Analysis
- max time kernel: 138s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 13/01/2024, 05:50
Static task: static1
Behavioral task: behavioral1
- Sample: 5824addc5cace9168fb18810a557998d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 5824addc5cace9168fb18810a557998d.exe
- Resource: win10v2004-20231215-en
General
- Target: 5824addc5cace9168fb18810a557998d.exe
- Size: 2.3MB
- MD5: 5824addc5cace9168fb18810a557998d
- SHA1: f6578c7764eafd0f62027781e131e182cf840786
- SHA256: fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd
- SHA512: fd5722eb620fb181ba19be493baa27baaf2a6556575ab6a15b31bdd184a0de88d8e3407c141a4e87c52f37b117d82444ef50c477cd2e0398cfdc8e24a705f4f8
- SSDEEP: 49152:M5+hFb9qaxBvTd8gNzZLNWT5VJtzFrzezgvGjo+WXxiz8lVHTIioOFZQ+/:M5aFb5kczTWT9tzFrKlhmxiqZ7/
Malware Config
Extracted: redline
- @Makarenaq
- 45.14.49.109:21295
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource: yara_rule
- behavioral1/files/0x0006000000016cdf-63.dat: family_redline
- behavioral1/memory/704-64-0x0000000000C90000-0x0000000000CAE000-memory.dmp: family_redline
- behavioral1/files/0x0006000000016cdf-61.dat: family_redline
-
SectopRAT payload 3 IoCs
resource: yara_rule
- behavioral1/files/0x0006000000016cdf-63.dat: family_sectoprat
- behavioral1/memory/704-64-0x0000000000C90000-0x0000000000CAE000-memory.dmp: family_sectoprat
- behavioral1/files/0x0006000000016cdf-61.dat: family_sectoprat
-
Executes dropped EXE 7 IoCs
pid: Process
- 2744: 7z.exe
- 2824: 7z.exe
- 2796: 7z.exe
- 2664: 7z.exe
- 2592: 7z.exe
- 2036: 7z.exe
- 704: build.exe
-
Loads dropped DLL 12 IoCs
pid: Process
- 2740: cmd.exe
- 2744: 7z.exe
- 2740: cmd.exe
- 2824: 7z.exe
- 2740: cmd.exe
- 2796: 7z.exe
- 2740: cmd.exe
- 2664: 7z.exe
- 2740: cmd.exe
- 2592: 7z.exe
- 2740: cmd.exe
- 2036: 7z.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid: Process
- 704: build.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
description, pid, Process
- Token: SeRestorePrivilege, 2744, 7z.exe
- Token: 35, 2744, 7z.exe
- Token: SeSecurityPrivilege, 2744, 7z.exe
- Token: SeSecurityPrivilege, 2744, 7z.exe
- Token: SeRestorePrivilege, 2824, 7z.exe
- Token: 35, 2824, 7z.exe
- Token: SeSecurityPrivilege, 2824, 7z.exe
- Token: SeSecurityPrivilege, 2824, 7z.exe
- Token: SeRestorePrivilege, 2796, 7z.exe
- Token: 35, 2796, 7z.exe
- Token: SeSecurityPrivilege, 2796, 7z.exe
- Token: SeSecurityPrivilege, 2796, 7z.exe
- Token: SeRestorePrivilege, 2664, 7z.exe
- Token: 35, 2664, 7z.exe
- Token: SeSecurityPrivilege, 2664, 7z.exe
- Token: SeSecurityPrivilege, 2664, 7z.exe
- Token: SeRestorePrivilege, 2592, 7z.exe
- Token: 35, 2592, 7z.exe
- Token: SeSecurityPrivilege, 2592, 7z.exe
- Token: SeSecurityPrivilege, 2592, 7z.exe
- Token: SeRestorePrivilege, 2036, 7z.exe
- Token: 35, 2036, 7z.exe
- Token: SeSecurityPrivilege, 2036, 7z.exe
- Token: SeSecurityPrivilege, 2036, 7z.exe
- Token: SeDebugPrivilege, 704, build.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
description, pid, Process, procid_target
- PID 1248 wrote to memory of 2740, 1248, 5824addc5cace9168fb18810a557998d.exe, 37
- PID 1248 wrote to memory of 2740, 1248, 5824addc5cace9168fb18810a557998d.exe, 37
- PID 1248 wrote to memory of 2740, 1248, 5824addc5cace9168fb18810a557998d.exe, 37
- PID 1248 wrote to memory of 2740, 1248, 5824addc5cace9168fb18810a557998d.exe, 37
- PID 2740 wrote to memory of 2788, 2740, cmd.exe, 35
- PID 2740 wrote to memory of 2788, 2740, cmd.exe, 35
- PID 2740 wrote to memory of 2788, 2740, cmd.exe, 35
- PID 2740 wrote to memory of 2744, 2740, cmd.exe, 34
- PID 2740 wrote to memory of 2744, 2740, cmd.exe, 34
- PID 2740 wrote to memory of 2744, 2740, cmd.exe, 34
- PID 2740 wrote to memory of 2824, 2740, cmd.exe, 27
- PID 2740 wrote to memory of 2824, 2740, cmd.exe, 27
- PID 2740 wrote to memory of 2824, 2740, cmd.exe, 27
- PID 2740 wrote to memory of 2796, 2740, cmd.exe, 33
- PID 2740 wrote to memory of 2796, 2740, cmd.exe, 33
- PID 2740 wrote to memory of 2796, 2740, cmd.exe, 33
- PID 2740 wrote to memory of 2664, 2740, cmd.exe, 32
- PID 2740 wrote to memory of 2664, 2740, cmd.exe, 32
- PID 2740 wrote to memory of 2664, 2740, cmd.exe, 32
- PID 2740 wrote to memory of 2592, 2740, cmd.exe, 31
- PID 2740 wrote to memory of 2592, 2740, cmd.exe, 31
- PID 2740 wrote to memory of 2592, 2740, cmd.exe, 31
- PID 2740 wrote to memory of 2036, 2740, cmd.exe, 30
- PID 2740 wrote to memory of 2036, 2740, cmd.exe, 30
- PID 2740 wrote to memory of 2036, 2740, cmd.exe, 30
- PID 2740 wrote to memory of 1544, 2740, cmd.exe, 28
- PID 2740 wrote to memory of 1544, 2740, cmd.exe, 28
- PID 2740 wrote to memory of 1544, 2740, cmd.exe, 28
- PID 2740 wrote to memory of 704, 2740, cmd.exe, 29
- PID 2740 wrote to memory of 704, 2740, cmd.exe, 29
- PID 2740 wrote to memory of 704, 2740, cmd.exe, 29
- PID 2740 wrote to memory of 704, 2740, cmd.exe, 29
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid: Process
- 1544: attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
- Suspicious use of WriteProcessMemory
PID: 1248
-
C:\Windows\system32\cmd.exe
Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2740
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e extracted/file_5.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2824
-
C:\Windows\system32\attrib.exe
Command line: attrib +H "build.exe"""
- Views/modifies file attributes
PID: 1544
-
C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
Command line: "build.exe"""
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID: 704
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e extracted/file_1.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2036
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e extracted/file_2.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2592
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e extracted/file_3.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2664
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e extracted/file_4.zip -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2796
-
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
Command line: 7z.exe e file.zip -p -oextracted
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID: 2744
-
C:\Windows\system32\mode.com
Command line: mode 65,10
PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads