Analysis

Max time kernel: 146s
Max time network: 148s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/01/2024, 18:47

Static task: static1
Behavioral task: behavioral1
Sample: 5738d596be68071de7786712b5410024.exe
Resource: win7-20231215-en

General

Target: 5738d596be68071de7786712b5410024.exe
Size: 2.3MB
MD5: 5738d596be68071de7786712b5410024
SHA1: 6245023401af7c614e5dcb61d657f41c17233ccd
SHA256: 03469423c7c63f0144fc8e3135db3efd65f0a15bbc80c374236792f820633310
SHA512: 93e08c9d3c194f4fa290113eb9bae836b79f512ae2b8a0c68430c3acd4ac170d1f6d47b2ff3ce0d673651afed388ad8206acd9856122b7d95972e8c9827d2668
SSDEEP: 49152:hYVPdezBnlW4Es4e3yIvLb59ou2cfJ6xiz8lVHTIioOFZQ+y:hkQlQ4tTP7xJ6xiqZ7y
Malware Config

Extracted config (family: redline):
- @janhidf
- 45.14.12.90:52072
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource:  behavioral2/memory/5040-83-0x00000000008E0000-0x00000000008FE000-memory.dmp
  yara_rule: family_redline

SectopRAT payload (1 IoC)
  resource:  behavioral2/memory/5040-83-0x00000000008E0000-0x00000000008FE000-memory.dmp
  yara_rule: family_sectoprat

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  process:     5738d596be68071de7786712b5410024.exe

Executes dropped EXE (12 IoCs)
  pid   process
  4644  7z.exe
  2840  7z.exe
  4376  7z.exe
  4488  7z.exe
  1700  7z.exe
  2144  7z.exe
  3132  7z.exe
  4888  7z.exe
  3360  7z.exe
  2632  7z.exe
  1072  7z.exe
  5040  janhidf.exe

Loads dropped DLL (11 IoCs)
  pid   process
  4644  7z.exe
  2840  7z.exe
  4376  7z.exe
  4488  7z.exe
  1700  7z.exe
  2144  7z.exe
  3132  7z.exe
  4888  7z.exe
  3360  7z.exe
  2632  7z.exe
  1072  7z.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  pid   process      tokens adjusted (in order)
  4644  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  2840  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  4376  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  4488  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  1700  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  2144  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  3132  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  4888  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  3360  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  2632  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  1072  7z.exe       SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
  5040  janhidf.exe  SeDebugPrivilege

Suspicious use of WriteProcessMemory (31 IoCs)
  description                        pid   process                               procid_target  entries
  PID 1408 wrote to memory of 1428   1408  5738d596be68071de7786712b5410024.exe  91             2
  PID 1428 wrote to memory of 3928   1428  cmd.exe                               94             2
  PID 1428 wrote to memory of 4644   1428  cmd.exe                               95             2
  PID 1428 wrote to memory of 2840   1428  cmd.exe                               108            2
  PID 1428 wrote to memory of 4376   1428  cmd.exe                               107            2
  PID 1428 wrote to memory of 4488   1428  cmd.exe                               96             2
  PID 1428 wrote to memory of 1700   1428  cmd.exe                               106            2
  PID 1428 wrote to memory of 2144   1428  cmd.exe                               105            2
  PID 1428 wrote to memory of 3132   1428  cmd.exe                               104            2
  PID 1428 wrote to memory of 4888   1428  cmd.exe                               103            2
  PID 1428 wrote to memory of 3360   1428  cmd.exe                               102            2
  PID 1428 wrote to memory of 2632   1428  cmd.exe                               97             2
  PID 1428 wrote to memory of 1072   1428  cmd.exe                               101            2
  PID 1428 wrote to memory of 4660   1428  cmd.exe                               100            2
  PID 1428 wrote to memory of 5040   1428  cmd.exe                               99             3

Views/modifies file attributes (1 TTP, 1 IoC)
  pid   process
  4660  attrib.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"
  PID: 1408
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
    PID: 1428
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID: 3928

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted
      PID: 4644
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_8.zip -oextracted
      PID: 4488
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      PID: 2632
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
      Command line: "janhidf.exe"
      PID: 5040
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Windows\system32\attrib.exe
      Command line: attrib +H "janhidf.exe"
      PID: 4660
      - Views/modifies file attributes

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      PID: 1072
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      PID: 3360
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      PID: 4888
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_5.zip -oextracted
      PID: 3132
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_6.zip -oextracted
      PID: 2144
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_7.zip -oextracted
      PID: 1700
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_9.zip -oextracted
      PID: 4376
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken

    Level 3: C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
      Command line: 7z.exe e extracted/file_10.zip -oextracted
      PID: 2840
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken