Analysis
-
max time kernel: 142s
max time network: 173s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2024, 09:57
Static task: static1
Behavioral task: behavioral1
Sample: 58a192c56eff7d48740607232cea9d49.exe
Resource: win7-20231215-en
General
-
Target: 58a192c56eff7d48740607232cea9d49.exe
Size: 1.3MB
MD5: 58a192c56eff7d48740607232cea9d49
SHA1: 6bde1b43b0eabaa2151f5126c102eb3cc5dbb693
SHA256: 2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10
SHA512: cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff
SSDEEP: 6144:HgICFP7B/5KbOPSaCkSF0UcUm2m5haafXbQHtp5lICT+5Bj9hvKtmXmL+DV/bHMN:8Qi8lICT+5Bj9hkJ
Malware Config
Extracted
Family: redline
Botnet: proliv2
C2: 136.243.65.8:48715
Signatures
-
Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | 58a192c56eff7d48740607232cea9d49.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
resource | yara_rule
behavioral1/memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
-
SectopRAT payload 4 IoCs
resource | yara_rule
behavioral1/memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp | family_sectoprat
behavioral1/memory/2752-38-0x00000000024A0000-0x00000000024E0000-memory.dmp | family_sectoprat
-
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
-
Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe = "0" | 58a192c56eff7d48740607232cea9d49.exe
-
Nirsoft 1 IoCs
resource | yara_rule
behavioral1/files/0x000c000000015c85-7.dat | Nirsoft
-
Executes dropped EXE 2 IoCs
pid | Process
2032 | AdvancedRun.exe
2124 | AdvancedRun.exe
-
Loads dropped DLL 4 IoCs
pid | Process
1972 | 58a192c56eff7d48740607232cea9d49.exe
1972 | 58a192c56eff7d48740607232cea9d49.exe
2032 | AdvancedRun.exe
2032 | AdvancedRun.exe
-
Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe = "0" | 58a192c56eff7d48740607232cea9d49.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | 58a192c56eff7d48740607232cea9d49.exe
-
Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 58a192c56eff7d48740607232cea9d49.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1972 set thread context of 2720 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | 33
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid | Process
2032 | AdvancedRun.exe
2032 | AdvancedRun.exe
2124 | AdvancedRun.exe
2124 | AdvancedRun.exe
2688 | powershell.exe
2752 | powershell.exe
1972 | 58a192c56eff7d48740607232cea9d49.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2032 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2032 | AdvancedRun.exe
Token: SeDebugPrivilege | 2124 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 2124 | AdvancedRun.exe
Token: SeDebugPrivilege | 1972 | 58a192c56eff7d48740607232cea9d49.exe
Token: SeDebugPrivilege | 2688 | powershell.exe
Token: SeDebugPrivilege | 2752 | powershell.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target | entries
PID 1972 wrote to memory of 2032 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | 27 | 4
PID 2032 wrote to memory of 2124 | 2032 | AdvancedRun.exe | 28 | 4
PID 1972 wrote to memory of 2752 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | 31 | 4
PID 1972 wrote to memory of 2688 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | 30 | 4
PID 1972 wrote to memory of 2720 | 1972 | 58a192c56eff7d48740607232cea9d49.exe | 33 | 9
-
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 58a192c56eff7d48740607232cea9d49.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe"
    PID: 1972
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        PID: 2032
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /SpecialRun 4101d8 2032
            PID: 2124
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
        PID: 2688
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
        PID: 2752
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        PID: 2720
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: d1cc36485cb6fba97689fc69b1161af4
SHA1: f3e09510c6dd182c7aa6b6fb0951da3fddbcb83d
SHA256: 294396dab7915950df6a842c54f9fe313e81a431bcb2ea6eded3cb8cde2013b4
SHA512: 04d90139e213d96e2d84c7c5e34bed3a52a970d0f23197f9029ef9d2dd397cdf94dd6726c0e3e726b4f8f20a04880538d0a2d8e8691be14755142c03e3e5bc5b
-
Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a