Analysis

  • max time kernel
    154s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2024, 05:50

General

  • Target

    5824addc5cace9168fb18810a557998d.exe

  • Size

    2.3MB

  • MD5

    5824addc5cace9168fb18810a557998d

  • SHA1

    f6578c7764eafd0f62027781e131e182cf840786

  • SHA256

    fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd

  • SHA512

    fd5722eb620fb181ba19be493baa27baaf2a6556575ab6a15b31bdd184a0de88d8e3407c141a4e87c52f37b117d82444ef50c477cd2e0398cfdc8e24a705f4f8

  • SSDEEP

    49152:M5+hFb9qaxBvTd8gNzZLNWT5VJtzFrzezgvGjo+WXxiz8lVHTIioOFZQ+/:M5aFb5kczTWT9tzFrKlhmxiqZ7/

Malware Config

Extracted

Family

redline

Botnet

@Makarenaq

C2

45.14.49.109:21295

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
    "C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:4736
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e file.zip -p -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3948
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_5.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:416
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4620
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4252
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3044
        • C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
          "build.exe"""
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2132
        • C:\Windows\system32\attrib.exe
          attrib +H "build.exe"""
          3⤵
          • Views/modifies file attributes
          PID:2808
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3668

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            243KB

            MD5

            3106aead3385431dfb7b721988e170c1

            SHA1

            ea118631dd8b39d01436bdab216eb6e6f64cecad

            SHA256

            86954c3b19c12b7544524c384c009764625f5f73d93b2ddff7c1874694ec6767

            SHA512

            778d1b5269920211ee093b9091460d9636444d6c724f51ce9f8ab0597a8060c9fcb6868937dbd0409c178cabb192f1612a6f6c7ddbded2b2a6cff7577ad266d8

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            174KB

            MD5

            6fc2d66a31dbe7c220740f67b9a78446

            SHA1

            a0d99c03e5f7b295f3f9a16bcf4997fe32d8e5b0

            SHA256

            52b789686f4ebd770c5753fa8d3f6a79178189f68bcc0c77b6c94142e1756a8c

            SHA512

            7a9eb7301d04f1f3883892f09b1bc2a21a3d830837410cdb612da19beec970fac005cfd7a81d9cc231ae201025c60a08f4f339e5372087a65be9eae62ed82e5d

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            88KB

            MD5

            99ad3c8da0219defebec5055eb5156a6

            SHA1

            0acedc3c5239eccb2d370537b30cdd894696126f

            SHA256

            a94601caec8af183dac7e36d8ea8e81cf2f12f4f2e3b2e4ae6447ca476b6ae6e

            SHA512

            3ac3621afac898c4a9630a020e25b342e42c6b050b89f015290fad62928f43a98251c6ca6eb1b594c931b2c779fef5c7e7c6a2dd61b209e2c775a448142a3adf

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            237KB

            MD5

            853fe0a01cd4a2c084b994e3de9b5d04

            SHA1

            859582d323692779f28da1adf4b250ef2733a408

            SHA256

            986d8fe9e773b9e103484618bb60d6802c7a9c9192bfc1deccb7e20e69fa265d

            SHA512

            9a9489894b9b62ad81029ce8765288e2ea5d0f7ac0cbdffeaab9c089f837ee1a3fcd2be56083d91db5a2db895de9c429fc162f2b0c3777c8ab4e09d95598ed94

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            238KB

            MD5

            5ed0c1872a6c94b31ae3cccbea45dc3e

            SHA1

            17b9a252f26b77941b74d6eaf8da94bc1cead204

            SHA256

            7875069172719d2d1ebb2d5d656076b946a058b6a3ee6edce222c638be745ee9

            SHA512

            d81ebcda3602b1c2a6e31975f27c1e53cd19ef7bf2c01d5a5e6c78f09b7ffbef0e9c449218ddd84bca60db7beeeebf14407a412c32a28c9782c3d2131cd9925e

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            282KB

            MD5

            34e4a8246286929b1c1827358c1b14cf

            SHA1

            8a91b6272e68945707e3f307e076c0e736b339b0

            SHA256

            710ffba46739131673867faa35ab6488c39395cb7f254e788ea28ac03b8d362b

            SHA512

            0721153762c062e7c45b37440e492a6fdef8ad90ef51d0782ac06f5a5e04ae39a15c869164e39e1698b449e4eef0dc711d0cd0106406cc1188162b71bf4323a4

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            249KB

            MD5

            b0e2e6e782fc477e48a2a1ee0acb753b

            SHA1

            62fad9e245a7661d89daaf01427cc21b82506921

            SHA256

            a83ecdcca5d65497b9d6c53530f29184ced10bdab6bafa97c727433d9e4b7bbf

            SHA512

            f833376e8876a4d2bca61ce7cbbaff497395cf80ba38d0dc7a5300c3fd8afb34b7e5893cfa42eefe19edb78aaa0fff136b654b4b9592ebc6082dbac14b3ff425

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            381KB

            MD5

            2dcff3a04cb4c1e9cf4d11eb603485cb

            SHA1

            50a37bbc50f15714bc69589d1fd263d269d2be75

            SHA256

            9b7dd38d09d05b5c1c92b495e7ef1a10e673998cf8ae6381128e5ce5f35d786e

            SHA512

            137628a35593e1011c36e18b3dad4494ec8bdfc6772616534aee31cf2d214c406f3cff8c8c9d53d96dc7ae564a48b96a106c7b491707cb46551583064a9fe5f7

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            235KB

            MD5

            f2fc35f8e523bd7fea8dd5b5e35d065d

            SHA1

            bec86a0ad6e876603a6e510ae42fc90cfc2c9573

            SHA256

            a975a7e8bd95d5a716c7c1a09f7da255b81eaa8c7743fd23e32d1f7c734543d4

            SHA512

            71d045befb79ab1fac6b4e352088d4e7fa60ffd611e226d9ddf7e38c828f833713a78c9e7167fc23d1daa3b96605b1235fa5b8c6f013c47c9aa75c04d1abb91d

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            304KB

            MD5

            907a24cca3f4ecdaafdbc44de583e991

            SHA1

            7abcf97404a9f7d88ca98d6c3c3d1cc551ff2c67

            SHA256

            80ed4237c239f81f2e672854047aefe163b0692513fd0c268d703a27f12dabc6

            SHA512

            948505d3f5867f77d2602fb9fd5d4adc2e5dabd02c8315c9b9bfbd623056b9f7918c740134b89714a015efafe403a902aed7af423e07fdc519965662f43c084a

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            416KB

            MD5

            436531a989f0f4f71d680c02afa93bd2

            SHA1

            d6c38babc51d5a7823dec7b214adf16c17e902fc

            SHA256

            633fadc577209823ab29d3197d0e8442f7a3a695f348652687d10b6cd45e53d4

            SHA512

            dff6cc2502318026d8fc1b961ec455ab0dd30d7987270b111f37d2e8868eb05cdd5894eaeae47f24cd23a894f44716d0e7d671979635372a988a7b072b9d9445

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            245KB

            MD5

            2fc87fc7c838b7a1b298248f949af3b4

            SHA1

            8f525685a31195811545b40b2bb65b58db5a144c

            SHA256

            5ab69ed126b15337f376dc1a04ab0aa1f47f7d1b52dd0e265b01f917a9b97fa3

            SHA512

            b6a1a2abb500abfff3b18c8beca193e22fb61c967f2a1be3e8a3ea3b015ea886e3ec8a7fd4f874a106aa8da34f551b75e70af12d1355edf508b389f6bff56ee6

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            236KB

            MD5

            109ff78fdae41cc0a02cbb3cdc64ef28

            SHA1

            d973c263d8910893f6cac14c77b23343f9c1445b

            SHA256

            db4eb81bcfeb99b888aa340b9fc3ce1244cf72aa090bf14caf56bf3d49ae87df

            SHA512

            3971b1dd7241931c6e94e824e7da0da080b090e9ec4ddfaa9fea0f1dba37e4b0095447aa4b4298daa013416cac270945022d2f37bdca23753fbe19571df38f11

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            213KB

            MD5

            659736d1295e7bcbf111267c0a522e7e

            SHA1

            9027624b3fbde81d8da8b9c6d8bee6ffbfd3b9b9

            SHA256

            508f8dfa3049115a13f19ccdbe5bebd123e700894f0b4bcf2083feacfb296b84

            SHA512

            974ce7c57c094c60541fd23c3a8bb2946fab12c23bcb93fa533e1e3baf376491db0c4e14136a0d1270c8ebf2e8b7da1baf3d96d13683f671e41dd8dee5480cb2

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

            Filesize

            161KB

            MD5

            b6c5464b92816f3c4af70dd3b6ea48bd

            SHA1

            a0754528f059c9076393438ee0ff1be4b72c71bb

            SHA256

            2c9fc7ff57d9289217f339644078f21903d5ec45fea5b00c7023668f76269aae

            SHA512

            ec6a17aeb4ee780540fca628a0f7fd08fd1ffb6581e36d6a10ca5d6ed6107cb35767318fc4728669443272cfc074bfb2b05f14704f2d70d7213cd482f7aa6b2f

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe

            Filesize

            92KB

            MD5

            840ce01435f45bd7cfb31949c5790443

            SHA1

            8ce20196db0eea2e1b04f575b8de95f1c09fc31e

            SHA256

            550d93df062facfe817ff3794e0703ce020c1c18fd21c4d9ebc92a96cba9f991

            SHA512

            117992191ad03e3016429b94d8ad8152527d1643197bdff60d7ec7fb8554d93613b0c3d9d892c64016426133dfefa2f0d14c280074a888b8ad1f9fcfe51b55c1

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

            Filesize

            38KB

            MD5

            580eab814576665d16a0faa6fff2bab6

            SHA1

            dca3a9c3936179181c3b5e08926d4d02a43221d7

            SHA256

            ee626cc556542301f01b701999b779f7cece5c8f133cdebf9bcd84012e0a0e19

            SHA512

            4e9e02b9b2ff37702e857032065f9672d18325884dfa69fa292a4f74b76dff3b564a0b0fbaf0f6492f10e0e31dc90b8e6ccea46ef635398a24c330e6049d8b5c

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

            Filesize

            38KB

            MD5

            1a1abb9d3c276d49b82533a01e5749de

            SHA1

            9afe72a88ef8416d4766765e849e4938db2cc347

            SHA256

            03b5c136ce10551c43bbb8e241481bb14528bc86dd9981b05dcb13f7257043b1

            SHA512

            7670ff5ca9fb150bdfb720b64ddb8b78c9899ea5022935a64de9f8e0e9f684110c347fb361122f20b46ee9c6feeba410f89012488f03d0a95a65748395d67bcd

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

            Filesize

            38KB

            MD5

            88353e8a3843ec7ea0bb8ede2a66b820

            SHA1

            12ad7b4843c9000a7c6fb3b4f0f7fbb61589cff4

            SHA256

            d8126f64b41cd5ea9fd3e5e7b2d11b156006d12c11878be6f9af30ecb0ca70be

            SHA512

            86e954104e83a01203dd78b56df0dacccfb2b42f394bef98f2281406ae37729a53ebc91f5b08ea3a86bbeb222c3f72dcaef44a2d31d121ad987564a48c417870

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

            Filesize

            39KB

            MD5

            4551328bc2245d4635af4b457bf0ee61

            SHA1

            21c020d83ed6591496719587f4b8efe471cd1f10

            SHA256

            54fe8a83fc59379b6eb9ea6f5592bee6ac6eb238abdc878f5e526a8f51127522

            SHA512

            59205295b0acd34ea4d23bffe121fe0550f22d7c99e16e1d42989d3adbf3600c7f3dc90fa7283c3ec3c8118a276f1fec8205e8d8553a55459ec36398f99d4293

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip

            Filesize

            91KB

            MD5

            90a6d11c3707ba1364c5720af0df689b

            SHA1

            7fbcf4152aef298c70450157130a42d049289a78

            SHA256

            abe99cd56670d3e3f919742bd74edd9d0c67051405293190e03d74408aca1592

            SHA512

            51da79a50b5eb3c7c0e20b2b76659bf703c1ea64b3d126c8a0acea91ee0f42d3c564e63fea8e3d8bbfde5459e89e0f884ef51155c6b42ddba952196bf1b199c5

          • C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

            Filesize

            1.1MB

            MD5

            db146e678cb0230409098475c9e690dd

            SHA1

            e1823eb225c041963915638eac72934bfb47273b

            SHA256

            1fc874d05d430c4dd9561cf9616755f5a1b3ce626cb4bc1cfbbeb8cef2533e85

            SHA512

            06e16cc98c44065a92bbd66fc17b3ee62d9c3235e4099a10f14c3fadeeb1fc86b6f6233d5425fbe2de35fba8c75a9f864999c9c40574e7de4ebf5c03d7c02f41

          • C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

            Filesize

            447B

            MD5

            b8d0fdde29b49c27a22b6d5418505832

            SHA1

            6d7e3ac153bc8d49ec2ae043095fd32cd7c57a69

            SHA256

            87651ba0e7d43c146d25f912afe049fd75ba8f62d32148001caf8c379a4e1002

            SHA512

            42aa76a3c602b1d65f38bf1a16ec83844fd6523f58df24e54f557b9cf07302cb568385ef079fac39c64b28dc6098925532270a74913b1f070b90f36ad46b8eb0

          • memory/2132-55-0x0000000005340000-0x0000000005958000-memory.dmp

            Filesize

            6.1MB

          • memory/2132-54-0x0000000000400000-0x000000000041E000-memory.dmp

            Filesize

            120KB

          • memory/2132-53-0x0000000073340000-0x0000000073AF0000-memory.dmp

            Filesize

            7.7MB

          • memory/2132-56-0x0000000004C80000-0x0000000004C92000-memory.dmp

            Filesize

            72KB

          • memory/2132-57-0x0000000004D20000-0x0000000004D5C000-memory.dmp

            Filesize

            240KB

          • memory/2132-58-0x0000000004D10000-0x0000000004D20000-memory.dmp

            Filesize

            64KB

          • memory/2132-59-0x0000000004CA0000-0x0000000004CEC000-memory.dmp

            Filesize

            304KB

          • memory/2132-60-0x0000000004F90000-0x000000000509A000-memory.dmp

            Filesize

            1.0MB

          • memory/2132-61-0x0000000073340000-0x0000000073AF0000-memory.dmp

            Filesize

            7.7MB

          • memory/2132-62-0x0000000004D10000-0x0000000004D20000-memory.dmp

            Filesize

            64KB