Overview

overview

10

Static

static

5

66ecdd9e82...96.exe

windows7-x64

10

66ecdd9e82...96.exe

windows10-2004-x64

10

88b889a147...73.exe

windows7-x64

10

88b889a147...73.exe

windows10-2004-x64

10

a0527f548f...67.exe

windows7-x64

10

a0527f548f...67.exe

windows10-2004-x64

10

e2ea3676e2...d2.exe

windows7-x64

10

e2ea3676e2...d2.exe

windows10-2004-x64

10

f419ddfc11...08.exe

windows7-x64

10

f419ddfc11...08.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 01:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe

  • Size

    809KB

  • MD5

    15f948da0e0786ee883bc9714ee6b47a

  • SHA1

    13d0747a12ce2783ac3a1d225d760cd5b2ed1aa1

  • SHA256

    88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573

  • SHA512

    006913022a08797087c1a47e89f1fba3beef5eb7f925631d507e841f361b56fe7dbefa1a1a60c0f5542742ad71c0b142ab5f4d280bfd9bc50bf5f7018c6bb31e

  • SSDEEP

    24576:aJr8tE+sQJRRGM3sU+7sdCGNcArcotgiko7ehxaFpmx9:aJ4LP1MsdV5c+g5OiaFM/

Score
10/10
redlinesectopratcheatexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.68:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe
    "C:\Users\Admin\AppData\Local\Temp\88b889a1477c81510c62a46c9eb1d77d386c59dceb0523e8b5734b6dde252573.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2652
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gsGRKUB.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gsGRKUB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1948
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        PID:2076
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:780
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
    Filesize

    48KB

    MD5

    e83ccb51ee74efd2a221be293d23c69a

    SHA1

    4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

    SHA256

    da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

    SHA512

    0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar1B45.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp
    Filesize

    1KB

    MD5

    e454a1426c70effa82894c54096d3abb

    SHA1

    94d0ef330de0482aec2dc205f0ec20408096c815

    SHA256

    fc4df0cb427e56387f82531dc752f90dc396146e8d3cf61c70e56182d12f2016

    SHA512

    62cf7aa6ab129a062f833fa527ffd82ba59e5390cfc8f39618b71195ae009a66af9118cc46ff1e87133b0cb5cdeb8e24bab8ddffb4da1ef20570fe321aefd503

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JG1CVSST7G30NF2PCFKQ.temp
    Filesize

    7KB

    MD5

    1f6731fb17b0252c56d3678677574efe

    SHA1

    24a2db5d6a2d60f22ab6153952a3b518515e8cd5

    SHA256

    8c358711f50eccfa414382b6956f400c16a5130eca0cf1c46fb66197059cf7d9

    SHA512

    65c9121ee40600c7d14c0c983f8880ee9d610e4cbf16665ff30b5c81f28e539483b6dc9397ea8ed13aa9b7be59addb801a35e945b9a3b84716658d9e0c091435

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    Filesize

    716KB

    MD5

    6da58e4a005e57e0eee2faf662dfd4ae

    SHA1

    2146c9d021ac262c918c4cdf5d5c842568ee2c87

    SHA256

    364a57fff4c2f5d8f2b35945016f4660ea9e583250e81c13d3da523d21cf33cf

    SHA512

    f0895ce9160e05c434f3b3bb5ab6907dd4a767b38ea19f276de446e1d62476b00b912f4fb432bb12a4cadf19e25310b5c7a716b6d51a0156a47bc6c31a10ceeb

    Download Submit

  • memory/780-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/780-147-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-155-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-153-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-141-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-143-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-145-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/780-150-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2036-4-0x0000000000E00000-0x0000000000E02000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2576-5-0x0000000000140000-0x0000000000142000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2576-7-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2576-156-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2652-24-0x0000000000FB0000-0x0000000001064000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2652-126-0x0000000000EB0000-0x0000000000F10000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2652-125-0x0000000000B00000-0x0000000000B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2652-124-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2652-123-0x00000000009B0000-0x00000000009C6000-memory.dmp

    Filesize

    88KB

    Download