Analysis
-
max time kernel
66s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
29-05-2024 15:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe
Resource
win7-20240221-en
windows7-x64
7 signatures
150 seconds
General
-
Target
3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe
-
Size
523KB
-
MD5
e336cd749eb4e599192906f8d61d0bb2
-
SHA1
6d431812efb3c52e0bdd44d2602bca486eacc451
-
SHA256
3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4
-
SHA512
8e18ce1501dbf77ca2af6cf6d7c0813501b2e94c61e859878370e872c93b79d7019430391b4916296e7f62079d2408a37ff0cdab0260d67b437eb88310d1fb84
-
SSDEEP
12288:5cO61A772/5RMH4Gj63oiwKeWq6GXiS+qdYYn86v:U+XQRMYGSFFq6G53nv
Malware Config
Extracted
Family
redline
Botnet
xxl
C2
2.56.59.101:17559
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/3780-26-0x0000000000400000-0x000000000041E000-memory.dmp family_redline -
SectopRAT payload 1 IoCs
resource yara_rule behavioral2/memory/3780-26-0x0000000000400000-0x000000000041E000-memory.dmp family_sectoprat -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4636 set thread context of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 30 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 4952 taskmgr.exe Token: SeSystemProfilePrivilege 4952 taskmgr.exe Token: SeCreateGlobalPrivilege 4952 taskmgr.exe Token: SeDebugPrivilege 3780 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe Token: 33 4952 taskmgr.exe Token: SeIncBasePriorityPrivilege 4952 taskmgr.exe -
Suspicious use of FindShellTrayWindow 57 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of SendNotifyMessage 56 IoCs
pid Process 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe 4952 taskmgr.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93 PID 4636 wrote to memory of 3780 4636 3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe"C:\Users\Admin\AppData\Local\Temp\3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Users\Admin\AppData\Local\Temp\3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe"C:\Users\Admin\AppData\Local\Temp\3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3780
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3bd982f82a1b2f074b02fe7cc7413f1e083f19108ae2612b2b5a741a9858f7f4.exe.log
Filesize1KB
MD5e08f822522c617a40840c62e4b0fb45e
SHA1ae516dca4da5234be6676d3f234c19ec55725be7
SHA256bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4