Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13/01/2024, 16:12

Static task: static1
Behavioral task: behavioral1
  Sample: 5928745f1d5cab62de613b4c5f558df1.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 5928745f1d5cab62de613b4c5f558df1.exe
  Resource: win10v2004-20231215-en
General
Target: 5928745f1d5cab62de613b4c5f558df1.exe
Size: 2.3MB
MD5: 5928745f1d5cab62de613b4c5f558df1
SHA1: 4a511b360df83b69f9144e6fb23f3ea0b133ccfd
SHA256: 10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466
SHA512: e81ce51d581ac136d5884730a8af696f006ddc2e6d6f334cfab9195f6db5e1f75adcddd53a6d4ebed60753e45cd65d19a15f25886b3dd3a988f5794b4e71df9a
SSDEEP: 49152:/5+hFVRTb0i5i+7baItMOV861aT0Sxiz8lVHTIioOFZQ+A:/5aFVSi5B7OICOV83ISxiqZ7A
Malware Config
Extracted
redline
@lovefuckwithyourmom
xetadycami.xyz:80
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x0006000000014a45-54.dat                                   family_redline
behavioral1/memory/2612-57-0x0000000000BB0000-0x0000000000BCE000-memory.dmp   family_redline
behavioral1/memory/2612-59-0x0000000000B40000-0x0000000000B80000-memory.dmp   family_redline

SectopRAT payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x0006000000014a45-54.dat                                   family_sectoprat
behavioral1/memory/2612-57-0x0000000000BB0000-0x0000000000BCE000-memory.dmp   family_sectoprat
behavioral1/memory/2612-59-0x0000000000B40000-0x0000000000B80000-memory.dmp   family_sectoprat
behavioral1/memory/2612-61-0x0000000000B40000-0x0000000000B80000-memory.dmp   family_sectoprat

Executes dropped EXE (6 IoCs)
pid    Process
2672   7z.exe
2800   7z.exe
2592   7z.exe
2732   7z.exe
2588   7z.exe
2612   @lovefuckwithyourmom.exe

Loads dropped DLL (10 IoCs)
pid    Process
2772   cmd.exe
2672   7z.exe
2772   cmd.exe
2800   7z.exe
2772   cmd.exe
2592   7z.exe
2772   cmd.exe
2732   7z.exe
2772   cmd.exe
2588   7z.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
pid    Process
2612   @lovefuckwithyourmom.exe

Suspicious use of AdjustPrivilegeToken (21 IoCs)
description                   pid    Process
Token: SeRestorePrivilege     2672   7z.exe
Token: 35                     2672   7z.exe
Token: SeSecurityPrivilege    2672   7z.exe
Token: SeSecurityPrivilege    2672   7z.exe
Token: SeRestorePrivilege     2800   7z.exe
Token: 35                     2800   7z.exe
Token: SeSecurityPrivilege    2800   7z.exe
Token: SeSecurityPrivilege    2800   7z.exe
Token: SeRestorePrivilege     2592   7z.exe
Token: 35                     2592   7z.exe
Token: SeSecurityPrivilege    2592   7z.exe
Token: SeSecurityPrivilege    2592   7z.exe
Token: SeRestorePrivilege     2732   7z.exe
Token: 35                     2732   7z.exe
Token: SeSecurityPrivilege    2732   7z.exe
Token: SeSecurityPrivilege    2732   7z.exe
Token: SeRestorePrivilege     2588   7z.exe
Token: 35                     2588   7z.exe
Token: SeSecurityPrivilege    2588   7z.exe
Token: SeSecurityPrivilege    2588   7z.exe
Token: SeDebugPrivilege       2612   @lovefuckwithyourmom.exe

Suspicious use of WriteProcessMemory (29 IoCs)
description                        pid    Process                                 procid_target
PID 1936 wrote to memory of 2772   1936   5928745f1d5cab62de613b4c5f558df1.exe    28
PID 1936 wrote to memory of 2772   1936   5928745f1d5cab62de613b4c5f558df1.exe    28
PID 1936 wrote to memory of 2772   1936   5928745f1d5cab62de613b4c5f558df1.exe    28
PID 1936 wrote to memory of 2772   1936   5928745f1d5cab62de613b4c5f558df1.exe    28
PID 2772 wrote to memory of 2764   2772   cmd.exe                                 30
PID 2772 wrote to memory of 2764   2772   cmd.exe                                 30
PID 2772 wrote to memory of 2764   2772   cmd.exe                                 30
PID 2772 wrote to memory of 2672   2772   cmd.exe                                 31
PID 2772 wrote to memory of 2672   2772   cmd.exe                                 31
PID 2772 wrote to memory of 2672   2772   cmd.exe                                 31
PID 2772 wrote to memory of 2800   2772   cmd.exe                                 32
PID 2772 wrote to memory of 2800   2772   cmd.exe                                 32
PID 2772 wrote to memory of 2800   2772   cmd.exe                                 32
PID 2772 wrote to memory of 2592   2772   cmd.exe                                 34
PID 2772 wrote to memory of 2592   2772   cmd.exe                                 34
PID 2772 wrote to memory of 2592   2772   cmd.exe                                 34
PID 2772 wrote to memory of 2732   2772   cmd.exe                                 33
PID 2772 wrote to memory of 2732   2772   cmd.exe                                 33
PID 2772 wrote to memory of 2732   2772   cmd.exe                                 33
PID 2772 wrote to memory of 2588   2772   cmd.exe                                 38
PID 2772 wrote to memory of 2588   2772   cmd.exe                                 38
PID 2772 wrote to memory of 2588   2772   cmd.exe                                 38
PID 2772 wrote to memory of 2124   2772   cmd.exe                                 35
PID 2772 wrote to memory of 2124   2772   cmd.exe                                 35
PID 2772 wrote to memory of 2124   2772   cmd.exe                                 35
PID 2772 wrote to memory of 2612   2772   cmd.exe                                 37
PID 2772 wrote to memory of 2612   2772   cmd.exe                                 37
PID 2772 wrote to memory of 2612   2772   cmd.exe                                 37
PID 2772 wrote to memory of 2612   2772   cmd.exe                                 37

Views/modifies file attributes (1 TTPs, 1 IoCs)
pid    Process
2124   attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
    PID: 1936
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      PID: 2772
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\mode.com
        Command line: mode 65,10
        PID: 2764

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
        Command line: 7z.exe e file.zip -p -oextracted
        PID: 2672
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
        Command line: 7z.exe e extracted/file_4.zip -oextracted
        PID: 2800
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
        Command line: 7z.exe e extracted/file_2.zip -oextracted
        PID: 2732
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
        Command line: 7z.exe e extracted/file_3.zip -oextracted
        PID: 2592
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +H "@lovefuckwithyourmom.exe"
        PID: 2124
        - Views/modifies file attributes

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
        Command line: "@lovefuckwithyourmom.exe"
        PID: 2612
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
        Command line: 7z.exe e extracted/file_1.zip -oextracted
        PID: 2588
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 390KB
MD5: e7937dd57b97cefa8983a76e784a8f9c
SHA1: bf5f1c9d615b0309357fdf5b4c8a1017210d24c7
SHA256: 624050639c0943244b253e7371ce0770f0ac27ec23736e7699d4924e03cb2b50
SHA512: 0f147d3afd70aac0e8fe325f5b33d149443583973b00dc3865b6b3aeec0127957a9c2eb9a5beb15f7151034b04d84bca3307148eff1bc283c8198447750fc574

Filesize: 458KB
MD5: 619f7135621b50fd1900ff24aade1524
SHA1: 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256: 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512: 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Filesize: 311KB
MD5: 86d15c117cd9e112c658d5dae6ebbaad
SHA1: eb26dd6256282600d581fa0ff9b4b8392133b4c8
SHA256: 00552e1ec01089fc17e6e363b9daaca689a07063e9582cc253d735a4ee37d76d
SHA512: a25d378af9a348a5de91e1bdd838b05f86aa1a80a980f16761be6222883ed52154c6157bf537d012bb921fe7939feed7db79607972b26b1f0ee930ea3bb72b6f

Filesize: 377KB
MD5: df991835b44cdf4a49813b2470bed70e
SHA1: f5a3aec8b312db18663d5c9eb231c3632cfeb867
SHA256: 91a9aa869359f01e8078163e33a04a299fb6a3d57d255a79116e5f7a46e8068a
SHA512: 1303b76c7186329149b8215f987e9a35a9bb50ed2525d392173dd15063971c2cc2b54d3e1c5ba954d1044ac8891e29290afd71eff932b681e35015537b80dd26

Filesize: 281KB
MD5: 0ef2ed03ea1507ce522d8a8189e22cf9
SHA1: e83646afdf8c96fed1212784e013561793def91c
SHA256: 49cc8266f73dd2a8771fb6ffcc6d77522ad8a78e37d8dc50afe06153a53f9e38
SHA512: 1fc16f9bfb6e3d8aab79c544e06c25c2ff0387c6b117934d4d78d0dd5706afc98a2c854e1114723b95bab7a93d47e27951b2cec0829171fab1098c340d6d940c

Filesize: 183KB
MD5: 7a6ff8658b727035517d2364f3c3d330
SHA1: dac86fc03309964b32f9c929060df3cd920c26eb
SHA256: 9a83666f30fa552e95ccec8072fecbd16f6cc293ecd0a1bdd798fdb0b0a02588
SHA512: 32b5acda35a99551da599fd4835ae95d28e306b4acddd4ab6592345d37b5444da01784ed0064137dfe6e87c49474eed5b72b42e124098c0e345f9e8f85469b4a

Filesize: 150KB
MD5: fafd0a4a565be90cee0b1e7f3a7b27a6
SHA1: 7c99b311f30d9a2247f7a72cbf6c0b376a5ee64c
SHA256: 0e47473107c2d8f9578cfdc6a977de769d35ad4d234184acd7088936c97844fd
SHA512: 243c84e6c2dd61916b8b3d4f626ccbd73ba52946c03e275ba26924075cbb7ed302ca24a5c148e51dd69f985a0e40991920e17f3798e8f05074ccd6795da0694b

Filesize: 100KB
MD5: f715021bca8947192b494a037ddae36b
SHA1: d2a70a50a0258a7d471d3f8043808f962282fc7e
SHA256: 3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62
SHA512: ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f

Filesize: 195KB
MD5: 634d6c3f5f2db3c90c31bd36cb840181
SHA1: 523f20c550bcebf938f883913001feca14d12233
SHA256: 841f9f9d31efcc110ad8ba8a550e285ba5398c322fe20d0843db23a9c027079a
SHA512: 41c02f3d2293a775fbbc1c45b355155a89dafa62b1c8b38a0d9935c248545c9944c8d36ac4b1b58139785bdec2280d4cbdc8f5357b6187635f181755362aaa0c

Filesize: 40KB
MD5: f8fdd24daf1aa469ac0e32e9b1459ab6
SHA1: 23dd9dd5b626c364a964cf583b045c8197b12d74
SHA256: e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949
SHA512: 05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba

Filesize: 40KB
MD5: 9679f15a03e532c442b86b99d901637f
SHA1: 43e4579628d2201dc556ebf4d29464fb777e2238
SHA256: 487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1
SHA512: 8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236

Filesize: 40KB
MD5: 9082560582b613a65120dcde6c3c4897
SHA1: e8d50dfc85abe2aa00a51d917f35487c25e711c4
SHA256: 3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704
SHA512: 180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f

Filesize: 361KB
MD5: d2512657ddd302bf130294d2fb0e0de7
SHA1: 42bf5e5c89945fa328960fd5357d69513ed80223
SHA256: b70df0fb66a696e92dbc92e519b105befcd34f9f0c0c01b8986b2deff2294bce
SHA512: addfaab755b1ce4b0e2941bfaee6cc33ee616885daf07e7abd0874aa82b8118d6e84ef9a03bd05e4b08ea6dc5babbb0dc8506b2adac459929ff51c6cce6d4dc4

Filesize: 1.5MB
MD5: 0c4d8185c244c378dd2635dd5e842235
SHA1: 79bed7df4511237ce5a9571dae2819b4ffe88001
SHA256: 23afd877f0a4f916f69f778ad94a90a1c615625a8c55645a13285040590fec32
SHA512: c663c849b0b305ee1b40c46d4c2605640e89ba5af218f41f0d61c0248de1b74eb4bb6240dac2e1ffd5bc85884fa75af4d04adb0f7aa5601a5d5350415c6c9347

Filesize: 512B
MD5: 14ed47f526671c43880f44b6c4b6fc83
SHA1: 687323418a481503326bf7daf95ce722adcfbec4
SHA256: 7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9
SHA512: 212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c

Filesize: 323KB
MD5: ede747df5a8ff1072cd7a76ec4460015
SHA1: 30b0322866df61c3b0fec85a069085c6c18f2eba
SHA256: 43db1dba9645809a890effb4303404c528601a576ef78cac58ef23c7cd52fc44
SHA512: e0393b5075e0e017079ecf4373ec879ba93a184318aa89ea6c576726debe936418573190db951eafb32930cf690642da7c1eeb61ce04e797c1e098043c4c9474

Filesize: 271KB
MD5: 37f21b197d07387261fc6c728e2562d2
SHA1: 63a019358f9eb1caa0bd5927f3847e0150be0e4e
SHA256: 779735a446e61fdb5773925a8ea9c21e468562ccc66d5d18953cb28ceb883a3f
SHA512: f9a0590bee7559a3ce4edb386192baedd12c454ed8de5ebc686363b4fed507693a14215ad55819648651b7b27c92b72c3e02bae6fdf85a6755606552043ca8bc

Filesize: 129KB
MD5: a9556a9583021f75ca2567bc98b5f28e
SHA1: 5af46dcd462b4ae84632e929693a547cdf04c1ea
SHA256: 21f50574ee333fcc187659ed0ffa8cfe8fc62a272442a56ef24902f77df29057
SHA512: 90c133d03f0904f44da501162bd531b62f2d4b985474cdb190e6a39c1ce52a9d7e6ba9db8fc780d6e99fa3888e25dea572fd814595609f90571b6d8d353fd9df

Filesize: 211KB
MD5: 91d23974b3b147cf00786ff79be1fbb6
SHA1: ec4f7f9db4ca98084cd56b04fc5d8a3b7428c0d2
SHA256: d80c2d9352b15cba2747ee7d0dfdc85dbf7bd43a3b8ef7407ff671cc3c3762ff
SHA512: 5d3fedb74ac6acdbfba520c540a19ee5b7790b489681a62938b8df78714f29e7681845e4cf53a2d3158d48af8d53c2e607ccf905faf71d424b330f21244a6d8a

Filesize: 152KB
MD5: 01b4d7a25878352f6099baf08ffc4e98
SHA1: 00f135b1f057aaf13c7de98f2ccf4eee83a6c538
SHA256: 554b10a2d4487368d996c035c09fd521d25df2f411659abd03aff9ed91f4e641
SHA512: 8a7a5e249bd2fb6c678c52bc25dca4a4d7ff9e16e962ca0dfb6d0c02b4ca27688b0163c7a146e87310d7c3b70235e5357a095a56a7c1f0024c5d31e036dd3e33

Filesize: 437KB
MD5: fd3639e8268a12e045750a3bea2e94c0
SHA1: ed32180613c3335e9e0e365b48947a1d8871966e
SHA256: fa5499591946494e41a6e63230af10c327beab1cda4cf9bfa571d342a66bcb65
SHA512: 108b1bf31f6b4fe967c6a429188ae0e73f6e83018eaacc2b419bb521b02bfdd520fd02cb251c09c734e6b6896aad960d132bdbd1ad2859fcc0c23d4c54b62173

Filesize: 246KB
MD5: 6e55341c9a0ce67ba366176da388aa04
SHA1: e794ecd906a9687daaf6b63e50bd9b45a69d594d
SHA256: b9a8642098cba990aefc2b297c70d491f956e3b29e63f1ca91c416d39f6f97c5
SHA512: 8709af88259c3132c95d2cdd966ed24a257de0ff0acee7628a9c119c87e70489491c58abef0e352a26ca6867fc2ad97f587085b7a2d0741af939eb7b2e9aebcc

Filesize: 227KB
MD5: 3640c9c0bbccb95531eee53bd6f49e33
SHA1: 2d174c44091c73b5d486cc6a513d8d64580b20df
SHA256: 24e2c8f03c401e5195e5de727fd1b5dc675992301b6d344a38906d813a9efa0d
SHA512: dee29fc01a00d165863b8cd2ace6f9f5f3f533a3da34869eb7b201cdfdffce4b96741b7d7cd38d9c46ccde278fe553eb33125bb49d38ab3edc51f155be405ea5

Filesize: 229KB
MD5: 92d3f23ea3013eb5288fa129258a95d1
SHA1: e1678a1e7b6bed32deb57eaa8bd50ec208a00a3b
SHA256: a18cd1947980cfe11a62838ab8fb46b5392099eb8f3311375e0105a5b7838fd7
SHA512: f8899a1440157385e7f34c2d3935a200caf51426a2387ccee00cd4d4d9c794a34703a688b51b5c370534afce00d159488f226c483145ec8047e8988750e9f015

Filesize: 136KB
MD5: af5233f6d4c806ecc112ee4b7623e4f8
SHA1: 53dcfd03b40a0dc7a6491745cfbeb8db23e3113c
SHA256: c7722d8aad2e6a1d1c300d057c3674a894fac996bbf78feba48bfabf4214ae41
SHA512: 1181c1c0b4c7ef6464bf5d0be164601b3ad8c21b50ea7c1dc33fa60f0f629b7a4d1f8f2ff15298536e4c5b4a720d6d321e289e92cffe2b7a880e874ed6a1be84