Overview

overview

10

Static

static

1

new.ps1

windows7-x64

6

new.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-07-2024 12:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new.ps1

  • Size

    242KB

  • MD5

    aa0d92ff6d6a1d18f6149f6d0ad03139

  • SHA1

    6a33134bf530a61b764bf2287baf8fd0aea603ab

  • SHA256

    f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f

  • SHA512

    4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3

  • SSDEEP

    3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

Score
10/10
redlinesectopratmaxexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2072
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3628
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "c:\Users\Admin\AppData\Local\Temp\gieti5jc\CSC967E456A7074299BFD3185A7A16F6B5.TMP"
            5⤵
              PID:5076
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f
        2⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:1052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      50a8221b93fbd2628ac460dd408a9fc1

      SHA1

      7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

      SHA256

      46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

      SHA512

      27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp
      Filesize

      1KB

      MD5

      9feb93e2746b57bd00861a0a0a706ee0

      SHA1

      6647f0c8ad77d967ad931d90489c554e8f18894a

      SHA256

      2d7d9c697ac91990f8d42348391804323cd345c45301b12f28aff30664a750e5

      SHA512

      5885660e232517382c74d076989c53d8f4831541f3eb6705af1fd385758b373d38fad5a672e51c61e8c923f135b19614bba641ad942639f303d0b93d852182df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k325v5qj.ypa.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.dll
      Filesize

      96KB

      MD5

      d2fc81787190b8a04f08a545068506fd

      SHA1

      3837568e87d316278e760d5e4547e9cbcd1d166f

      SHA256

      e7c673b65377c02cb244beeb3d6178e08b1226f4a92f230c0f4a5318ceb7ccc5

      SHA512

      9bb9518a8863dc428a1b88cc69bb689aa98dc835decbf863a32ee6314dbe3a17bc504238a39b4954ec733dc75199e0112606dfd92ee186c395394a78310cdcd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCAB3.tmp
      Filesize

      46KB

      MD5

      8f5942354d3809f865f9767eddf51314

      SHA1

      20be11c0d42fc0cef53931ea9152b55082d1a11e

      SHA256

      776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

      SHA512

      fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCAC9.tmp
      Filesize

      100KB

      MD5

      efc72f037edcd2520a10b12170fe8987

      SHA1

      fce398b581347e571670e5471ad95324969ef9db

      SHA256

      75eaf0258332ca565ad3f58e1b42f227fb01e2825ebc8334228d220c3489027e

      SHA512

      1b3756c59b0b4fae8168c17a86e51174bc810dab61e4b6a5984d0aa425df1f93f03b7cc6050a5e165d468cf0bb8314abd56e7f7ab6ca903b6e18704b0845f16e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCB14.tmp
      Filesize

      48KB

      MD5

      349e6eb110e34a08924d92f6b334801d

      SHA1

      bdfb289daff51890cc71697b6322aa4b35ec9169

      SHA256

      c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

      SHA512

      2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCB39.tmp
      Filesize

      20KB

      MD5

      49693267e0adbcd119f9f5e02adf3a80

      SHA1

      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

      SHA256

      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

      SHA512

      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCB3F.tmp
      Filesize

      116KB

      MD5

      f70aa3fa04f0536280f872ad17973c3d

      SHA1

      50a7b889329a92de1b272d0ecf5fce87395d3123

      SHA256

      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

      SHA512

      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpCB5A.tmp
      Filesize

      96KB

      MD5

      d367ddfda80fdcf578726bc3b0bc3e3c

      SHA1

      23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

      SHA256

      0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

      SHA512

      40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
      Filesize

      179KB

      MD5

      4f7d1b610c3154a148e0c3787cd8ec58

      SHA1

      81b7e5ea9dfcc05890f4e1574c8496a882291b86

      SHA256

      ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845

      SHA512

      2b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\sehKCN.vbs
      Filesize

      2KB

      MD5

      e5671d6bb4b7c012a32158fadea3c560

      SHA1

      e05b3e5897ee5c521ac5f71210d203b146f8dc52

      SHA256

      780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45

      SHA512

      82965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\CSC967E456A7074299BFD3185A7A16F6B5.TMP
      Filesize

      652B

      MD5

      94c4f55ac91def118eaddd37c2bbd57e

      SHA1

      7040446205a2cf380b2bdbdc7b9fc938ed2c3cc2

      SHA256

      1c0a73644b1c55c4c7f4adfffdf7204f194657e27fab4bf8505bbec6a1d56f01

      SHA512

      73716bb293350225c6da99d73344c5ba5edcf659536898f338b6792a753fd009f52fccb0d42fc771c1ed7607827dd12e6a48f09a30af31f0c401c03396334e95

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.0.cs
      Filesize

      50KB

      MD5

      37f63f0f16b64ce7d236cd71617be27a

      SHA1

      da34f42ade8f9a59819daf8f7aee8641ac759d9f

      SHA256

      2df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3

      SHA512

      3d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.cmdline
      Filesize

      369B

      MD5

      c3541548e70abc6a07308b28e0ba9e0d

      SHA1

      e11d49a0ef724287372535ff5642ce9f31203e4e

      SHA256

      81e648ec2a8fb2334379c9fa0ba87ada0c5404aeb4f1867fcb3e91d77c86d1db

      SHA512

      a49b6d731c4e8cd800842d42ee67ba786a7a573a3bd9864edc8bdbff903b2e8906cb66d93fa66f78b066c5ffe2e294c9da9d877832d63b78bc49b6ccc2a60ea3

      Download Submit

    • memory/1760-20-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1760-0-0x00007FFD576E3000-0x00007FFD576E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1760-10-0x000001DA9A5D0000-0x000001DA9A5F2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1760-11-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1760-12-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1760-19-0x000001DAB2B60000-0x000001DAB2D7C000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2072-52-0x000001526F360000-0x000001526F39C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2072-45-0x000001526EB30000-0x000001526EB4E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2072-54-0x000001526FDB0000-0x00000152702D8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/2072-53-0x000001526F6B0000-0x000001526F872000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2072-47-0x000001526EE40000-0x000001526EE46000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2072-51-0x000001526EE90000-0x000001526EEA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2072-50-0x000001526EE50000-0x000001526EE6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2072-209-0x000001526F5C0000-0x000001526F636000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2072-210-0x000001526F570000-0x000001526F58E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2072-229-0x000001526E810000-0x000001526EA2C000-memory.dmp

      Filesize

      2.1MB

      Download