Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2024, 16:12

General

  • Target

    5928745f1d5cab62de613b4c5f558df1.exe

  • Size

    2.3MB

  • MD5

    5928745f1d5cab62de613b4c5f558df1

  • SHA1

    4a511b360df83b69f9144e6fb23f3ea0b133ccfd

  • SHA256

    10cdc1c1b8112716b5aec0caba5db1cef422176c550288f4952473c216357466

  • SHA512

    e81ce51d581ac136d5884730a8af696f006ddc2e6d6f334cfab9195f6db5e1f75adcddd53a6d4ebed60753e45cd65d19a15f25886b3dd3a988f5794b4e71df9a

  • SSDEEP

    49152:/5+hFVRTb0i5i+7baItMOV861aT0Sxiz8lVHTIioOFZQ+A:/5aFVSi5B7OICOV83ISxiqZ7A

Malware Config

Extracted

Family

redline

Botnet

@lovefuckwithyourmom

C2

xetadycami.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry; this is most likely a geofence check.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe
    "C:\Users\Admin\AppData\Local\Temp\5928745f1d5cab62de613b4c5f558df1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:4572
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e file.zip -p -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2224
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:4900
        • C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe
          "@lovefuckwithyourmom.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2740
        • C:\Windows\system32\attrib.exe
          attrib +H "@lovefuckwithyourmom.exe"
          3⤵
          • Views/modifies file attributes
          PID:4260
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2568
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_3.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:396
        • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
          7z.exe e extracted/file_4.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:1640
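
The process tree above is a compact batch-driven unpack chain: cmd.exe runs svchost.cmd from a user-writable Temp directory, mode.com resizes the console window (mode 65,10), a dropped 7z.exe extracts a password-protected file.zip, then the inner file_1.zip through file_4.zip, the extracted @lovefuckwithyourmom.exe is launched, and attrib +H hides it. The script below is an added example for this page, not code from the Triage report or from the sample; it turns that sequence into detection logic over process-creation events. The events are constructed from the report's process tree (same PIDs, images and command lines); the ProcEvent field names and the scoring weights are assumptions.

```python
"""Hunt for the batch-driven 7-Zip unpack chain shown in the process tree above.

Added example for this page, not code from the Triage report or the sample.
EVENTS is constructed from the report's process tree; the ProcEvent field
names and the WEIGHTS table are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # command line as logged


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = TEMP + r"\svchost"

# Constructed from the report's process tree (PIDs and command lines as listed).
EVENTS = [
    ProcEvent(3600, 0, TEMP + r"\5928745f1d5cab62de613b4c5f558df1.exe",
              '"' + TEMP + r'\5928745f1d5cab62de613b4c5f558df1.exe"'),
    ProcEvent(1572, 3600, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""' + DROP + r'\svchost.cmd" /S"'),
    ProcEvent(4572, 1572, r"C:\Windows\system32\mode.com", "mode 65,10"),
    ProcEvent(2224, 1572, DROP + r"\7z.exe", "7z.exe e file.zip -p -oextracted"),
    ProcEvent(4900, 1572, DROP + r"\7z.exe", "7z.exe e extracted/file_2.zip -oextracted"),
    ProcEvent(2740, 1572, DROP + r"\@lovefuckwithyourmom.exe", '"@lovefuckwithyourmom.exe"'),
    ProcEvent(4260, 1572, r"C:\Windows\system32\attrib.exe",
              'attrib +H "@lovefuckwithyourmom.exe"'),
    ProcEvent(2568, 1572, DROP + r"\7z.exe", "7z.exe e extracted/file_1.zip -oextracted"),
    ProcEvent(396, 1572, DROP + r"\7z.exe", "7z.exe e extracted/file_3.zip -oextracted"),
    ProcEvent(1640, 1572, DROP + r"\7z.exe", "7z.exe e extracted/file_4.zip -oextracted"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
BATCH_PATH = re.compile(r'"?([a-z]:\\[^"]+\.(?:cmd|bat))"?', re.I)
SEVENZIP_EXTRACT = re.compile(r"^\S*7z[a-z]?\.exe\s+[ex]\b", re.I)  # 7z.exe e|x ...
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-p\S*(?:\s|$)")               # -p or -psecret
ATTRIB_HIDE = re.compile(r"^attrib\s+.*\+h\b", re.I)

# Assumed weights; tune them against your own telemetry.
WEIGHTS = {"sevenzip_from_drop_dir": 2, "password_protected": 2,
           "hidden_with_attrib": 2, "dropped_exe_executed": 3, "multi_stage": 1}


def find_unpack_chains(events):
    """One finding per cmd.exe that runs a .cmd/.bat from a user-writable directory
    and whose children look like the 7-Zip unpack, execute, then hide sequence."""
    findings = []
    for cmd in events:
        if ntpath.basename(cmd.image).lower() != "cmd.exe":
            continue
        m = BATCH_PATH.search(cmd.cmdline)
        if not m or not USER_WRITABLE.match(m.group(1)):
            continue
        script_dir = ntpath.dirname(m.group(1)).lower()

        def in_drop_dir(e):
            return ntpath.dirname(e.image).lower() == script_dir

        kids = [e for e in events if e.ppid == cmd.pid]
        extractions = [k for k in kids if SEVENZIP_EXTRACT.match(k.cmdline)]
        f = {
            "cmd_pid": cmd.pid,
            "script": m.group(1),
            "extractions": len(extractions),
            # unpacker shipped alongside the script rather than an installed 7-Zip
            "sevenzip_from_drop_dir": any(in_drop_dir(k) for k in extractions),
            "password_protected": any(PASSWORD_SWITCH.search(k.cmdline) for k in extractions),
            "hidden_with_attrib": any(ATTRIB_HIDE.match(k.cmdline) for k in kids),
            # anything else launched from the drop directory is treated as a dropped payload
            "dropped_exe_pids": [k.pid for k in kids if in_drop_dir(k) and k not in extractions],
        }
        f["multi_stage"] = len(extractions) >= 2
        f["dropped_exe_executed"] = bool(f["dropped_exe_pids"])
        f["score"] = sum(w for key, w in WEIGHTS.items() if f[key])
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_unpack_chains(EVENTS):
        print(f"cmd.exe pid {f['cmd_pid']} score {f['score']}/{sum(WEIGHTS.values())}: {f}")
```

Run against the report's tree this yields a single finding for cmd.exe PID 1572 with five extraction steps, the unpacker executing from the drop directory, a password-protected outer archive, one dropped executable (PID 2740) launched, and attrib +H applied, i.e. the maximum score. The gate on a batch file under AppData keeps ordinary build scripts that call an installed 7-Zip from Program Files out of the results; the per-feature flags are kept in the finding so an analyst can see which part of the chain fired rather than just a number.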

    Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            558KB

            MD5

            e1fee3d3780c73637252b69e44f3e85f

            SHA1

            ea3255fd0b61ac92323a91e2463dd20b44edf66e

            SHA256

            f01b05966047f5d3931520d1ae7c85dd548e7082699dddc2503a5c42063bda3f

            SHA512

            cd5455f93330f03f9d0f4c2771ee32ea799332b5dc937a2e7b3cae414f22e7b4acc32225abf161c2070163f6e300fce6c5f1b25f3ac2ce51c609d0187c2a5f62

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            561KB

            MD5

            bdac165c36265693370205114caa5ee3

            SHA1

            4f5fe76e41f3cced90330b320bb8144b408f9fd5

            SHA256

            e1f8abc6554a84ccf75d9381de5e2c36fa87ef753195e8de9483de2c0aa3f191

            SHA512

            1bf1d87512878b0075a71c1fb1653fe34c3e4706d7404c89185b7adb29f83477e0d00374a3c4d54a123cf90fff8b317f9a50881b9708513b6e45fc1691e7fd3b

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            455KB

            MD5

            a634e737a02bd2a753244cedd5c7e4c9

            SHA1

            4c62c69503559c20ced8e5e6c5b78e0db0489c47

            SHA256

            d9af7e478af877b40f6874c1c75d5738d92688f1fe94e267652b47f70a27665f

            SHA512

            74084f193187d3fda6f19857b8e366bb24d64e769fc3aa68d3d7c5630bdb2f061fceeaebd91b2a044b41d829539f6f3699e8e3ce462b40af99c9d3557fa1e06c

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            149KB

            MD5

            6e7f44d7e49dd8489800f51c52cf9b42

            SHA1

            ab014142cae263ec1ebcada6cd9386a99f7b34e2

            SHA256

            941b2a461e38971206e4cc7e9c08bae0641580aaecbb12a231e12feec2598566

            SHA512

            6bc1f37ac57c48bd5853dd55348f89ecf0178ae4e44cdb7a0c68ec1ea59165a24a7a241fd4d164c6d9dbba5b31e43937041902a137b6f2f441986c50054e0227

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            143KB

            MD5

            5ccdaa140e9f3518e64b6e8884df5398

            SHA1

            c39a7a3ecca0032e84246a4da17b6b8bab671f91

            SHA256

            aabadb4ab4cfb509ae8be07dae1871e8525f905252d83a57f67da616862e3b35

            SHA512

            ae13ec1ed7ae8b65a490b15fc6024e5051f5ef29c2f9f2daca5c616ab1924e6ed762077f2ecdd96ba2e817d1d6210fbf5d937b5b326ec2950dabbdd619ba6f8c

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll

            Filesize

            294KB

            MD5

            73d18262d494f3b4f7b279096b706022

            SHA1

            2858c5bd367f18a1936ec4fa00d2ea820af927ec

            SHA256

            1191f1207072a5af094b3cbf204b3575d6adf4695d0fdd6c71779a98e150cce8

            SHA512

            3b25da3326fa8fe1acebcb1a315e325f0525beae99114c8f672db5c736ebfd2131ced1beced6f9df71e2ce274ae66787e103c29eeb8f7ec285aab4302d1c748b

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            458KB

            MD5

            619f7135621b50fd1900ff24aade1524

            SHA1

            6c7ea8bbd435163ae3945cbef30ef6b9872a4591

            SHA256

            344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

            SHA512

            2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            366KB

            MD5

            14b6af849c769dca4b2767a278af1631

            SHA1

            0cc2c472f3e6ed2918ec5bfc9eaab2d47ba0222e

            SHA256

            d3a85adace40351dfbdae6be6562e0d5260356355c81663f7ce2955daa0bf24d

            SHA512

            e4e924e2454a849e914ce68b647193773cf7a7afa0e81b50af4c6b8b94faad065901fc33345e66aac59915e7f1b2bd4ea6161560b01d858811096a93cdd85019

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            442KB

            MD5

            a7d8c374a1af75b4ae33ec2d676b18ab

            SHA1

            c569b32fb85d97d75e49570a2bcd4c4b35257e0e

            SHA256

            31f81296189821e78508ba43aeec6fcc36a1e8de4e408a0178802780d293cb0d

            SHA512

            455e6501b0dfbda71bb627ddf8532f2fa664e52ad1796bc25a2aff78766eb327f98263e32538efaf1ae1d6add0ec30f1103ac4eb93da2faabb37c86e3d7dd5dc

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            291KB

            MD5

            b899b8cbf798b772b21f4a66e70d7214

            SHA1

            5f0c1b1d3aaaffd77f5de7ec6e1ab7ad8dad4a8c

            SHA256

            921e44cc8144af642e3e420d66060a97c5b0d04f415783420f7c20d391c6ca09

            SHA512

            2b381a80fc7cc619ffeff8df38af61e95f23b6d09c3a461533c07556285a1dd1a88fecbb7be51416ec0fd83bdebd1c590fb6580ff3c9ef87cfbbb2e5653f2dd9

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            247KB

            MD5

            0ac45708dce897ea32d6812fe54898d3

            SHA1

            496f87ee4c39b8227d21d52d2d534fcec6438345

            SHA256

            f119981b4e6b05c6892e7bd1dea9b2673594f66daaf1176fdceaa4402928b003

            SHA512

            77ed189ca457a1e2632176e46ad872f8edb691ca9d675b41eb3edf096073c664cf69f7fc49d322dddc9eecc0be1f250cfc428b58262d536a271a3fae9b247acd

          • C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe

            Filesize

            335KB

            MD5

            c01f69339fc0f3ef16f8ba3786a1e365

            SHA1

            52db3644a3dfcdff0732a3b743054b72c087283f

            SHA256

            67c037cce11ab150d0e447a3dfe1b502b85bd777e739c2ba4e0d23f79bc9c293

            SHA512

            4720c5e8cb2dc504e9780b178973a342cf805f4076254ecc08876ce609f1a8c36a4f436aae892514de42a0f4398f775f2be4629e583aceb387ac2d03dc87dcea

          • C:\Users\Admin\AppData\Local\Temp\svchost\@lovefuckwithyourmom.exe

            Filesize

            100KB

            MD5

            f715021bca8947192b494a037ddae36b

            SHA1

            d2a70a50a0258a7d471d3f8043808f962282fc7e

            SHA256

            3508971255c901dccbe8a461de9fa390add18675e44bfa55a2c792f62cf7db62

            SHA512

            ce3801a52248785a41d1db4c284b3c06f18d7753555659bbb36ac960d5cf4990c33d5981620090dbf07bd009951d0760b5c8e529ac64c973deade35d36c0d35f

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT

            Filesize

            170KB

            MD5

            2fba0ef603d9b47f29bd69bc7d742bc3

            SHA1

            6ef6ce5db6e19c082e7795ea9638e58b22267da7

            SHA256

            04cd304865c4f2a5a1a40cc60cd8a4165af1a6e299c46486d933e9f4cf9b7652

            SHA512

            fca6b2dbc922351cbf78cd70b37364d8f333f078f34f7cfdc34dca108004f27c3dc9accb69c5fb1469cc9344622976656a7a5979966b1ca272787e46df2713e8

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip

            Filesize

            40KB

            MD5

            f8fdd24daf1aa469ac0e32e9b1459ab6

            SHA1

            23dd9dd5b626c364a964cf583b045c8197b12d74

            SHA256

            e8f4204e1b3ceca11d1865e28201761c1b4017b30377ca4c1639c7ccac952949

            SHA512

            05843ad3518438b825c7864854e6a8f7a3538bfd76327b8fb652a073ad38df60051c1ab420e89d78b9b02a14f74a535f03b0f0340259c13c4aad200c60898aba

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip

            Filesize

            40KB

            MD5

            9679f15a03e532c442b86b99d901637f

            SHA1

            43e4579628d2201dc556ebf4d29464fb777e2238

            SHA256

            487f4d740ba3d9c42a5c6e624f34d3e20a330418d2925e2fec2fde37bb64a7d1

            SHA512

            8097846f22e81885844a42e63fc34218affad7d4cc659b94350f45955353d324d8f107eb2228606b7f14a6fedce2f1184e69c2dec07b6625d1ca00771fa03236

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip

            Filesize

            40KB

            MD5

            9082560582b613a65120dcde6c3c4897

            SHA1

            e8d50dfc85abe2aa00a51d917f35487c25e711c4

            SHA256

            3e324d0ff36a51529101b45bb9102260292a6bbb6ffbf55d01fea881cc038704

            SHA512

            180c1025f16d0e227e432ed7bb3c52ca0bcecd5a8390e6d3af28a2425cc1e31801dbd6df377c2abcc982c3a06f15940a654bd6b488e8d595ee41de5a56e1ef2f

          • C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip

            Filesize

            269KB

            MD5

            574207deb7e8e0c016fe25a825e9ed90

            SHA1

            c98fab2efd8a759da5e49e86644cc9ba21936d6f

            SHA256

            de78464ddca54d3695aa7010ed9d9972d899d76000fd4b4feaa30e756f30bdd7

            SHA512

            d99b762c86fd3d12fac0acb889462fe82ee9d4221b65d984a0c42fff05f14be0cbabfab7f2138eed477edd63f81e9541f386f637e767c86c7c049cfb4ff62bce

          • C:\Users\Admin\AppData\Local\Temp\svchost\payload.data

            Filesize

            1.1MB

            MD5

            2b2666ebfdc9adfd2fc1a0d8a84d2f75

            SHA1

            86a788663a2fb29441e3bb4aa823b609274d85f0

            SHA256

            d16f59ebdd3b51758a753c1503298fe0bd14217e0c8ca648259eff247f4cd403

            SHA512

            5e8ae5ec4d2a89b38f2b57408e90286ec9a4add5adc042ca95e2169f54280b7737e47dd811e53536ff0b3913b2ea692fba87cd799c168f4f51b3a696de45a2d1

          • C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd

            Filesize

            512B

            MD5

            14ed47f526671c43880f44b6c4b6fc83

            SHA1

            687323418a481503326bf7daf95ce722adcfbec4

            SHA256

            7d37fd2c4ce79dd8decfb14fd1390f4d7867af812204865fc91194b63ef4c1c9

            SHA512

            212614fa1b92a3e5520ca91442d6d21eebfd479f50bba032b320bea3d367a26f4296e08c7474bf2e03f1720dacbd5697eb8113a7102b8a10d76273b0c93a495c

          • memory/2740-51-0x0000000004E20000-0x0000000004E5C000-memory.dmp

            Filesize

            240KB

          • memory/2740-49-0x0000000005320000-0x0000000005938000-memory.dmp

            Filesize

            6.1MB

          • memory/2740-48-0x0000000073230000-0x00000000739E0000-memory.dmp

            Filesize

            7.7MB

          • memory/2740-53-0x0000000004E60000-0x0000000004EAC000-memory.dmp

            Filesize

            304KB

          • memory/2740-52-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

            Filesize

            64KB

          • memory/2740-50-0x0000000004DC0000-0x0000000004DD2000-memory.dmp

            Filesize

            72KB

          • memory/2740-47-0x0000000000440000-0x000000000045E000-memory.dmp

            Filesize

            120KB

          • memory/2740-54-0x00000000050D0000-0x00000000051DA000-memory.dmp

            Filesize

            1.0MB

          • memory/2740-55-0x0000000073230000-0x00000000739E0000-memory.dmp

            Filesize

            7.7MB

          • memory/2740-56-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

            Filesize

            64KB