Analysis

  • max time kernel
    142s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/01/2024, 09:57

General

  • Target

    58a192c56eff7d48740607232cea9d49.exe

  • Size

    1.3MB

  • MD5

    58a192c56eff7d48740607232cea9d49

  • SHA1

    6bde1b43b0eabaa2151f5126c102eb3cc5dbb693

  • SHA256

    2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10

  • SHA512

    cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff

  • SSDEEP

    6144:HgICFP7B/5KbOPSaCkSF0UcUm2m5haafXbQHtp5lICT+5Bj9hvKtmXmL+DV/bHMN:8Qi8lICT+5Bj9hkJ

Malware Config

Extracted

Family

redline

Botnet

proliv2

C2

136.243.65.8:48715

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Nirsoft 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe
    "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /SpecialRun 4101d8 2032
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      2⤵
        PID:2720

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

            Filesize

            7KB

            MD5

            d1cc36485cb6fba97689fc69b1161af4

            SHA1

            f3e09510c6dd182c7aa6b6fb0951da3fddbcb83d

            SHA256

            294396dab7915950df6a842c54f9fe313e81a431bcb2ea6eded3cb8cde2013b4

            SHA512

            04d90139e213d96e2d84c7c5e34bed3a52a970d0f23197f9029ef9d2dd397cdf94dd6726c0e3e726b4f8f20a04880538d0a2d8e8691be14755142c03e3e5bc5b

          • \Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe

            Filesize

            88KB

            MD5

            17fc12902f4769af3a9271eb4e2dacce

            SHA1

            9a4a1581cc3971579574f837e110f3bd6d529dab

            SHA256

            29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

            SHA512

            036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

          • memory/1972-1-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/1972-0-0x00000000000B0000-0x00000000001FC000-memory.dmp

            Filesize

            1.3MB

          • memory/1972-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp

            Filesize

            256KB

          • memory/1972-3-0x0000000000690000-0x0000000000708000-memory.dmp

            Filesize

            480KB

          • memory/1972-42-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/2688-33-0x0000000002610000-0x0000000002650000-memory.dmp

            Filesize

            256KB

          • memory/2688-37-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2688-27-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2688-40-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2688-35-0x0000000002610000-0x0000000002650000-memory.dmp

            Filesize

            256KB

          • memory/2720-39-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

          • memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

          • memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp

            Filesize

            128KB

          • memory/2720-43-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/2720-44-0x0000000000A60000-0x0000000000AA0000-memory.dmp

            Filesize

            256KB

          • memory/2752-36-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2752-38-0x00000000024A0000-0x00000000024E0000-memory.dmp

            Filesize

            256KB

          • memory/2752-29-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2752-41-0x000000006FED0000-0x000000007047B000-memory.dmp

            Filesize

            5.7MB

          • memory/2752-31-0x00000000024A0000-0x00000000024E0000-memory.dmp

            Filesize

            256KB