93d751506b3639b4e86a04d44731c3651a6dedf15424869903ee681b8266799e

Resubmissions

14/08/2024, 10:11 UTC

240814-l735ea1eql 3

24/06/2024, 03:23 UTC

240624-dxjzsazbkl 6

Analysis

max time kernel
1485s
max time network
1497s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 03:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RedTiger-Tools-main/Settings/Program/Config/__pycache__/Options.cpython-312.pyc
Size

3KB
MD5

9247538a52d3fb372793cec3042ec8dd
SHA1

3377e5d597c493ad80d1e14de58e7a082b6365f5
SHA256

cd96b9d96ed047b38459708173cad9771cbb93361228c46583695786f6a23a6c
SHA512

7cbb7de6b20135f5cb381cfb559426c5d68533664af26e4365fa2a034c21e51ace7bb036512c74f5279d285c126a557d07468941261634203136d97a246513a9

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2904	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RedTiger-Tools-main\Settings\Program\Config\__pycache__\Options.cpython-312.pyc
1⤵
- Modifies registry class
PID:1204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2904

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

ris.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

ris.api.iris.microsoft.com

IN A

Response

ris.api.iris.microsoft.com

IN CNAME

ris-prod.trafficmanager.net

ris-prod.trafficmanager.net

IN CNAME

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

asf-ris-prod-neu-azsc.northeurope.cloudapp.azure.com

IN A

20.234.120.54

52.111.227.13:443

322 B
7
150.171.27.10:443

tse1.mm.bing.net

tls

1.6kB
7.2kB
17
15
150.171.27.10:443

tse1.mm.bing.net

tls

1.6kB
7.2kB
17
15
150.171.27.10:443

tse1.mm.bing.net

tls

106.3kB
3.1MB
2235
2232
150.171.27.10:443

tse1.mm.bing.net

tls

1.6kB
7.2kB
17
15

8.8.8.8:53

tse1.mm.bing.net

dns

134 B
328 B
2
2

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

144 B
350 B
2
2

DNS Request

10.27.171.150.in-addr.arpa

DNS Request

ris.api.iris.microsoft.com

DNS Response

20.234.120.54

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.