Analysis
-
max time kernel
93s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05-07-2024 12:54
General
-
Target
new.ps1
-
Size
242KB
-
MD5
aa0d92ff6d6a1d18f6149f6d0ad03139
-
SHA1
6a33134bf530a61b764bf2287baf8fd0aea603ab
-
SHA256
f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
-
SHA512
4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
-
SSDEEP
3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG
Malware Config
Extracted
redline
MAX
maxwiz1221.duckdns.org:45867
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps11⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps13⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.cmdline"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB12F.tmp" "c:\Users\Admin\AppData\Local\Temp\gieti5jc\CSC967E456A7074299BFD3185A7A16F6B5.TMP"5⤵
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f2⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Temp\RESB12F.tmpFilesize
1KB
MD59feb93e2746b57bd00861a0a0a706ee0
SHA16647f0c8ad77d967ad931d90489c554e8f18894a
SHA2562d7d9c697ac91990f8d42348391804323cd345c45301b12f28aff30664a750e5
SHA5125885660e232517382c74d076989c53d8f4831541f3eb6705af1fd385758b373d38fad5a672e51c61e8c923f135b19614bba641ad942639f303d0b93d852182df
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k325v5qj.ypa.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.dllFilesize
96KB
MD5d2fc81787190b8a04f08a545068506fd
SHA13837568e87d316278e760d5e4547e9cbcd1d166f
SHA256e7c673b65377c02cb244beeb3d6178e08b1226f4a92f230c0f4a5318ceb7ccc5
SHA5129bb9518a8863dc428a1b88cc69bb689aa98dc835decbf863a32ee6314dbe3a17bc504238a39b4954ec733dc75199e0112606dfd92ee186c395394a78310cdcd8
-
C:\Users\Admin\AppData\Local\Temp\tmpCAB3.tmpFilesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpCAC9.tmpFilesize
100KB
MD5efc72f037edcd2520a10b12170fe8987
SHA1fce398b581347e571670e5471ad95324969ef9db
SHA25675eaf0258332ca565ad3f58e1b42f227fb01e2825ebc8334228d220c3489027e
SHA5121b3756c59b0b4fae8168c17a86e51174bc810dab61e4b6a5984d0aa425df1f93f03b7cc6050a5e165d468cf0bb8314abd56e7f7ab6ca903b6e18704b0845f16e
-
C:\Users\Admin\AppData\Local\Temp\tmpCB14.tmpFilesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
C:\Users\Admin\AppData\Local\Temp\tmpCB39.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\tmpCB3F.tmpFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Temp\tmpCB5A.tmpFilesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1Filesize
179KB
MD54f7d1b610c3154a148e0c3787cd8ec58
SHA181b7e5ea9dfcc05890f4e1574c8496a882291b86
SHA256ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845
SHA5122b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a
-
C:\Users\Admin\AppData\Roaming\sehKCN.vbsFilesize
2KB
MD5e5671d6bb4b7c012a32158fadea3c560
SHA1e05b3e5897ee5c521ac5f71210d203b146f8dc52
SHA256780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45
SHA51282965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0
-
\??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\CSC967E456A7074299BFD3185A7A16F6B5.TMPFilesize
652B
MD594c4f55ac91def118eaddd37c2bbd57e
SHA17040446205a2cf380b2bdbdc7b9fc938ed2c3cc2
SHA2561c0a73644b1c55c4c7f4adfffdf7204f194657e27fab4bf8505bbec6a1d56f01
SHA51273716bb293350225c6da99d73344c5ba5edcf659536898f338b6792a753fd009f52fccb0d42fc771c1ed7607827dd12e6a48f09a30af31f0c401c03396334e95
-
\??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.0.csFilesize
50KB
MD537f63f0f16b64ce7d236cd71617be27a
SHA1da34f42ade8f9a59819daf8f7aee8641ac759d9f
SHA2562df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3
SHA5123d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518
-
\??\c:\Users\Admin\AppData\Local\Temp\gieti5jc\gieti5jc.cmdlineFilesize
369B
MD5c3541548e70abc6a07308b28e0ba9e0d
SHA1e11d49a0ef724287372535ff5642ce9f31203e4e
SHA25681e648ec2a8fb2334379c9fa0ba87ada0c5404aeb4f1867fcb3e91d77c86d1db
SHA512a49b6d731c4e8cd800842d42ee67ba786a7a573a3bd9864edc8bdbff903b2e8906cb66d93fa66f78b066c5ffe2e294c9da9d877832d63b78bc49b6ccc2a60ea3
-
memory/1760-20-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmpFilesize
10.8MB
-
memory/1760-0-0x00007FFD576E3000-0x00007FFD576E5000-memory.dmpFilesize
8KB
-
memory/1760-10-0x000001DA9A5D0000-0x000001DA9A5F2000-memory.dmpFilesize
136KB
-
memory/1760-11-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmpFilesize
10.8MB
-
memory/1760-12-0x00007FFD576E0000-0x00007FFD581A1000-memory.dmpFilesize
10.8MB
-
memory/1760-19-0x000001DAB2B60000-0x000001DAB2D7C000-memory.dmpFilesize
2.1MB
-
memory/2072-52-0x000001526F360000-0x000001526F39C000-memory.dmpFilesize
240KB
-
memory/2072-45-0x000001526EB30000-0x000001526EB4E000-memory.dmpFilesize
120KB
-
memory/2072-54-0x000001526FDB0000-0x00000152702D8000-memory.dmpFilesize
5.2MB
-
memory/2072-53-0x000001526F6B0000-0x000001526F872000-memory.dmpFilesize
1.8MB
-
memory/2072-47-0x000001526EE40000-0x000001526EE46000-memory.dmpFilesize
24KB
-
memory/2072-51-0x000001526EE90000-0x000001526EEA2000-memory.dmpFilesize
72KB
-
memory/2072-50-0x000001526EE50000-0x000001526EE6E000-memory.dmpFilesize
120KB
-
memory/2072-209-0x000001526F5C0000-0x000001526F636000-memory.dmpFilesize
472KB
-
memory/2072-210-0x000001526F570000-0x000001526F58E000-memory.dmpFilesize
120KB
-
memory/2072-229-0x000001526E810000-0x000001526EA2C000-memory.dmpFilesize
2.1MB