Analysis
max time kernel: 142s
max time network: 173s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-01-2024 09:57
Static task: static1
Behavioral task: behavioral1
Sample: 58a192c56eff7d48740607232cea9d49.exe
Resource: win7-20231215-en
General
Target: 58a192c56eff7d48740607232cea9d49.exe
Size: 1.3MB
MD5: 58a192c56eff7d48740607232cea9d49
SHA1: 6bde1b43b0eabaa2151f5126c102eb3cc5dbb693
SHA256: 2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10
SHA512: cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff
SSDEEP: 6144:HgICFP7B/5KbOPSaCkSF0UcUm2m5haafXbQHtp5lICT+5Bj9hvKtmXmL+DV/bHMN:8Qi8lICT+5Bj9hkJ
Malware Config
Extracted
Family: redline
Botnet: proliv2
C2: 136.243.65.8:48715
Signatures

Modifies Windows Defender Real-time Protection settings (signature name taken from the process tree below)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 58a192c56eff7d48740607232cea9d49.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
SectopRAT payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2752-38-0x00000000024A0000-0x00000000024E0000-memory.dmp | family_sectoprat
UAC bypass (signature name taken from the process tree below)
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
Windows security bypass (signature name taken from the process tree below)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe = "0" | 58a192c56eff7d48740607232cea9d49.exe
Nirsoft 1 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe | Nirsoft
Executes dropped EXE 2 IoCs
Processes:
pid | process
2032 | AdvancedRun.exe
2124 | AdvancedRun.exe
Loads dropped DLL 4 IoCs
Processes:
pid | process
1972 | 58a192c56eff7d48740607232cea9d49.exe
1972 | 58a192c56eff7d48740607232cea9d49.exe
2032 | AdvancedRun.exe
2032 | AdvancedRun.exe
Windows security modification (signature name taken from the process tree below)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe = "0" | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | 58a192c56eff7d48740607232cea9d49.exe
Checks whether UAC is enabled (signature name taken from the process tree below)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1972 set thread context of 2720 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | jsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
pid | process
2032 | AdvancedRun.exe
2032 | AdvancedRun.exe
2124 | AdvancedRun.exe
2124 | AdvancedRun.exe
2688 | powershell.exe
2752 | powershell.exe
1972 | 58a192c56eff7d48740607232cea9d49.exe
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2032 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2032 | AdvancedRun.exe
Token: SeDebugPrivilege | 2124 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2124 | AdvancedRun.exe
Token: SeDebugPrivilege | 1972 | 58a192c56eff7d48740607232cea9d49.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description | pid | process | target process | occurrences
PID 1972 wrote to memory of 2032 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | AdvancedRun.exe | 4
PID 2032 wrote to memory of 2124 | 2032 | AdvancedRun.exe | AdvancedRun.exe | 4
PID 1972 wrote to memory of 2752 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | powershell.exe | 4
PID 1972 wrote to memory of 2688 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | powershell.exe | 4
PID 1972 wrote to memory of 2720 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | jsc.exe | 9
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
Processes

C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe"
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification

    C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /SpecialRun 4101d8 2032
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
- Create or Modify System Process (1)
- Windows Service (1)
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d1cc36485cb6fba97689fc69b1161af4
SHA1: f3e09510c6dd182c7aa6b6fb0951da3fddbcb83d
SHA256: 294396dab7915950df6a842c54f9fe313e81a431bcb2ea6eded3cb8cde2013b4
SHA512: 04d90139e213d96e2d84c7c5e34bed3a52a970d0f23197f9029ef9d2dd397cdf94dd6726c0e3e726b4f8f20a04880538d0a2d8e8691be14755142c03e3e5bc5b

\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Memory dumps (Filesize):
memory/1972-1-0x00000000749D0000-0x00000000750BE000-memory.dmp: 6.9MB
memory/1972-0-0x00000000000B0000-0x00000000001FC000-memory.dmp: 1.3MB
memory/1972-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp: 256KB
memory/1972-3-0x0000000000690000-0x0000000000708000-memory.dmp: 480KB
memory/1972-42-0x00000000749D0000-0x00000000750BE000-memory.dmp: 6.9MB
memory/2688-33-0x0000000002610000-0x0000000002650000-memory.dmp: 256KB
memory/2688-37-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2688-27-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2688-40-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2688-35-0x0000000002610000-0x0000000002650000-memory.dmp: 256KB
memory/2720-39-0x00000000749D0000-0x00000000750BE000-memory.dmp: 6.9MB
memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp: 128KB
memory/2720-43-0x00000000749D0000-0x00000000750BE000-memory.dmp: 6.9MB
memory/2720-44-0x0000000000A60000-0x0000000000AA0000-memory.dmp: 256KB
memory/2752-36-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2752-38-0x00000000024A0000-0x00000000024E0000-memory.dmp: 256KB
memory/2752-29-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2752-41-0x000000006FED0000-0x000000007047B000-memory.dmp: 5.7MB
memory/2752-31-0x00000000024A0000-0x00000000024E0000-memory.dmp: 256KB