Overview

overview

10

Static

static

3

58a192c56e...49.exe

windows7-x64

10

58a192c56e...49.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    173s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-01-2024 09:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58a192c56eff7d48740607232cea9d49.exe

  • Size

    1.3MB

  • MD5

    58a192c56eff7d48740607232cea9d49

  • SHA1

    6bde1b43b0eabaa2151f5126c102eb3cc5dbb693

  • SHA256

    2bc19a1a48254b0ce6a30f471c0e870ceff05ef8ab66ce5d9bb4ecae869d3b10

  • SHA512

    cf97dfe3d719f05d0bbbeaf78d8e26cfe3234480e1ef98c1888b2bd316d04777c022f78d09b64f079d07a22520e7df3dc3b5eeba21346ac1f6b1eb464f78beff

  • SSDEEP

    6144:HgICFP7B/5KbOPSaCkSF0UcUm2m5haafXbQHtp5lICT+5Bj9hvKtmXmL+DV/bHMN:8Qi8lICT+5Bj9hkJ

Score
10/10
redlinesectopratproliv2evasioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

proliv2

C2

136.243.65.8:48715

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 4 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Nirsoft 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe
    "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe"
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • UAC bypass
    • Windows security bypass
    • Loads dropped DLL
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe" /SpecialRun 4101d8 2032
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\58a192c56eff7d48740607232cea9d49.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      2⤵
        PID:2720

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Defense Evasion

    Modify Registry

    5
    T1112

    Impair Defenses

    4
    T1562

    Disable or Modify Tools

    4
    T1562.001

    Abuse Elevation Control Mechanism

    1
    T1548

    Bypass User Account Control

    1
    T1548.002

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d1cc36485cb6fba97689fc69b1161af4

      SHA1

      f3e09510c6dd182c7aa6b6fb0951da3fddbcb83d

      SHA256

      294396dab7915950df6a842c54f9fe313e81a431bcb2ea6eded3cb8cde2013b4

      SHA512

      04d90139e213d96e2d84c7c5e34bed3a52a970d0f23197f9029ef9d2dd397cdf94dd6726c0e3e726b4f8f20a04880538d0a2d8e8691be14755142c03e3e5bc5b

      Download Submit
    • \Users\Admin\AppData\Local\Temp\498d14b0-df01-4eaf-96c4-d79157c26603\AdvancedRun.exe
      Filesize

      88KB

      MD5

      17fc12902f4769af3a9271eb4e2dacce

      SHA1

      9a4a1581cc3971579574f837e110f3bd6d529dab

      SHA256

      29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

      SHA512

      036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

      Download Submit
    • memory/1972-1-0x00000000749D0000-0x00000000750BE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1972-0-0x00000000000B0000-0x00000000001FC000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1972-2-0x0000000004AC0000-0x0000000004B00000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1972-3-0x0000000000690000-0x0000000000708000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1972-42-0x00000000749D0000-0x00000000750BE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2688-33-0x0000000002610000-0x0000000002650000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2688-37-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2688-27-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2688-40-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2688-35-0x0000000002610000-0x0000000002650000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2720-39-0x00000000749D0000-0x00000000750BE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2720-30-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2720-34-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2720-26-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/2720-43-0x00000000749D0000-0x00000000750BE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2720-44-0x0000000000A60000-0x0000000000AA0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2752-36-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2752-38-0x00000000024A0000-0x00000000024E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2752-29-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2752-41-0x000000006FED0000-0x000000007047B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2752-31-0x00000000024A0000-0x00000000024E0000-memory.dmp
      Filesize

      256KB

      Download