Malware Analysis Report

2024-09-11 08:41

Sample ID 240514-b5wmfaeb7w
Target cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe
SHA256 cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635
Tags: redline sectoprat cheat execution infostealer rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635

Threat Level: Known bad

The file cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe was found to be: Known bad.

Malicious Activity Summary

redline sectoprat cheat execution infostealer rat trojan

SectopRAT payload

SectopRAT

RedLine

RedLine payload

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects executables packed with SmartAssembly

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-14 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 01:44

Reported

2024-05-14 01:52

Platform

win7-20231129-en

Max time kernel

122s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1372 set thread context of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2360 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2360 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 2360 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1372 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1372 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1372 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1372 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe

"C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

Network

Country Destination Domain Proto
NL 45.137.22.143:55615 45.137.22.143 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2360-4-0x0000000002490000-0x00000000024A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

MD5 fc6a889a68e4e87468288d91c1824686
SHA1 b193395d7268b7ebe99bb439669c8d0a2ca6c977
SHA256 ecb28ee9d8ef2922481e0b2c4f45296fc541d759019078b7454a278edbde73c5
SHA512 a41cce8958566a0951f73aa16d4e02196574bb0d8f929fda0b7975fa286f6cef66f5ea3c3e6b40e24b44b7c9d6f81ccb960f1a3587b3ba67e5096c2f5f6051ed

memory/1372-15-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

memory/1372-16-0x0000000000BB0000-0x0000000000C40000-memory.dmp

memory/1372-17-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/1372-18-0x0000000000590000-0x00000000005AC000-memory.dmp

memory/1372-20-0x0000000000B40000-0x0000000000B56000-memory.dmp

memory/1372-19-0x0000000000B30000-0x0000000000B3E000-memory.dmp

memory/1372-21-0x0000000005200000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

MD5 e83ccb51ee74efd2a221be293d23c69a
SHA1 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
SHA256 da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
SHA512 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

memory/2744-36-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1372-37-0x0000000074B70000-0x000000007525E000-memory.dmp

memory/2744-35-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

MD5 03b53340c7e8f4b2a82917da49bb799e
SHA1 fe8ecd3b4f81fe4714dc8ab193e6e0f18f4ad0c4
SHA256 681b4d66630a2d0ad33b1dda83928164febf8b8f9bd73be7bdfb25638ca24297
SHA512 7bc8e90e287698b49c7c7ddb75e2baa568201a52fe752f1a518dc06be4559e9a2282f218a3ef0f138b63ecf691ead5a7fa99ebd8db5740c798de83db4d7dd2d6

memory/2744-28-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-24-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-33-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2744-30-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2744-26-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 019304b63e74f13fd3db074acf4bd8f5
SHA1 d365ae8bf413baad6b3786966ebfa1c9d267e960
SHA256 b4919c1412f160ebdef63329f5c24bea6df388c74bd3c3717d78d44500c77459
SHA512 f0c5d3038196b2790f2cf3be499eb3d9318a8e9f1f0789ed0f1c19b99a2792905484870c44b415fa8ae41eadcd8efef3a59f1ab15f1701b0217f2c694a691c25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d427bb6b5a02540cc767cb2cf847cebd
SHA1 5e5d94a01ef22e422134e6e26273f6c4a4a38553
SHA256 08b92fb832d9512fdad22be15fbf2bd951ac5ec843712bce4cff4ef0158872f4
SHA512 afafb5eb712cc2c1023e2a64e47e222b4bd12588c80394dabd67ffdbc8d4f89e09ffa1c2abf19d28c1560cdecfe4d54e3f81924901d7d8735d137a6b04af246c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\Tar6CCC.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 01:44

Reported

2024-05-14 01:52

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4160 set thread context of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1020 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1020 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 1020 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
PID 4160 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe

"C:\Users\Admin\AppData\Local\Temp\cbf26eb04d7e44410aff2c8768f380ff4c2c83bd98d338d53dbe0d8ec6aeb635.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
NL 45.137.22.143:55615 45.137.22.143 tcp
US 8.8.8.8:53 143.22.137.45.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe

MD5 03b53340c7e8f4b2a82917da49bb799e
SHA1 fe8ecd3b4f81fe4714dc8ab193e6e0f18f4ad0c4
SHA256 681b4d66630a2d0ad33b1dda83928164febf8b8f9bd73be7bdfb25638ca24297
SHA512 7bc8e90e287698b49c7c7ddb75e2baa568201a52fe752f1a518dc06be4559e9a2282f218a3ef0f138b63ecf691ead5a7fa99ebd8db5740c798de83db4d7dd2d6

memory/4160-14-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/4160-15-0x0000000000420000-0x00000000004B0000-memory.dmp

memory/4160-16-0x0000000005420000-0x00000000059C4000-memory.dmp

memory/4160-17-0x0000000004F10000-0x0000000004FA2000-memory.dmp

memory/4160-18-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4160-19-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

memory/4160-20-0x0000000005170000-0x000000000520C000-memory.dmp

memory/4160-21-0x0000000005120000-0x000000000513C000-memory.dmp

memory/4160-22-0x0000000005380000-0x000000000538E000-memory.dmp

memory/4160-23-0x00000000053C0000-0x00000000053D6000-memory.dmp

memory/4160-24-0x0000000006940000-0x00000000069A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg

MD5 e83ccb51ee74efd2a221be293d23c69a
SHA1 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
SHA256 da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
SHA512 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

memory/2684-26-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/2428-31-0x0000000005370000-0x00000000053A6000-memory.dmp

memory/4160-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2428-32-0x0000000005AE0000-0x0000000006108000-memory.dmp

memory/2684-34-0x0000000005220000-0x0000000005232000-memory.dmp

memory/2684-33-0x0000000005990000-0x0000000005FA8000-memory.dmp

memory/2684-35-0x0000000005280000-0x00000000052BC000-memory.dmp

memory/2428-36-0x0000000005870000-0x0000000005892000-memory.dmp

memory/2684-39-0x00000000052C0000-0x000000000530C000-memory.dmp

memory/2428-38-0x0000000005980000-0x00000000059E6000-memory.dmp

memory/2428-37-0x0000000005910000-0x0000000005976000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xe24jxw5.gla.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2428-49-0x0000000006310000-0x0000000006664000-memory.dmp

memory/2684-50-0x0000000005530000-0x000000000563A000-memory.dmp

memory/2428-51-0x0000000006950000-0x000000000696E000-memory.dmp

memory/2428-52-0x0000000006F70000-0x0000000006FA2000-memory.dmp

memory/2428-53-0x0000000071290000-0x00000000712DC000-memory.dmp

memory/2428-63-0x0000000006F00000-0x0000000006F1E000-memory.dmp

memory/2428-64-0x0000000007980000-0x0000000007A23000-memory.dmp

memory/2428-65-0x00000000082B0000-0x000000000892A000-memory.dmp

memory/2428-66-0x0000000007C60000-0x0000000007C7A000-memory.dmp

memory/2428-67-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

memory/2428-68-0x0000000007EE0000-0x0000000007F76000-memory.dmp

memory/2428-69-0x0000000007E60000-0x0000000007E71000-memory.dmp

memory/2428-70-0x0000000007E90000-0x0000000007E9E000-memory.dmp

memory/2428-71-0x0000000007EA0000-0x0000000007EB4000-memory.dmp

memory/2428-72-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

memory/2428-73-0x0000000007F80000-0x0000000007F88000-memory.dmp

memory/2684-76-0x0000000006840000-0x0000000006A02000-memory.dmp

memory/2684-77-0x0000000006F40000-0x000000000746C000-memory.dmp