Overview

overview

10

Static

static

3

6.exe

windows7-x64

10

6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    05-07-2024 14:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6.exe

  • Size

    2.6MB

  • MD5

    908d3656bb401fd8c4cf83d3bd39f19e

  • SHA1

    7cc3652b2064490586b9525f4126e725c5ab878e

  • SHA256

    5e8c7441a376ddad324526a589ee115aed949d6b3ec4c443e44ba758b38325e4

  • SHA512

    37dfd062ec619ac8c8f0f3b89674b3b382950ca7f616e3265f42f6fb81bc407423221351d682bc3010f2b214e2d7c6b60a5b340269278fffc3843eae9bbc80c7

  • SSDEEP

    12288:qI5OHqTR956eJKB1ROcXehK7X7wh0+iEm5wm:q1GRj6RMHU7qqwm

Score
10/10
redlinesectoprathalleevasionexecutioninfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

halle

C2

194.55.186.180:55123

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\6.exe
    "C:\Users\Admin\AppData\Local\Temp\6.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2268
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2268 -s 836
      2⤵
        PID:2824

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE091.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE0B6.tmp
      Filesize

      92KB

      MD5

      df8f707fde4a4e68ffee7c48f6a9b7db

      SHA1

      6852a7a4c463c3853643439794ed130a41d0c90b

      SHA256

      dc4e84de932df42fc1d78aa17751a6e21e723ae60796cd400e0b01c26d1b0449

      SHA512

      9c99fb4dc2c7727a75a632e28d3d18b6b4736f4484720788f9410a4567bf4aa4ed74fc6448a6a7d7cdff7bb4787e906a0f1c4e05c41ba02473e900f6aee9b7ba

      Download Submit

    • memory/2148-15-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-17-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-22-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-23-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-13-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-11-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-21-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2148-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-3-0x000000001B930000-0x000000001B94E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2268-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-4-0x0000000000710000-0x0000000000782000-memory.dmp

      Filesize

      456KB

      Download

    • memory/2268-24-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-1-0x0000000000240000-0x000000000025E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3060-19-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/3060-10-0x000000001B730000-0x000000001BA12000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/3060-9-0x0000000002920000-0x00000000029A0000-memory.dmp

      Filesize

      512KB

      Download