9a5988a9d2623b3ff69acc7f0522c0dce98ec01f867602993f6e5ebc72810f6a6be91b82954487ad6b34632

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            30KB

            MD5

            d1e2e9968c49b021ab5faf256de7a3a6

            SHA1

            821f61b4a4f772c806e59cd4f41316805a983bf7

            SHA256

            23e42458cb40a4474b63fb75045d0112b7b3b7ff42fe10cac89e741de6c9f235

            SHA512

            3ba310182359bddb9aa48d955ad1fba75c0ce8556263a97df3b91f0f9f5cfdbad5492ee7994c0277db2bf03d351e42c936695807ec9d491f09abb377cf3e9246

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            232KB

            MD5

            94254a9a93e71a1933beccdc390561bf

            SHA1

            d57d00e89c71aeaf99185d0e69efedc876a536a1

            SHA256

            a63b2de20fa483963ccd9f5b94b939eb7a99da59c1ac8bf43f7ca8084e533ed6

            SHA512

            afd0b6f6db4ffd29c4e5340497611696a7c79128e66b3d127086b4a70c1f2ccf62f80b9d5ac64ceabc8e2e5a76c19635c853d724ada1a6a232860a4ab03b5c98

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            17KB

            MD5

            42ee8a907b14028f5115efe86926de2c

            SHA1

            7df44ca558ac87da5c1941bd5d3c91234fe6d768

            SHA256

            c9e2c3deae892579602129b8de3aa6891134c13e02e15a8b5660666b8926b2c2

            SHA512

            6b8a37db3d9002ca41bfdb9355d92f54a68338bff7e12956c46385be10e005e1c53146c8b8621cb4411d1d74256b82719daadd04513d7ff3a2d2517a2bdefbaf

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            205KB

            MD5

            64fe1543fa2459c889d8a4aab2cf1599

            SHA1

            e1f73d59ac3a6922c8e296b8bf0ff3675ada5f37

            SHA256

            25283a294894d2fc6904dd8812f1c8cc7e569764690cb626ed7c1232440868f0

            SHA512

            8368b6b41a962bea3e95e1d5589f8dc077c282f4c2f6a3ef82c1a3062928aee6a49be7a30c2737649e801286deed8abc7a2460d6d0259c024b0021b1ab0ab1ac

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            284KB

            MD5

            9eb762adf512b7c08a637f0eff11a923

            SHA1

            5cda862d8cb4744b83c577e648effd4f34d9179d

            SHA256

            7f7546835b71c6cb7367e7c0d421fa765de32805da089b00e32614390856a62d

            SHA512

            6c96440da7fa5abe8f27d15198fb88857a3bdd16d71fa848af12875d37dddb003fe24d1bb88400f3b4002129566fdef32c8cfffacf7f351f7d7f5ced1d65d7fc

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            286KB

            MD5

            d09616592afa1a07e2661b82fd8b514b

            SHA1

            50531d4ccef38def77f5239614ac687eb2f2c47a

            SHA256

            81941ce5fae39f23f664b97d69667e225d3a69cc944a44995bc10da59aeff934

            SHA512

            2cded4a99e40e3b046897ee2abd7e598699e315d4ae380d3db3f0722b94ed70657f35297c132a8b9bb1a69818c99acbfbdc36c357bdac461d9cdbf479f895338

          • C:\Users\Admin\AppData\Local\Temp\ready\@Devil11fd.exe

            Filesize

            100KB

            MD5

            56c01ebfeaf1eeac6929207998033fbe

            SHA1

            acc89a5415b11e07ed7c7cc82de91bb71a67cc5f

            SHA256

            4fa6f0c36855fe2d5ec891552a4eb0df968f1b92c7d2f28483eb362a8e129d12

            SHA512

            a462dfbfc9c36af3b1fe0b05d9fcbbbc80ca5cf534f9f1be9cee42288f39491d245a42759a24bef03ae64e06610db895e343c39e2f8e816799135f7188b3381c

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\ANTIAV~1.DAT

            Filesize

            189KB

            MD5

            5958581077a650d47855f5c2d48a4ad5

            SHA1

            48258bd340d8841a3e6498a42baebd8fad86a867

            SHA256

            b24bec677eceafd7cfdbc0afcafa3a12974612f00968fd11db47ec42f9012eaa

            SHA512

            50ad79fefb66d5515dc9d9539c2a87110583250d76acdcad6a4b7294261fbc0fa20d0b7bf974bff894f3fca3395e3797980abdd2905a9cad0a29fb93fefbe791

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_1.zip

            Filesize

            40KB

            MD5

            f95fbbbef9f63dc5f22ad54fcd59a0a6

            SHA1

            2abdcd1905dd8272f6e8ddc6e4e9689829e8e734

            SHA256

            a9d2f58dcbb33390d7597d2989020b7e3c18fa43ffafde0acd252364d9dc0b5a

            SHA512

            38ea08eecc7c01df250e5c3998faa0daea5a79325b66c19b52eb0170af3e86b83e84d5436b87d625ea553039bc0fe74081d56f5b57869727bd259a4b40c2ca0e

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_2.zip

            Filesize

            40KB

            MD5

            3527abf225cc7c1a93c12c424f77a4bd

            SHA1

            7881e33f3025d02326022f928bf9640df9e785ea

            SHA256

            9b37edd1119cd1dc11328b2c519048517f3b59f0ac5d1225a4c4698da24976a7

            SHA512

            8c2d776954513bb74597df1ba6758ec479904073dc307e0378b438dbc433120a10df2421081049f3474c5cadd646031c77ce9335a15f342af9403f62c6d26ba1

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_3.zip

            Filesize

            40KB

            MD5

            f2f7cee6818ae088f72d693630f7963a

            SHA1

            1b64af7c13c54d9700f49efec2eb729edbc38cea

            SHA256

            f168d9903dba9c71122b6ba31dd83de638a93c77a00b1b006ea0f447b084ae9d

            SHA512

            e50ecc2569f371aeeb3bdaa9b190176b93239b91aad5dc0c930edaa3c96cccbfed5877ca419b1082e3f78f8e68f5bb3d2d0c6b27b7489194de268f077b9c0aa9

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_4.zip

            Filesize

            41KB

            MD5

            200143c12bb938e3c3f525d1222f2d5e

            SHA1

            042c8b2216206a45be1dfd5441c708fe8e8f6c52

            SHA256

            d7572a9e745465f83e57107182ab3eb3df4110ba133ac8b26a8fa46cfab29a0d

            SHA512

            90c49510eb8619b1fe4ee89a4c6c7c37434c36e1fabece9c24f4344ffd0738931c0a999f5462827c52bc29ed6bea71b52002fcb7b670c50d0362c2206102394a

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip

            Filesize

            41KB

            MD5

            74ae005c75d4dfa890ffd8a1c4e1ae68

            SHA1

            03a8ae512bd6bf460d21168d930298ffc53e59d4

            SHA256

            442f53060e633e847f64fa1156b9355a6893fce5d5bd96c4b5ddc99926e5f368

            SHA512

            38d3375a88f70104a9d1a64b247c9dd52fc9b6a8e8e2e345ce7d22c2c81ce1ba16ad9714c059509f1395fb9d011aa9bceb4924e4fa19d4fcbc6668a0fdb831e3

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip

            Filesize

            41KB

            MD5

            ee69bb03a1976761e9e6f772587ae9cd

            SHA1

            c67f41d3984d720d630de32d8a7cc197915f3ea5

            SHA256

            e75362123001b73fe6b3a2a47b225d7aac91b84bcbb5b80213099ce41629d12c

            SHA512

            3ecdac20aa0140597e16b585ba30cc3af4092732c4f53e499257461eac393da915c01014f79c03a0d9b59ab4a92ff35792242d306439b8a12b44d1abc88e068f

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip

            Filesize

            32KB

            MD5

            1890f9d74624b17970f82f45c648a31d

            SHA1

            c97bc40332af95da09c3d11652cd34384df80aec

            SHA256

            71b21bc49d8e9c7ee78587d833c7d609610b9cff4d25d6110d92bf9dfce53c47

            SHA512

            236f3e3efa1bc6ef8d9d85b67abc6b90673d3bbf23e22d5d7d569d31a29ffc59a6eae22afd8100063dc59584dc831968d2bbce07bb6ad0353f3a0fccc3c2e40f

          • C:\Users\Admin\AppData\Local\Temp\ready\file.bin

            Filesize

            952KB

            MD5

            aa1a56daf38c81d94870ff0ebc0c6176

            SHA1

            afc5d78f02e5a7b53d97d563dc9debc75ab1c8e8

            SHA256

            568f27e756229658d3dd53d4fdee7de94da7629b932f3ab1e24ab8b648bafaf7

            SHA512

            18a62a6f699c4e20f4738d6248d170d318badcebc657000a2e207cd56b891ca42b69cd937ceef0cce5540034399aa32dceae26e69cd61971a809f9b8d2d3d4d7

          • C:\Users\Admin\AppData\Local\Temp\ready\main.bat

            Filesize

            509B

            MD5

            4cadea2b9bf36bc49ae71bfb62ebb4ab

            SHA1

            846fba69050f0d72be7f57d0824573e04570351b

            SHA256

            7bab88133b6225ba2ced1b7af6c996777065e2d57024fd9b2075e08d53aa3402

            SHA512

            61b53d9220a2b9994b5ccbb7e0e6fc636064718a12817f68c671a592a21b8bc126d128ee3b42d1e0aab8b20d92fced85c807b005afd82013606cfb23b57dc301

          • memory/1760-71-0x0000000004AF0000-0x0000000004B3C000-memory.dmp

            Filesize

            304KB

          • memory/1760-72-0x0000000004D60000-0x0000000004E6A000-memory.dmp

            Filesize

            1.0MB

          • memory/1760-70-0x0000000004C10000-0x0000000004C20000-memory.dmp

            Filesize

            64KB

          • memory/1760-67-0x0000000072AE0000-0x0000000073290000-memory.dmp

            Filesize

            7.7MB

          • memory/1760-69-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

            Filesize

            240KB

          • memory/1760-68-0x0000000004A50000-0x0000000004A62000-memory.dmp

            Filesize

            72KB

          • memory/1760-66-0x0000000004FB0000-0x00000000055C8000-memory.dmp

            Filesize

            6.1MB

          • memory/1760-65-0x0000000000090000-0x00000000000AE000-memory.dmp

            Filesize

            120KB

          • memory/1760-73-0x0000000072AE0000-0x0000000073290000-memory.dmp

            Filesize

            7.7MB