Overview

overview

7

Static

static

3

2. RedGian...ir.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    33s
  • max time network
    39s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/01/2024, 06:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2. RedGiant Activation Service Unlocker_Downloadly.ir.exe

  • Size

    5.4MB

  • MD5

    af5c350cc0f7e4f2bbd39a9cc706fe10

  • SHA1

    77e563d392a8de25053d6db2a26fa2924fc22710

  • SHA256

    71c1f5f4ad3e24e0bbaf5943a191f4dd7c49b80c14633593e7cb38d0ef9d4c3a

  • SHA512

    f8c37e3039df7f860e693a06d784472f61e30a1dbe4242f53e16f20387a0b666cc35bb640aecb0aa7c2168844cc79c4dd93a08ba230811ec7446f65772e952ca

  • SSDEEP

    98304:lSiSXHx6vD5XtXkNoSr8kvZ16/wit4cFEk76g8W5Zje3M0ea245o:Igxt06O8kbD+EhgNTe3sIo

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2. RedGiant Activation Service Unlocker_Downloadly.ir.exe
    "C:\Users\Admin\AppData\Local\Temp\2. RedGiant Activation Service Unlocker_Downloadly.ir.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1388
    • C:\Users\Admin\AppData\Local\Temp\is-4SD9F.tmp\2. RedGiant Activation Service Unlocker_Downloadly.ir.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-4SD9F.tmp\2. RedGiant Activation Service Unlocker_Downloadly.ir.tmp" /SL5="$5016C,4730505,799744,C:\Users\Admin\AppData\Local\Temp\2. RedGiant Activation Service Unlocker_Downloadly.ir.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2324
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" stop "Red Giant Service"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4608
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "Red Giant Service"
          4⤵
            PID:2736
        • C:\Windows\system32\timeout.exe
          "timeout" /T 1 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:1304
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" stop mxredirect
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3280
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop mxredirect
            4⤵
              PID:392
          • C:\Windows\system32\taskkill.exe
            "C:\Windows\system32\taskkill.exe" /f /im "RGContentService.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\system32\taskkill.exe
            "C:\Windows\system32\taskkill.exe" /f /im "MxNotify.exe"
            3⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:1168
          • C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\deep.exe
            "C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\deep.exe" /verysilent
            3⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3620
            • C:\Users\Admin\AppData\Local\Temp\is-ESSP7.tmp\deep.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-ESSP7.tmp\deep.tmp" /SL5="$6023C,3584401,799744,C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\deep.exe" /verysilent
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:4568
              • C:\Windows\system32\taskkill.exe
                "C:\Windows\system32\taskkill.exe" /f /im maxon.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4264
          • C:\Windows\system32\net.exe
            "C:\Windows\system32\net.exe" start "Red Giant Service"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4448
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 start "Red Giant Service"
              4⤵
                PID:1656

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-4SD9F.tmp\2. RedGiant Activation Service Unlocker_Downloadly.ir.tmp
          Filesize

          3.0MB

          MD5

          d09b1325888beea51e5bcb494a35f409

          SHA1

          0445b94e631d095077732c5e8be06ea8fe65b750

          SHA256

          d03d365124865647889e1b75ae68dad5fd216b3c8448de8ebeb826e05c689bfe

          SHA512

          142ab50d024d670f3c968587cda784a443982ee242482654cb566d8c81c05c2688323a9264fbedba16a88e792943a810f7a74f82313d91f5a556860cf10d139d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\_isetup\_iscrypt.dll
          Filesize

          2KB

          MD5

          a69559718ab506675e907fe49deb71e9

          SHA1

          bc8f404ffdb1960b50c12ff9413c893b56f2e36f

          SHA256

          2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

          SHA512

          e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\deep.exe
          Filesize

          786KB

          MD5

          c2f0a5fb0ef70ecdb216ac2863047084

          SHA1

          440f45beae96bbc4fd353995cc43033a5f5a1a0f

          SHA256

          11c081d7396d731cc66999a5ba00704a5dc92767082df171a76ac24173d65fda

          SHA512

          7eaba91ba23328fefb2c0a6e5a3b30a513f0875501a3aa4e3193019b31fbf701ad6984d274422a7b10275af7781d19ac000f0b545b6308b80e0a25643f5f3424

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-I6DPV.tmp\deep.exe
          Filesize

          532KB

          MD5

          e1d2059218159ff56a8a2af3fd39ffd1

          SHA1

          162f67210c7c8eebf10d79452d2d3aa101ce8329

          SHA256

          be142ac886d9bda7872fc70ae284ecfc466946ecc6bd7345b12f5e45077e6773

          SHA512

          c8b3e40f3b1cfc7de23e94a5d0d2781132c0b35ad2e29f677c7da1a7ea58ceca01ae339add3350820d9c04e63d36daa53d231648b1e1e6e97af02dd2e757547c

          Download Submit

        • memory/1388-0-0x0000000000400000-0x00000000004D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/1388-39-0x0000000000400000-0x00000000004D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/2324-5-0x0000000002800000-0x0000000002801000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2324-37-0x0000000000400000-0x0000000000709000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/3620-17-0x0000000000400000-0x00000000004D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/3620-34-0x0000000000400000-0x00000000004D1000-memory.dmp

          Filesize

          836KB

          Download

        • memory/4568-23-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4568-32-0x0000000000400000-0x0000000000709000-memory.dmp

          Filesize

          3.0MB

          Download