Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    13/01/2024, 16:12

General

  • Target

    5928745f1d5cab62de613b4c5f558df1.exe

  • Size

    2.3MB

  • MD5

    5928745f1d5cab62de613b4c5f558df1

  • SHA1

    4a511b360df83b69f9144e6fb23f3ea0b133ccfd

  • SHA256

    10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466

  • SHA512

    e81ce51d581ac136d5884730a8af696f006ddc2e6d6f334cfab9195f6db5e1f75adcddd53a6d4ebed60753e45cd65d19a15f25886b3dd3a988f5794b4e71df9a

  • SSDEEP

    49152:/5+hFVRTb0i5i+7baItMOV861aT0Sxiz8lVHTIioOFZQ+A:/5aFVSi5B7OICOV83ISxiqZ7A

Malware Config

Extracted

Family

redline

Botnet

@lovefuckwithyourmom

C2

xetadycami.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 4 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
    "C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2772
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:2764
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e file.zip -p -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2672
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2732
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\system32\attrib.exe
          attrib +H "@lovefuckwithyourmom.exe"
          3⤵
          • Views/modifies file attributes
          PID:2124
        • C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
          "@lovefuckwithyourmom.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of AdjustPrivilegeToken
          PID:2612
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2588

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            390KB

            MD5

            e7937dd57b97cefa8983a76e784a8f9c

            SHA1

            bf5f1c9d615b0309357fdf5b4c8a1017210d24c7

            SHA256

            624050639c0943244b253e7371ce0770f0ac27ec23736e7699d4924e03cb2b50

            SHA512

            0f147d3afd70aac0e8fe325f5b33d149443583973b00dc3865b6b3aeec0127957a9c2eb9a5beb15f7151034b04d84bca3307148eff1bc283c8198447750fc574

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            311KB

            MD5

            86d15c117cd9e112c658d5dae6ebbaad

            SHA1

            eb26dd6256282600d581fa0ff9b4b8392133b4c8

            SHA256

            00552e1ec01089fc17e6e363b9daaca689a07063e9582cc253d735a4ee37d76d

            SHA512

            a25d378af9a348a5de91e1bdd838b05f86aa1a80a980f16761be6222883ed52154c6157bf537d012bb921fe7939feed7db79607972b26b1f0ee930ea3bb72b6f

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            377KB

            MD5

            df991835b44cdf4a49813b2470bed70e

            SHA1

            f5a3aec8b312db18663d5c9eb231c3632cfeb867

            SHA256

            91a9aa869359f01e8078163e33a04a299fb6a3d57d255a79116e5f7a46e8068a

            SHA512

            1303b76c7186329149b8215f987e9a35a9bb50ed2525d392173dd15063971c2cc2b54d3e1c5ba954d1044ac8891e29290afd71eff932b681e35015537b80dd26

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            281KB

            MD5

            0ef2ed03ea1507ce522d8a8189e22cf9

            SHA1

            e83646afdf8c96fed1212784e013561793def91c

            SHA256

            49cc8266f73dd2a8771fb6ffcc6d77522ad8a78e37d8dc50afe06153a53f9e38

            SHA512

            1fc16f9bfb6e3d8aab79c544e06c25c2ff0387c6b117934d4d78d0dd5706afc98a2c854e1114723b95bab7a93d47e27951b2cec0829171fab1098c340d6d940c

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            183KB

            MD5

            7a6ff8658b727035517d2364f3c3d330

            SHA1

            dac86fc03309964b32f9c929060df3cd920c26eb

            SHA256

            9a83666f30fa552e95ccec8072fecbd16f6cc293ecd0a1bdd798fdb0b0a02588

            SHA512

            32b5acda35a99551da599fd4835ae95d28e306b4acddd4ab6592345d37b5444da01784ed0064137dfe6e87c49474eed5b72b42e124098c0e345f9e8f85469b4a

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            150KB

            MD5

            fafd0a4a565be90cee0b1e7f3a7b27a6

            SHA1

            7c99b311f30d9a2247f7a72cbf6c0b376a5ee64c

            SHA256

            0e47473107c2d8f9578cfdc6a977de769d35ad4d234184acd7088936c97844fd

            SHA512

            243c84e6c2dd61916b8b3d4f626ccbd73ba52946c03e275ba26924075cbb7ed302ca24a5c148e51dd69f985a0e40991920e17f3798e8f05074ccd6795da0694b

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\@lovefuckwithyourmom.exe

            Filesize

            100KB

            MD5

            f715021bca8947192b494a037ddae36b

            SHA1

            d2a70a50a0258a7d471d3f8043808f962282fc7e

            SHA256

            3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62

            SHA512

            ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

            Filesize

            195KB

            MD5

            634d6c3f5f2db3c90c31bd36cb840181

            SHA1

            523f20c550bcebf938f883913001feca14d12233

            SHA256

            841f9f9d31efcc110ad8ba8a550e285ba5398c322fe20d0843db23a9c027079a

            SHA512

            41c02f3d2293a775fbbc1c45b355155a89dafa62b1c8b38a0d9935c248545c9944c8d36ac4b1b58139785bdec2280d4cbdc8f5357b6187635f181755362aaa0c

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

            Filesize

            40KB

            MD5

            f8fdd24daf1aa469ac0e32e9b1459ab6

            SHA1

            23dd9dd5b626c364a964cf583b045c8197b12d74

            SHA256

            e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949

            SHA512

            05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

            Filesize

            40KB

            MD5

            9679f15a03e532c442b86b99d901637f

            SHA1

            43e4579628d2201dc556ebf4d29464fb777e2238

            SHA256

            487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1

            SHA512

            8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

            Filesize

            40KB

            MD5

            9082560582b613a65120dcde6c3c4897

            SHA1

            e8d50dfc85abe2aa00a51d917f35487c25e711c4

            SHA256

            3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704

            SHA512

            180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

            Filesize

            361KB

            MD5

            d2512657ddd302bf130294d2fb0e0de7

            SHA1

            42bf5e5c89945fa328960fd5357d69513ed80223

            SHA256

            b70df0fb66a696e92dbc92e519b105befcd34f9f0c0c01b8986b2deff2294bce

            SHA512

            addfaab755b1ce4b0e2941bfaee6cc33ee616885daf07e7abd0874aa82b8118d6e84ef9a03bd05e4b08ea6dc5babbb0dc8506b2adac459929ff51c6cce6d4dc4

          • C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

            Filesize

            1.5MB

            MD5

            0c4d8185c244c378dd2635dd5e842235

            SHA1

            79bed7df4511237ce5a9571dae2819b4ffe88001

            SHA256

            23afd877f0a4f916f69f778ad94a90a1c615625a8c55645a13285040590fec32

            SHA512

            c663c849b0b305ee1b40c46d4c2605640e89ba5af218f41f0d61c0248de1b74eb4bb6240dac2e1ffd5bc85884fa75af4d04adb0f7aa5601a5d5350415c6c9347

          • C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

            Filesize

            512B

            MD5

            14ed47f526671c43880f44b6c4b6fc83

            SHA1

            687323418a481503326bf7daf95ce722adcfbec4

            SHA256

            7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9

            SHA512

            212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c

          • \Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            323KB

            MD5

            ede747df5a8ff1072cd7a76ec4460015

            SHA1

            30b0322866df61c3b0fec85a069085c6c18f2eba

            SHA256

            43db1dba9645809a890effb4303404c528601a576ef78cac58ef23c7cd52fc44

            SHA512

            e0393b5075e0e017079ecf4373ec879ba93a184318aa89ea6c576726debe936418573190db951eafb32930cf690642da7c1eeb61ce04e797c1e098043c4c9474

          • \Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            271KB

            MD5

            37f21b197d07387261fc6c728e2562d2

            SHA1

            63a019358f9eb1caa0bd5927f3847e0150be0e4e

            SHA256

            779735a446e61fdb5773925a8ea9c21e468562ccc66d5d18953cb28ceb883a3f

            SHA512

            f9a0590bee7559a3ce4edb386192baedd12c454ed8de5ebc686363b4fed507693a14215ad55819648651b7b27c92b72c3e02bae6fdf85a6755606552043ca8bc

          • \Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            129KB

            MD5

            a9556a9583021f75ca2567bc98b5f28e

            SHA1

            5af46dcd462b4ae84632e929693a547cdf04c1ea

            SHA256

            21f50574ee333fcc187659ed0ffa8cfe8fc62a272442a56ef24902f77df29057

            SHA512

            90c133d03f0904f44da501162bd531b62f2d4b985474cdb190e6a39c1ce52a9d7e6ba9db8fc780d6e99fa3888e25dea572fd814595609f90571b6d8d353fd9df

          • \Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            211KB

            MD5

            91d23974b3b147cf00786ff79be1fbb6

            SHA1

            ec4f7f9db4ca98084cd56b04fc5d8a3b7428c0d2

            SHA256

            d80c2d9352b15cba2747ee7d0dfdc85dbf7bd43a3b8ef7407ff671cc3c3762ff

            SHA512

            5d3fedb74ac6acdbfba520c540a19ee5b7790b489681a62938b8df78714f29e7681845e4cf53a2d3158d48af8d53c2e607ccf905faf71d424b330f21244a6d8a

          • \Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            152KB

            MD5

            01b4d7a25878352f6099baf08ffc4e98

            SHA1

            00f135b1f057aaf13c7de98f2ccf4eee83a6c538

            SHA256

            554b10a2d4487368d996c035c09fd521d25df2f411659abd03aff9ed91f4e641

            SHA512

            8a7a5e249bd2fb6c678c52bc25dca4a4d7ff9e16e962ca0dfb6d0c02b4ca27688b0163c7a146e87310d7c3b70235e5357a095a56a7c1f0024c5d31e036dd3e33

          • \Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            437KB

            MD5

            fd3639e8268a12e045750a3bea2e94c0

            SHA1

            ed32180613c3335e9e0e365b48947a1d8871966e

            SHA256

            fa5499591946494e41a6e63230af10c327beab1cda4cf9bfa571d342a66bcb65

            SHA512

            108b1bf31f6b4fe967c6a429188ae0e73f6e83018eaacc2b419bb521b02bfdd520fd02cb251c09c734e6b6896aad960d132bdbd1ad2859fcc0c23d4c54b62173

          • \Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            246KB

            MD5

            6e55341c9a0ce67ba366176da388aa04

            SHA1

            e794ecd906a9687daaf6b63e50bd9b45a69d594d

            SHA256

            b9a8642098cba990aefc2b297c70d491f956e3b29e63f1ca91c416d39f6f97c5

            SHA512

            8709af88259c3132c95d2cdd966ed24a257de0ff0acee7628a9c119c87e70489491c58abef0e352a26ca6867fc2ad97f587085b7a2d0741af939eb7b2e9aebcc

          • \Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            227KB

            MD5

            3640c9c0bbccb95531eee53bd6f49e33

            SHA1

            2d174c44091c73b5d486cc6a513d8d64580b20df

            SHA256

            24e2c8f03c401e5195e5de727fd1b5dc675992301b6d344a38906d813a9efa0d

            SHA512

            dee29fc01a00d165863b8cd2ace6f9f5f3f533a3da34869eb7b201cdfdffce4b96741b7d7cd38d9c46ccde278fe553eb33125bb49d38ab3edc51f155be405ea5

          • \Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            229KB

            MD5

            92d3f23ea3013eb5288fa129258a95d1

            SHA1

            e1678a1e7b6bed32deb57eaa8bd50ec208a00a3b

            SHA256

            a18cd1947980cfe11a62838ab8fb46b5392099eb8f3311375e0105a5b7838fd7

            SHA512

            f8899a1440157385e7f34c2d3935a200caf51426a2387ccee00cd4d4d9c794a34703a688b51b5c370534afce00d159488f226c483145ec8047e8988750e9f015

          • \Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            136KB

            MD5

            af5233f6d4c806ecc112ee4b7623e4f8

            SHA1

            53dcfd03b40a0dc7a6491745cfbeb8db23e3113c

            SHA256

            c7722d8aad2e6a1d1c300d057c3674a894fac996bbf78feba48bfabf4214ae41

            SHA512

            1181c1c0b4c7ef6464bf5d0be164601b3ad8c21b50ea7c1dc33fa60f0f629b7a4d1f8f2ff15298536e4c5b4a720d6d321e289e92cffe2b7a880e874ed6a1be84

          • memory/2612-58-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/2612-57-0x0000000000BB0000-0x0000000000BCE000-memory.dmp

            Filesize

            120KB

          • memory/2612-59-0x0000000000B40000-0x0000000000B80000-memory.dmp

            Filesize

            256KB

          • memory/2612-60-0x00000000749D0000-0x00000000750BE000-memory.dmp

            Filesize

            6.9MB

          • memory/2612-61-0x0000000000B40000-0x0000000000B80000-memory.dmp

            Filesize

            256KB