Analysis

  • max time kernel
    135s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/01/2024, 18:47

General

  • Target

    5738d596be68071de7786712b5410024.exe

  • Size

    2.3MB

  • MD5

    5738d596be68071de7786712b5410024

  • SHA1

    6245023401af7c614e5dcb61d657f41c17233ccd

  • SHA256

    03469423c7c63f0144fc8e3135db3efd65f0a15bbc80c374236792f820633310

  • SHA512

    93e08c9d3c194f4fa290113eb9bae836b79f512ae2b8a0c68430c3acd4ac170d1f6d47b2ff3ce0d673651afed388ad8206acd9856122b7d95972e8c9827d2668

  • SSDEEP

    49152:hYVPdezBnlW4Es4e3yIvLb59ou2cfJ6xiz8lVHTIioOFZQ+y:hkQlQ4tTP7xJ6xiqZ7y

Malware Config

Extracted

Family

redline

Botnet

@janhidf

C2

45.14.12.90:52072

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe
    "C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2248
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:2792
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_10.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2744
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_9.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2932
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_8.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_7.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_5.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:616
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_6.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2072
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2816
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:764
        • C:\Windows\system32\attrib.exe
          attrib +H "janhidf.exe"
          3⤵
          • Views/modifies file attributes
          PID:740
        • C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
          "janhidf.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:1016
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2952
        • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2912

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            1.6MB

            MD5

            689c2cc5525bd008b965cd9b901603aa

            SHA1

            0e402d9d5a0b7e756add4e69bd65a2bc555e9530

            SHA256

            11e76f3f041f18b96785856c53c2517b7f2a3e07f9106f3ce0d56056493fac3f

            SHA512

            4411c1db84d01818fe3fbd22f0e9e41a28896986f443d78dbd574c5a4d4e9b70822a30d6ba79b93f4d7a3c2f8a8c35d15ba02ae4fe699191595d3131a5148412

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            444KB

            MD5

            07c85cf88c73ddf572aa9d11afb23d96

            SHA1

            e116ac67460c0faea4095016545e9e73f7b45f1a

            SHA256

            b316e1f050dd514864a3d937aff41c80a2a3c5ab527d692088154186d9ce4edd

            SHA512

            58af7369361f2a5dda1c3af6ff53b6e0ead1f7ec7f02b85434ae2637892bf7e1599c36f36d12c821f93491dd42b6ece4c81180919033c3efb146e61a52823237

          • C:\Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            281KB

            MD5

            d5a4f7252db87294f50c40648900fa5f

            SHA1

            12a5cd05f3a4f0fab6ce4f5a38f495b7e6c6d465

            SHA256

            15b7220662df6f13bdd8dd91b805b7a52da043a797842d57cc700aa5785676ab

            SHA512

            bca9b2c16544d89df6ac412c2854bf569ae8a088c402065060bd60974ebaafb83c1370855c94354bd4f8c6a176989e48c459bab6edbb5027799f59e1c836b0ab

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\ANTIAV~1.DAT

            Filesize

            472KB

            MD5

            0c896387b0765d8ea6528edd6a489c8a

            SHA1

            e1c42a6c1dd3f367db45d97896e67d79e855e8a1

            SHA256

            16420c770b7bd9bce02a13cdccc675000747e1a850f8e51dcde1c2f62e861e08

            SHA512

            d1ef26df7cb94c571d23bbb55e5cd3302cceb46edc1533115a2aa5ed2ae02d6b3bd69fda46ebaccc508d30b35629fce79a3f104bbec713709cf28cb6663a80fc

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_1.zip

            Filesize

            40KB

            MD5

            9f4f7b66d6cd9adbff1492ec77be9126

            SHA1

            13f8d7df286a9c89e42708caf9aaf59c0edbab98

            SHA256

            4ef2a3cbb5bd9b054c59c316bb294cbc3eb53a7996a85bb4b69683c98edbabc2

            SHA512

            0eac85d3976b46ea59ea1d5469d9b35680a3c1cbac0f0e72c245b64db574befd5a045b3506b247ac4eaee634f4466ed33728d781907bd64b2b31b7b68c13c944

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_10.zip

            Filesize

            559KB

            MD5

            752679ebac1f52b7228a8d3f933e240c

            SHA1

            52c04db5184f3be4e207ea7f429aad1b14b27827

            SHA256

            76f2b5cb35b847436d99988b77eef7f1ad3af73bddbc39aba439e1970724a495

            SHA512

            57589053bfa11a90a43ac894881d65b45f8af3fbf870e804ca2fbf96557a16cd9ece0399809888fc000ed2dd431cba87ac6d4da8889fef6930d9086c794d32c8

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_2.zip

            Filesize

            40KB

            MD5

            e5bb59fdbd11b8fef49f264fd5bd3c6e

            SHA1

            e4beff350bbc47c546a0be7aea44619047487241

            SHA256

            4217b0a7ec80903416e41e0f7bdefbf83c057ebd37578b495021e04b23e96bc3

            SHA512

            b549cf1d0ac48233a89abf96513d2ce3556a8cc1c59267b26fd4afb7f51613b3a480a974271dc26cdca8a15920635d3044a7de72839447dc255dedbfbef4561b

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_3.zip

            Filesize

            40KB

            MD5

            50c959de88daba22ae8ce3d253dd13d7

            SHA1

            2499ec1a7a172282c79702a1387aa9b5824cb8df

            SHA256

            15d67b78a9641a6d59f77d1a81921fc376ccfe52f60d67dd3e56005b3f621914

            SHA512

            461d3f50bd4885e6d144a2972d012cc33ffae439ce2899a4422c17f601eea49c86cc97927933ef6f50f8329fa5f9b58748ac4e4809167460c9bc03bc5911b6ce

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_4.zip

            Filesize

            40KB

            MD5

            dd12a31f83517dd645ef8974616d2c30

            SHA1

            02126fa349cb10b600e430ad9ad6b75ca365304c

            SHA256

            fa94fd89a5c7ecceeca8a8c9550acd00ffa11f2d450d4e34de1e09d21c96ab65

            SHA512

            fc47aaed6155817171b58a0e4663f3fd338732fb4d5cb3af60b23e196e48444726f3ecd248f0e7015c831b62dfbe6daf9dfa3877561715261b2b3499939b93af

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip

            Filesize

            40KB

            MD5

            285d432d435cd6fb30a14b26d785ae5c

            SHA1

            1bba0e1cd964177543561233df0117f210184610

            SHA256

            82123a06b9ed0f527fed2d987b222befb12023e077bc0187c15ca7389351043f

            SHA512

            f6c2c6eebd2e1c451f4a4cbb92ee81601a24df97584a6636bf712fe23ba6e2adf2b1c3b1b62de2f28cd0eeb93d07cac12c96548897be42c093c885995c5131a6

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip

            Filesize

            41KB

            MD5

            110d098300a79bf77df3e1f9dc000854

            SHA1

            7fc902980a6ad5c49d2a1592b17aa94d6cd63bc6

            SHA256

            3b5a7ae6a43ca5e3cb3280a6463ed79f7ae688eeae2a81114d24d1bc8f8048c3

            SHA512

            7e4051d93a0f543a686e9b0bb5d705ee542a1658ab60f7e23c517a6221b2f8bc11f2c22442b58a5a9eb602078bc03956908cab6adf0dca501b975d1a6940cedd

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip

            Filesize

            41KB

            MD5

            d9f067d9b53e9dac1d72d801b5348c12

            SHA1

            ccdfdf4205d670f422facdfc772405ae11096000

            SHA256

            e00256861aca90c8f701ab67cd4442cee23ace47ebb7fe87d368814701f013ab

            SHA512

            950c1b2b805bfa666eafb6acd6ffababc40373110c567e70b15fe54d06a505a26656b94361d09ae00c64929d46726c439b6c041e2200988b6c76c05fbe29b098

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_8.zip

            Filesize

            41KB

            MD5

            f268400b4f4630f70e6220f9f73ca770

            SHA1

            f7c0717bb47ef3d3f075d7fbe62ae9146cccd561

            SHA256

            5216fd47e01f7a9c5dd503f3576c2bb6b54f5bdf51f942c4e0c230eaa5a3a0b4

            SHA512

            a7ef869820d1294431c5a351bb423c024af5b07d4adc6abe50074996dfefbb05ddf68451cb060ecc263d85a608195f3206aaf9eaa2c9e7bb8ab573e51deb63e1

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_9.zip

            Filesize

            41KB

            MD5

            7be328380791baf2e2427349b5ac2b08

            SHA1

            1b10efbfeca8ba85dd4af53b1066ee338bba9120

            SHA256

            14a5a7e340f07b9859bd2694f7aa7f71f2a6f31400afc0d16ce79db740190d95

            SHA512

            1bc4672bc9b6178b5baa1934ce6114c0a0c4d052df45099ac4a946c8ad360f8bf9a1d56e8bccb8847571a333c809698da798f8d0308dfeaf35501dfa1407be4c

          • C:\Users\Admin\AppData\Local\Temp\ready\extracted\janhidf.exe

            Filesize

            99KB

            MD5

            a42608e928cfd28602e252d4feb52352

            SHA1

            243d378906e9a4c355c3091ccf2763e0dfdbe33b

            SHA256

            10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc

            SHA512

            ce6a597bd3caee4f141d12c987b41d4041adee78437a8c1803a84c24968a6f35eb3cd3779270479c836e25f19770981f74bfc3ed7509aee44c7a4ef70e2d667d

          • C:\Users\Admin\AppData\Local\Temp\ready\file.bin

            Filesize

            1.5MB

            MD5

            80ee31171fbd4fa75c6ef69c74c086a5

            SHA1

            95a88efc5b00b0d0a772a2350543f758a3ada61f

            SHA256

            571438548221628d90c3847d21c4bb32172a90aa204bebbfaa08e6e551679675

            SHA512

            5bf5b8bd01a753ff2fb53e249ac9aae53958711f3c0d8abf92d38ca896fa7029a12f41afb6c736c31690db6a007b772aeefeec7554177567b45ec4aa8330af9c

          • C:\Users\Admin\AppData\Local\Temp\ready\main.bat

            Filesize

            486B

            MD5

            3afb4af06ef85bcec37d3493910949b7

            SHA1

            8dece16a9f45866453ee6af0f1cabaaef5b11448

            SHA256

            c17d67303f4483cb9a3c3e3f974a26c6c4482f1042aba973cc4a37c686d0803f

            SHA512

            832067f4f08e111d22aef14ff0a2d86b9e86ae6ae193cfe33486c30c7cd172aa64d19f0729ced4dd3bb08f28feffd992dec416d1d383fc308ac4640c34dae180

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            1.4MB

            MD5

            d70338725e346f223b73e603284677a1

            SHA1

            3f797a357008ec344aeb7db7090a9f9529aae1da

            SHA256

            4ea148b631c2401cb7ec9b2e42cbd3d4a77fa018bec19c2b35405bcf6ad298fe

            SHA512

            b888b10321738bdd97d13c1372ae649c0953f9eca26959e3b7a77c7995ee41b524e05d96de7618d886ba82fd31495e2f911869d91bace3e6c5597548b24ef8eb

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            643KB

            MD5

            10d803c03b2ec478a532deb9133f8166

            SHA1

            f199af33624481fe84f4924cac8fae2144159af1

            SHA256

            5a22ca08f6b141530f98bf8a9dbb2108e626eee4f82484b1a80513ee954a4f14

            SHA512

            33ce6066b93fadd399b8f83389d1b6edc99053c91d8522185e0768547f7a5622ecc317296d2ec06acb59db17350ccb43d6949eab633da4a92e4c65297313f81b

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            481KB

            MD5

            5f767bd3ffdbef363b72a13006391f50

            SHA1

            19dbdc2a5092f6581a7a531df5717752c736bab2

            SHA256

            d4e39627e447016054ae28f93f70ae3734415bea00759d63240432f7f82847b8

            SHA512

            3dfb04b17a7d97aa242629d9b122181f3288d92fe7023a8906d854ee2ab7aab27a8e16a7795c59403ec0a6ecbc9868ca659a246e6f60328825895d1fbc9ce8e5

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            770KB

            MD5

            6291e81da558e318ab93360d360aacf5

            SHA1

            8a94438b78e4403327d19cce4d3549052511c86d

            SHA256

            967ea301491c296910c15ad9a256af4243261cc0608fe67bb27039a1140311b3

            SHA512

            3ecc459eeeabd46742929ad25a7d5b9973f02ea70fc47a7cc2926dbf90407bee18bfcb7605394cb1a3e99b7da478d439b42d4177941d02553466c436b5fa9f79

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            542KB

            MD5

            5818fc4dd99c5a4e588d261220db82b7

            SHA1

            0870f5ce420f76ed0e66396d159c6b074e0ea21e

            SHA256

            631d4f6bb1d59821d0a8a9e6c7089c1fd46d44ffc0042eebc144668bef86a417

            SHA512

            a041d92b77c55e1d0381f8451cb543f1b1f80afcfd14429c2b7b82690b50c63420cdf5567ea8e737507fa42a00ab1f2973d70d7d1469e6bab5b61b3f00dfa3bd

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            582KB

            MD5

            d6223015ded76e77040965ed6491a509

            SHA1

            fc1cbb649313f6eaa929193deebb40edd8671c63

            SHA256

            a17e4430226d6fc1fca49caf4f74adfa3ba54ce6ec88fe8ce27acf2ec9e8915e

            SHA512

            17e4341d16accb95bfa565cd342da4b6f311d4152f3afd450e0f2c6065ac2953baa831ab1ecf1944df6e16c2073252b5cb6fd53f2e806390fa53c53d320ae433

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            696KB

            MD5

            71c52bef0ff7df8e85832ddef610d016

            SHA1

            03891360975cb14efdedb09882b1ed36e15e07dd

            SHA256

            d01a0ee5178283d7f18fb4a9e4826e12eda8160b4f6f5adf5651813837300b29

            SHA512

            69d212913e745ef3445878b8faf87ef233d3451f454c40beee985dba0c52535a9fecef095323b99b06774343774900423bc4dc393bd8dd6e99bb08d4062d4041

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            1018KB

            MD5

            c5a7139baa557af5030a20d2664f0bb8

            SHA1

            4e485ba135a06c97b580bd8acbf72510ac5b23d2

            SHA256

            621edef2fcb601b6572bc6f5b6f1c5b660d216c3748ec42d7b43815b2c0445a8

            SHA512

            91af4ebe9f55c4469b8455215a8191e9747ee958417d9b6af033ff10b2a33c43c5a47a406dc2f52edc7000cb8eb733ef9901e2a5869d75f59ed1903c8a2148ee

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            589KB

            MD5

            92dff693608c7b6b751950bef63eff73

            SHA1

            988841ec4d99443a4f1bde81b6a0691d87426ae1

            SHA256

            d17cfab43ede359fd611854048a77080d9083cd78c27ad5b6883333b7333689e

            SHA512

            af1408e76b5e2e4d0f38b149155b4338aa73976d46b4455748ac1fd87bff65bb3b81747a454fe2caed9c655692b9203d29374e9742e3c60f9eb43d4cc4df923d

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            263KB

            MD5

            8f1a39012a7db9ef468084fea1a97a73

            SHA1

            31363a902f18db82f9cb165d6713dd5158acfc77

            SHA256

            4c679901c55b6e674e128c96bca3916e97fb7e7c4c206caedbb8d4d5799bfe95

            SHA512

            4da560710ad4437d1c9285ed096e69ebbc4d0da6a001bfd6aa92ee7333a9b9200bc8c442f1c117e16176b54f3df68b68d7c800d553b55a002640672e84359f03

          • \Users\Admin\AppData\Local\Temp\ready\7z.dll

            Filesize

            829KB

            MD5

            6d806f416ddad629f99a51e86179e4ec

            SHA1

            d3fccd0022d31fb1be48c243a774d577f87469fe

            SHA256

            5cf11df592da7f035b4839a56f644eb5c07e2488635208f9333a3d5cec036523

            SHA512

            2ff397098879cabcc462315fa9676e494a24bbc576586e2674ced4ef6592f6340758c6ebc3a5718cd43fce96392eb4ae7074bead8c435d01678f2d166cc067df

          • \Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

          • \Users\Admin\AppData\Local\Temp\ready\7z.exe

            Filesize

            389KB

            MD5

            4416cb5f95548fb06371ab3df79238fb

            SHA1

            796963cae899260aab2b8e6f93f5c2d039dff2cc

            SHA256

            bfd6d0eee7bc984f20459d538efa183321d790627adcb0ae3fcf3b36283dd172

            SHA512

            524ed177f5ec0388482a485595c2c51f7b8229c1694a1420e6543d3883a3abfc69b4371126f775e0c8b20e08257bdef12aa4d0c4d15e64330673cd8e53d40a5d

          • memory/1016-99-0x0000000001230000-0x000000000124E000-memory.dmp

            Filesize

            120KB

          • memory/1016-100-0x0000000073E70000-0x000000007455E000-memory.dmp

            Filesize

            6.9MB

          • memory/1016-101-0x0000000001000000-0x0000000001040000-memory.dmp

            Filesize

            256KB

          • memory/1016-102-0x0000000073E70000-0x000000007455E000-memory.dmp

            Filesize

            6.9MB

          • memory/1016-103-0x0000000001000000-0x0000000001040000-memory.dmp

            Filesize

            256KB