Analysis

  • max time kernel
    138s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
  • submitted
    13/01/2024, 05:50

General

  • Target
    5824addc5cace9168fb18810a557998d.exe
  • Size
    2.3MB
  • MD5
    5824addc5cace9168fb18810a557998d
  • SHA1
    f6578c7764eafd0f62027781e131e182cf840786
  • SHA256
    fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd
  • SHA512
    fd5722eb620fb181ba19be493baa27baaf2a6556575ab6a15b31bdd184a0de88d8e3407c141a4e87c52f37b117d82444ef50c477cd2e0398cfdc8e24a705f4f8
  • SSDEEP
    49152:M5+hFb9qaxBvTd8gNzZLNWT5VJtzFrzezgvGjo+WXxiz8lVHTIioOFZQ+/:M5aFb5kczTWT9tzFrKlhmxiqZ7/

Malware Config

Extracted

  • Family
    redline
  • Botnet
    @Makarenaq
  • C2
    45.14.49.109:21295

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 3 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
    "C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2740
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2824
  • C:\Windows\system32\attrib.exe
    attrib +H "build.exe"""
    1⤵
    • Views/modifies file attributes
    PID:1544
  • C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
    "build.exe"""
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: CmdExeWriteProcessMemorySpam
    • Suspicious use of AdjustPrivilegeToken
    PID:704
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2036
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2592
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2664
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2796
  • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
    7z.exe e file.zip -p -oextracted
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    PID:2744
  • C:\Windows\system32\mode.com
    mode 65,10
    1⤵
    PID:2788

Downloads
  • memory/704-66-0x0000000004330000-0x0000000004370000-memory.dmp
    Filesize
    256KB
  • memory/704-65-0x0000000074870000-0x0000000074F5E000-memory.dmp
    Filesize
    6.9MB
  • memory/704-64-0x0000000000C90000-0x0000000000CAE000-memory.dmp
    Filesize
    120KB
  • memory/704-67-0x0000000074870000-0x0000000074F5E000-memory.dmp
    Filesize
    6.9MB