Overview

overview

10

Static

static

1

new.ps1

windows7-x64

6

new.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new.ps1

  • Size

    242KB

  • MD5

    aa0d92ff6d6a1d18f6149f6d0ad03139

  • SHA1

    6a33134bf530a61b764bf2287baf8fd0aea603ab

  • SHA256

    f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f

  • SHA512

    4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3

  • SSDEEP

    3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

Score
10/10
redlinesectopratmaxexecutioninfostealerpersistencerattrojan

Malware Config

Extracted

Family

redline

Botnet

MAX

C2

maxwiz1221.duckdns.org:45867

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps1
    1⤵
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:792
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2204
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hdlt2ne4\hdlt2ne4.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4532
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1DB.tmp" "c:\Users\Admin\AppData\Local\Temp\hdlt2ne4\CSC4E0C4D6E45734CFF8B63B834773E89B.TMP"
            5⤵
              PID:3196
      • C:\Windows\system32\reg.exe
        "C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f
        2⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:388

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      a6c9d692ed2826ecb12c09356e69cc09

      SHA1

      def728a6138cf083d8a7c61337f3c9dade41a37f

      SHA256

      a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

      SHA512

      2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESB1DB.tmp
      Filesize

      1KB

      MD5

      bc6fa6ef45c727ee5895fbaf56494a0c

      SHA1

      653d1c52175714938abe0cfc62c2c0a8062b6d03

      SHA256

      eb36fcd4664265aead0ceb965296b4ef0bae4d7d61be1aaa9dce64e5acd8cbd5

      SHA512

      08a91f6f4250436cbb127c986fca9a0dbfca435411539f76ca940a3fcf947e6e543b5bfbdb79c3f97a17132714077b71cc4ff19362976cc0a89e4815c562c111

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lqgtrnm.4bc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\hdlt2ne4\hdlt2ne4.dll
      Filesize

      96KB

      MD5

      43c82bb1652ae0353923ec45c45f7329

      SHA1

      73a4914e513a878284c89f57a6fc07fbedfdfaeb

      SHA256

      251b61c17c981416ba04bd606b2a71e82e27f106048ab720ed04b65ff580a859

      SHA512

      4c7e6f50599d323efb698e1a38513e902d1dc7aafe52f15524d689946269c54bf689b20f6a3ae6177171bbd3e1de54e77b86ac67764ad0b4158d1e0bfbc74fd2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
      Filesize

      179KB

      MD5

      4f7d1b610c3154a148e0c3787cd8ec58

      SHA1

      81b7e5ea9dfcc05890f4e1574c8496a882291b86

      SHA256

      ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845

      SHA512

      2b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\sehKCN.vbs
      Filesize

      2KB

      MD5

      e5671d6bb4b7c012a32158fadea3c560

      SHA1

      e05b3e5897ee5c521ac5f71210d203b146f8dc52

      SHA256

      780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45

      SHA512

      82965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\hdlt2ne4\CSC4E0C4D6E45734CFF8B63B834773E89B.TMP
      Filesize

      652B

      MD5

      f2af1abec7de9c189c4f3738775d71d7

      SHA1

      cdd7829541e042a164f99bcc154ad6bd0165bcfa

      SHA256

      404a19cfc3df3b793d76e126401d24fb9f359dd4c3eff6475287eb7818a4393c

      SHA512

      933dd5b1ec2999ef4c67d2b502f202f28ee7aea832bd7b5300a5c9dfd04ff03773c280b750da93ba60972e81e7dd757c089be0aff9069d75c6d43db53969748d

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\hdlt2ne4\hdlt2ne4.0.cs
      Filesize

      50KB

      MD5

      37f63f0f16b64ce7d236cd71617be27a

      SHA1

      da34f42ade8f9a59819daf8f7aee8641ac759d9f

      SHA256

      2df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3

      SHA512

      3d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\hdlt2ne4\hdlt2ne4.cmdline
      Filesize

      369B

      MD5

      f58abd2439f2944c8a76e9afc967f6b4

      SHA1

      a08814badd18953ad37008b089eec23223116abf

      SHA256

      424329f04f635311c44c4df596b29a7b75078ee06ace2c9ea9674a598a1fde2c

      SHA512

      babefafd9a136c00df29239a7426543ea44f1b8198b6eb954e5de2ec0a0dd4a14dfcd7ffd846321d67a11acd779981c60f1e5823b8b130ff376b0a4e622d56fc

      Download Submit

    • memory/748-14-0x00007FF848A80000-0x00007FF849541000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/748-0-0x00007FF848A83000-0x00007FF848A85000-memory.dmp

      Filesize

      8KB

      Download

    • memory/748-20-0x00000253E70E0000-0x00000253E72FC000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/748-21-0x00007FF848A80000-0x00007FF849541000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/748-11-0x00007FF848A80000-0x00007FF849541000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/748-10-0x00000253E4F10000-0x00000253E4F32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2204-47-0x0000018622A10000-0x0000018622A2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2204-49-0x00000186250F0000-0x00000186250F6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2204-52-0x0000018625100000-0x000001862511E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2204-53-0x0000018625160000-0x0000018625172000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2204-54-0x00000186251C0000-0x00000186251FC000-memory.dmp

      Filesize

      240KB

      Download