Overview

overview

10

Static

static

1

114f1c23da...57.exe

windows7-x64

10

114f1c23da...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    07-07-2024 04:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    114f1c23daae885f851b9cf1fdaf8457.exe

  • Size

    797KB

  • MD5

    114f1c23daae885f851b9cf1fdaf8457

  • SHA1

    82338420d02452dfbd4bed8ed753e50739f27484

  • SHA256

    b77fc538e119d7b94ac123c2fe21b5d403316cbc4510479130f195a18dc61f32

  • SHA512

    262650ad16731df09db9f6f5c816d45e6e2b9bf72a3d8af30ec121d3a1f0fc6e402da3117ecee472af777c7a6e1ac8fa5cd5e7c4ab7517fc7d2d61a9d9659ddb

  • SSDEEP

    24576:jqxzXQRlUnZRJOU3MlrQvB5LcFFVo7S+vRSBJIZJi:jq91ZR0U3MlMvHcFFVo7EBAJi

Score
10/10
redlinesectopratcheatdiscoveryexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.78:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\114f1c23daae885f851b9cf1fdaf8457.exe
    "C:\Users\Admin\AppData\Local\Temp\114f1c23daae885f851b9cf1fdaf8457.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\114f1c23daae885f851b9cf1fdaf8457.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2620
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vQYTRFwVF.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vQYTRFwVF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2060
    • C:\Users\Admin\AppData\Local\Temp\114f1c23daae885f851b9cf1fdaf8457.exe
      "C:\Users\Admin\AppData\Local\Temp\114f1c23daae885f851b9cf1fdaf8457.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpC320.tmp
    Filesize

    1KB

    MD5

    8058edbb8feaf4655a5d1496bf78de93

    SHA1

    a15a476735b2d3af3682346159e33866f8c313e4

    SHA256

    6bdc8357f1362f0809b158dced562b08e7344aebe48d40932e3f30c525153034

    SHA512

    0bfcffe0093517e84f2055761107ae3927d4953d3420fc66dd7aa0a58db16123e518bc6bdc590224bdb14dcf1a9b595f869062f6a523b2ca47d8374d9e1e2a10

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpDE93.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpDEA9.tmp
    Filesize

    92KB

    MD5

    de7d702f13db499233da2c87959d7696

    SHA1

    8d51283dc6b41cae89ac01928cd0460604ff1d3e

    SHA256

    78e689d13f1ff71daeb36634831fa7457a8c90ea465a3e342aef921d8ca82b34

    SHA512

    a57e198ff5e32453ac99d6aefb5ab71f9cb4c80006f2a75d3c3e0ef28a0ca00f387110788edc1df1e0a7ab9a2503571e82749e51acf7c67e654a586503754045

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    2c8eb4968282de8480a7fea29e3ad66c

    SHA1

    2ac1cb7be5d337baeeb8a5c797ab1185aad537cb

    SHA256

    302279a8119c383ef2c6b47f05e960f004a7677ac0c978b1dd15aac04d873685

    SHA512

    f24d10a40390f9eacf5b599c69413c71e2989bace5efc6892b40e9b4070c57f637217ef1a70c1641a304eb2770e68495447fba627f71cb8135d996a1711ee346

    Download Submit
  • memory/884-30-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-21-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-29-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-23-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-25-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-19-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-28-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/884-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-3-0x00000000009C0000-0x00000000009DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2632-4-0x00000000006A0000-0x00000000006A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2632-5-0x0000000000970000-0x000000000097C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2632-0-0x000000007433E000-0x000000007433F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2632-6-0x0000000004490000-0x000000000452A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/2632-31-0x0000000074330000-0x0000000074A1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2632-2-0x0000000074330000-0x0000000074A1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2632-1-0x0000000000FC0000-0x000000000108A000-memory.dmp
    Filesize

    808KB

    Download