Analysis
max time kernel: 154s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2024, 05:50

Static task: static1
Behavioral task: behavioral1
  Sample: 5824addc5cace9168fb18810a557998d.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5824addc5cace9168fb18810a557998d.exe
  Resource: win10v2004-20231215-en
General
Target: 5824addc5cace9168fb18810a557998d.exe
Size: 2.3MB
MD5: 5824addc5cace9168fb18810a557998d
SHA1: f6578c7764eafd0f62027781e131e182cf840786
SHA256: fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd
SHA512: fd5722eb620fb181ba19be493baa27baaf2a6556575ab6a15b31bdd184a0de88d8e3407c141a4e87c52f37b117d82444ef50c477cd2e0398cfdc8e24a705f4f8
SSDEEP: 49152:M5+hFb9qaxBvTd8gNzZLNWT5VJtzFrzezgvGjo+WXxiz8lVHTIioOFZQ+/:M5aFb5kczTWT9tzFrKlhmxiqZ7/
Malware Config
Extracted:
  redline
  @Makarenaq
  45.14.49.109:21295
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  resource: behavioral2/files/0x0006000000023218-50.dat  yara_rule: family_redline
  resource: behavioral2/memory/2132-54-0x0000000000400000-0x000000000041E000-memory.dmp  yara_rule: family_redline
- SectopRAT payload (2 IoCs)
  resource: behavioral2/files/0x0006000000023218-50.dat  yara_rule: family_sectoprat
  resource: behavioral2/memory/2132-54-0x0000000000400000-0x000000000041E000-memory.dmp  yara_rule: family_sectoprat
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
  Process: 5824addc5cace9168fb18810a557998d.exe
- Executes dropped EXE (7 IoCs)
  pid / Process: 3948 7z.exe, 416 7z.exe, 4620 7z.exe, 4252 7z.exe, 3044 7z.exe, 3668 7z.exe, 2132 build.exe
- Loads dropped DLL (6 IoCs)
  pid / Process: 3948 7z.exe, 416 7z.exe, 4620 7z.exe, 4252 7z.exe, 3044 7z.exe, 3668 7z.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   3948  7z.exe
  Token: 35                   3948  7z.exe
  Token: SeSecurityPrivilege  3948  7z.exe
  Token: SeSecurityPrivilege  3948  7z.exe
  Token: SeRestorePrivilege   416   7z.exe
  Token: 35                   416   7z.exe
  Token: SeSecurityPrivilege  416   7z.exe
  Token: SeSecurityPrivilege  416   7z.exe
  Token: SeRestorePrivilege   4620  7z.exe
  Token: 35                   4620  7z.exe
  Token: SeSecurityPrivilege  4620  7z.exe
  Token: SeSecurityPrivilege  4620  7z.exe
  Token: SeRestorePrivilege   4252  7z.exe
  Token: 35                   4252  7z.exe
  Token: SeSecurityPrivilege  4252  7z.exe
  Token: SeSecurityPrivilege  4252  7z.exe
  Token: SeRestorePrivilege   3044  7z.exe
  Token: 35                   3044  7z.exe
  Token: SeSecurityPrivilege  3044  7z.exe
  Token: SeSecurityPrivilege  3044  7z.exe
  Token: SeRestorePrivilege   3668  7z.exe
  Token: 35                   3668  7z.exe
  Token: SeSecurityPrivilege  3668  7z.exe
  Token: SeSecurityPrivilege  3668  7z.exe
  Token: SeDebugPrivilege     2132  build.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description                       pid   Process                               procid_target
  PID 4604 wrote to memory of 3388  4604  5824addc5cace9168fb18810a557998d.exe  91
  PID 4604 wrote to memory of 3388  4604  5824addc5cace9168fb18810a557998d.exe  91
  PID 3388 wrote to memory of 4736  3388  cmd.exe                               93
  PID 3388 wrote to memory of 4736  3388  cmd.exe                               93
  PID 3388 wrote to memory of 3948  3388  cmd.exe                               94
  PID 3388 wrote to memory of 3948  3388  cmd.exe                               94
  PID 3388 wrote to memory of 416   3388  cmd.exe                               95
  PID 3388 wrote to memory of 416   3388  cmd.exe                               95
  PID 3388 wrote to memory of 4620  3388  cmd.exe                               96
  PID 3388 wrote to memory of 4620  3388  cmd.exe                               96
  PID 3388 wrote to memory of 4252  3388  cmd.exe                               97
  PID 3388 wrote to memory of 4252  3388  cmd.exe                               97
  PID 3388 wrote to memory of 3044  3388  cmd.exe                               98
  PID 3388 wrote to memory of 3044  3388  cmd.exe                               98
  PID 3388 wrote to memory of 3668  3388  cmd.exe                               101
  PID 3388 wrote to memory of 3668  3388  cmd.exe                               101
  PID 3388 wrote to memory of 2808  3388  cmd.exe                               100
  PID 3388 wrote to memory of 2808  3388  cmd.exe                               100
  PID 3388 wrote to memory of 2132  3388  cmd.exe                               99
  PID 3388 wrote to memory of 2132  3388  cmd.exe                               99
  PID 3388 wrote to memory of 2132  3388  cmd.exe                               99
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid / Process: 2808 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
  PID: 4604
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
    PID: 3388
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com
      Command line: mode 65,10
      PID: 4736
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e file.zip -p -oextracted
      PID: 3948
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_5.zip -oextracted
      PID: 416
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_4.zip -oextracted
      PID: 4620
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_3.zip -oextracted
      PID: 4252
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_2.zip -oextracted
      PID: 3044
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
      Command line: "build.exe"""
      PID: 2132
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\attrib.exe
      Command line: attrib +H "build.exe"""
      PID: 2808
      Signatures: Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
      Command line: 7z.exe e extracted/file_1.zip -oextracted
      PID: 3668
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 243KB
  MD5: 3106aead3385431dfb7b721988e170c1
  SHA1: ea118631dd8b39d01436bdab216eb6e6f64cecad
  SHA256: 86954c3b19c12b7544524c384c009764625f5f73d93b2ddff7c1874694ec6767
  SHA512: 778d1b5269920211ee093b9091460d9636444d6c724f51ce9f8ab0597a8060c9fcb6868937dbd0409c178cabb192f1612a6f6c7ddbded2b2a6cff7577ad266d8
- Filesize: 174KB
  MD5: 6fc2d66a31dbe7c220740f67b9a78446
  SHA1: a0d99c03e5f7b295f3f9a16bcf4997fe32d8e5b0
  SHA256: 52b789686f4ebd770c5753fa8d3f6a79178189f68bcc0c77b6c94142e1756a8c
  SHA512: 7a9eb7301d04f1f3883892f09b1bc2a21a3d830837410cdb612da19beec970fac005cfd7a81d9cc231ae201025c60a08f4f339e5372087a65be9eae62ed82e5d
- Filesize: 88KB
  MD5: 99ad3c8da0219defebec5055eb5156a6
  SHA1: 0acedc3c5239eccb2d370537b30cdd894696126f
  SHA256: a94601caec8af183dac7e36d8ea8e81cf2f12f4f2e3b2e4ae6447ca476b6ae6e
  SHA512: 3ac3621afac898c4a9630a020e25b342e42c6b050b89f015290fad62928f43a98251c6ca6eb1b594c931b2c779fef5c7e7c6a2dd61b209e2c775a448142a3adf
- Filesize: 237KB
  MD5: 853fe0a01cd4a2c084b994e3de9b5d04
  SHA1: 859582d323692779f28da1adf4b250ef2733a408
  SHA256: 986d8fe9e773b9e103484618bb60d6802c7a9c9192bfc1deccb7e20e69fa265d
  SHA512: 9a9489894b9b62ad81029ce8765288e2ea5d0f7ac0cbdffeaab9c089f837ee1a3fcd2be56083d91db5a2db895de9c429fc162f2b0c3777c8ab4e09d95598ed94
- Filesize: 238KB
  MD5: 5ed0c1872a6c94b31ae3cccbea45dc3e
  SHA1: 17b9a252f26b77941b74d6eaf8da94bc1cead204
  SHA256: 7875069172719d2d1ebb2d5d656076b946a058b6a3ee6edce222c638be745ee9
  SHA512: d81ebcda3602b1c2a6e31975f27c1e53cd19ef7bf2c01d5a5e6c78f09b7ffbef0e9c449218ddd84bca60db7beeeebf14407a412c32a28c9782c3d2131cd9925e
- Filesize: 282KB
  MD5: 34e4a8246286929b1c1827358c1b14cf
  SHA1: 8a91b6272e68945707e3f307e076c0e736b339b0
  SHA256: 710ffba46739131673867faa35ab6488c39395cb7f254e788ea28ac03b8d362b
  SHA512: 0721153762c062e7c45b37440e492a6fdef8ad90ef51d0782ac06f5a5e04ae39a15c869164e39e1698b449e4eef0dc711d0cd0106406cc1188162b71bf4323a4
- Filesize: 249KB
  MD5: b0e2e6e782fc477e48a2a1ee0acb753b
  SHA1: 62fad9e245a7661d89daaf01427cc21b82506921
  SHA256: a83ecdcca5d65497b9d6c53530f29184ced10bdab6bafa97c727433d9e4b7bbf
  SHA512: f833376e8876a4d2bca61ce7cbbaff497395cf80ba38d0dc7a5300c3fd8afb34b7e5893cfa42eefe19edb78aaa0fff136b654b4b9592ebc6082dbac14b3ff425
- Filesize: 381KB
  MD5: 2dcff3a04cb4c1e9cf4d11eb603485cb
  SHA1: 50a37bbc50f15714bc69589d1fd263d269d2be75
  SHA256: 9b7dd38d09d05b5c1c92b495e7ef1a10e673998cf8ae6381128e5ce5f35d786e
  SHA512: 137628a35593e1011c36e18b3dad4494ec8bdfc6772616534aee31cf2d214c406f3cff8c8c9d53d96dc7ae564a48b96a106c7b491707cb46551583064a9fe5f7
- Filesize: 235KB
  MD5: f2fc35f8e523bd7fea8dd5b5e35d065d
  SHA1: bec86a0ad6e876603a6e510ae42fc90cfc2c9573
  SHA256: a975a7e8bd95d5a716c7c1a09f7da255b81eaa8c7743fd23e32d1f7c734543d4
  SHA512: 71d045befb79ab1fac6b4e352088d4e7fa60ffd611e226d9ddf7e38c828f833713a78c9e7167fc23d1daa3b96605b1235fa5b8c6f013c47c9aa75c04d1abb91d
- Filesize: 304KB
  MD5: 907a24cca3f4ecdaafdbc44de583e991
  SHA1: 7abcf97404a9f7d88ca98d6c3c3d1cc551ff2c67
  SHA256: 80ed4237c239f81f2e672854047aefe163b0692513fd0c268d703a27f12dabc6
  SHA512: 948505d3f5867f77d2602fb9fd5d4adc2e5dabd02c8315c9b9bfbd623056b9f7918c740134b89714a015efafe403a902aed7af423e07fdc519965662f43c084a
- Filesize: 416KB
  MD5: 436531a989f0f4f71d680c02afa93bd2
  SHA1: d6c38babc51d5a7823dec7b214adf16c17e902fc
  SHA256: 633fadc577209823ab29d3197d0e8442f7a3a695f348652687d10b6cd45e53d4
  SHA512: dff6cc2502318026d8fc1b961ec455ab0dd30d7987270b111f37d2e8868eb05cdd5894eaeae47f24cd23a894f44716d0e7d671979635372a988a7b072b9d9445
- Filesize: 245KB
  MD5: 2fc87fc7c838b7a1b298248f949af3b4
  SHA1: 8f525685a31195811545b40b2bb65b58db5a144c
  SHA256: 5ab69ed126b15337f376dc1a04ab0aa1f47f7d1b52dd0e265b01f917a9b97fa3
  SHA512: b6a1a2abb500abfff3b18c8beca193e22fb61c967f2a1be3e8a3ea3b015ea886e3ec8a7fd4f874a106aa8da34f551b75e70af12d1355edf508b389f6bff56ee6
- Filesize: 236KB
  MD5: 109ff78fdae41cc0a02cbb3cdc64ef28
  SHA1: d973c263d8910893f6cac14c77b23343f9c1445b
  SHA256: db4eb81bcfeb99b888aa340b9fc3ce1244cf72aa090bf14caf56bf3d49ae87df
  SHA512: 3971b1dd7241931c6e94e824e7da0da080b090e9ec4ddfaa9fea0f1dba37e4b0095447aa4b4298daa013416cac270945022d2f37bdca23753fbe19571df38f11
- Filesize: 213KB
  MD5: 659736d1295e7bcbf111267c0a522e7e
  SHA1: 9027624b3fbde81d8da8b9c6d8bee6ffbfd3b9b9
  SHA256: 508f8dfa3049115a13f19ccdbe5bebd123e700894f0b4bcf2083feacfb296b84
  SHA512: 974ce7c57c094c60541fd23c3a8bb2946fab12c23bcb93fa533e1e3baf376491db0c4e14136a0d1270c8ebf2e8b7da1baf3d96d13683f671e41dd8dee5480cb2
- Filesize: 161KB
  MD5: b6c5464b92816f3c4af70dd3b6ea48bd
  SHA1: a0754528f059c9076393438ee0ff1be4b72c71bb
  SHA256: 2c9fc7ff57d9289217f339644078f21903d5ec45fea5b00c7023668f76269aae
  SHA512: ec6a17aeb4ee780540fca628a0f7fd08fd1ffb6581e36d6a10ca5d6ed6107cb35767318fc4728669443272cfc074bfb2b05f14704f2d70d7213cd482f7aa6b2f
- Filesize: 92KB
  MD5: 840ce01435f45bd7cfb31949c5790443
  SHA1: 8ce20196db0eea2e1b04f575b8de95f1c09fc31e
  SHA256: 550d93df062facfe817ff3794e0703ce020c1c18fd21c4d9ebc92a96cba9f991
  SHA512: 117992191ad03e3016429b94d8ad8152527d1643197bdff60d7ec7fb8554d93613b0c3d9d892c64016426133dfefa2f0d14c280074a888b8ad1f9fcfe51b55c1
- Filesize: 38KB
  MD5: 580eab814576665d16a0faa6fff2bab6
  SHA1: dca3a9c3936179181c3b5e08926d4d02a43221d7
  SHA256: ee626cc556542301f01b701999b779f7cece5c8f133cdebf9bcd84012e0a0e19
  SHA512: 4e9e02b9b2ff37702e857032065f9672d18325884dfa69fa292a4f74b76dff3b564a0b0fbaf0f6492f10e0e31dc90b8e6ccea46ef635398a24c330e6049d8b5c
- Filesize: 38KB
  MD5: 1a1abb9d3c276d49b82533a01e5749de
  SHA1: 9afe72a88ef8416d4766765e849e4938db2cc347
  SHA256: 03b5c136ce10551c43bbb8e241481bb14528bc86dd9981b05dcb13f7257043b1
  SHA512: 7670ff5ca9fb150bdfb720b64ddb8b78c9899ea5022935a64de9f8e0e9f684110c347fb361122f20b46ee9c6feeba410f89012488f03d0a95a65748395d67bcd
- Filesize: 38KB
  MD5: 88353e8a3843ec7ea0bb8ede2a66b820
  SHA1: 12ad7b4843c9000a7c6fb3b4f0f7fbb61589cff4
  SHA256: d8126f64b41cd5ea9fd3e5e7b2d11b156006d12c11878be6f9af30ecb0ca70be
  SHA512: 86e954104e83a01203dd78b56df0dacccfb2b42f394bef98f2281406ae37729a53ebc91f5b08ea3a86bbeb222c3f72dcaef44a2d31d121ad987564a48c417870
- Filesize: 39KB
  MD5: 4551328bc2245d4635af4b457bf0ee61
  SHA1: 21c020d83ed6591496719587f4b8efe471cd1f10
  SHA256: 54fe8a83fc59379b6eb9ea6f5592bee6ac6eb238abdc878f5e526a8f51127522
  SHA512: 59205295b0acd34ea4d23bffe121fe0550f22d7c99e16e1d42989d3adbf3600c7f3dc90fa7283c3ec3c8118a276f1fec8205e8d8553a55459ec36398f99d4293
- Filesize: 91KB
  MD5: 90a6d11c3707ba1364c5720af0df689b
  SHA1: 7fbcf4152aef298c70450157130a42d049289a78
  SHA256: abe99cd56670d3e3f919742bd74edd9d0c67051405293190e03d74408aca1592
  SHA512: 51da79a50b5eb3c7c0e20b2b76659bf703c1ea64b3d126c8a0acea91ee0f42d3c564e63fea8e3d8bbfde5459e89e0f884ef51155c6b42ddba952196bf1b199c5
- Filesize: 1.1MB
  MD5: db146e678cb0230409098475c9e690dd
  SHA1: e1823eb225c041963915638eac72934bfb47273b
  SHA256: 1fc874d05d430c4dd9561cf9616755f5a1b3ce626cb4bc1cfbbeb8cef2533e85
  SHA512: 06e16cc98c44065a92bbd66fc17b3ee62d9c3235e4099a10f14c3fadeeb1fc86b6f6233d5425fbe2de35fba8c75a9f864999c9c40574e7de4ebf5c03d7c02f41
- Filesize: 447B
  MD5: b8d0fdde29b49c27a22b6d5418505832
  SHA1: 6d7e3ac153bc8d49ec2ae043095fd32cd7c57a69
  SHA256: 87651ba0e7d43c146d25f912afe049fd75ba8f62d32148001caf8c379a4e1002
  SHA512: 42aa76a3c602b1d65f38bf1a16ec83844fd6523f58df24e54f557b9cf07302cb568385ef079fac39c64b28dc6098925532270a74913b1f070b90f36ad46b8eb0