redline | f23362d0bd13b2226f2b422371fef0cf838e1f8aafeb010f4768493ba1053d22

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08-07-2024 09:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new.ps1
Size

242KB
MD5

aa0d92ff6d6a1d18f6149f6d0ad03139
SHA1

6a33134bf530a61b764bf2287baf8fd0aea603ab
SHA256

f97c9c2965a77ff2bc0cfd54b6d6102d1aab09a4e66a3a19b1b633adfecb874f
SHA512

4fff4cb24271e0cd74d1eec0cca903abb8dfb8dc02f574f606a6e32a0e0181cc0c0a36884d1132932a154bf84440c10066b76972a990c3114fe3b088103b8ea3
SSDEEP

3072:OArNzTVf/Cjx58ri12gF5p2wgy36JEpG5bOxD0qc+8IZLFV2rKppKtpgEezbInG:OARx/65rp2wgy5psqxDrv2epEPezbInG

Score

10^/10

redline sectoprat max execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

MAX

maxwiz1221.duckdns.org:45867

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4340-55-0x0000023052070000-0x000002305208E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4340-55-0x0000023052070000-0x000002305208E000-memory.dmp	family_sectoprat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 4340 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation WScript.exe

flow	pid	process
5	4340	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aeZaeCPwTj = "C:\\Users\\Admin\\AppData\\Roaming\\sehKCN.vbs"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2800 powershell.exe
4340 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings powershell.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1212 reg.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

2800 powershell.exe
2800 powershell.exe
4340 powershell.exe
4340 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2800 powershell.exe
Token: SeDebugPrivilege 4340 powershell.exe
Token: SeDebugPrivilege 4340 powershell.exe

pid	process
2800	powershell.exe
4340	powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-771719357-2485960699-3367710044-1000_Classes\Local Settings	powershell.exe

pid	process
1212	reg.exe

pid	process
2800	powershell.exe
2800	powershell.exe
4340	powershell.exe
4340	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe
Token: SeDebugPrivilege	4340	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

powershell.exeWScript.exepowershell.execsc.exe

description	pid	process	target process
PID 2800 wrote to memory of 1120	2800	powershell.exe	WScript.exe
PID 2800 wrote to memory of 1120	2800	powershell.exe	WScript.exe
PID 2800 wrote to memory of 1212	2800	powershell.exe	reg.exe
PID 2800 wrote to memory of 1212	2800	powershell.exe	reg.exe
PID 1120 wrote to memory of 4340	1120	WScript.exe	powershell.exe
PID 1120 wrote to memory of 4340	1120	WScript.exe	powershell.exe
PID 4340 wrote to memory of 228	4340	powershell.exe	csc.exe
PID 4340 wrote to memory of 228	4340	powershell.exe	csc.exe
PID 228 wrote to memory of 3420	228	csc.exe	cvtres.exe
PID 228 wrote to memory of 3420	228	csc.exe	cvtres.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\new.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sehKCN.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exEc byPaSS -fiLe C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1vzkwggh\1vzkwggh.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6DF.tmp" "c:\Users\Admin\AppData\Local\Temp\1vzkwggh\CSCB9DF1E1C29364FB5AB2B48CF3194286.TMP"
5⤵
PID:3420

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" Add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v aeZaeCPwTj /t REG_SZ /d C:\Users\Admin\AppData\Roaming\sehKCN.vbs /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1vzkwggh\1vzkwggh.dll

Filesize
96KB

MD5
569fd81ddda70a1c854444e3c7ccfa64

SHA1
b476a1cc757299cba95a307cb3f06a5d668251c2

SHA256
cf14d34e5c8571341a40a342c118315c50fec92c13a6066f183839eef4da1593

SHA512
01c74cb02927b45d70c4adf8905064b82e6f81e2c798665f5607870bab2920de90a3215cfa3eecb426ff09b9a538650101f13453c52ce4fdf2b38a68020095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA6DF.tmp

Filesize
1KB

MD5
e15a52a07387dc7489fbe04509f67d11

SHA1
cad88279080a39e343170dddc046828ad75c00e2

SHA256
d6b87b1d27384806d695cace44ab1cbaf726c284b9865e2fe8e2752e7c2e5ae7

SHA512
e054a540db1ea442e45703e8145137fab546f6d76d744677c5d2a0f945064d370eddaa7d2460fbb73dc3e29d5524ba3f179c70c0ee3131f218c786be8fb6572c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4v5wgzp.4jq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\VubuyfaVLadTy.ps1

Filesize
179KB

MD5
4f7d1b610c3154a148e0c3787cd8ec58

SHA1
81b7e5ea9dfcc05890f4e1574c8496a882291b86

SHA256
ac2216db81d8b78950a74601205b638d8c9076e11903d13efe82cfd7fd126845

SHA512
2b87fcb60288f3ff363ae7e054a3ab1be5b0f2a57a8e40996b94c9a934f962d14a1af1ca2f681a62fb08cf2dbb4bd9f69c2284322fbc185734b672478d89e68a

Download Submit
C:\Users\Admin\AppData\Roaming\sehKCN.vbs

Filesize
2KB

MD5
e5671d6bb4b7c012a32158fadea3c560

SHA1
e05b3e5897ee5c521ac5f71210d203b146f8dc52

SHA256
780df088a515769d8880fec4b674886aaa6969b923915dd20de59ac15fd5dc45

SHA512
82965d196eae0be74a2b1a408ced7daa198d634cb35b5a4fe746eb8fdc5bb52d1134509bb4ab69a2cf8e6f8dd8b195fb07bca183ce260b0b492e89ebc3f997f0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vzkwggh\1vzkwggh.0.cs

Filesize
50KB

MD5
37f63f0f16b64ce7d236cd71617be27a

SHA1
da34f42ade8f9a59819daf8f7aee8641ac759d9f

SHA256
2df77f6e41d5554787155f07d45751ab3b4a62f49c350197cafdd3f3159beed3

SHA512
3d6fec1c6269cdd0d9ca8ca8ba9a77fdf8b26d5cd3a936c578f3e7e7eb14efd0becc3aa64d4429deab03f03eeb07f6830d2f8d99e2dd6f330f62884149b0c518

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vzkwggh\1vzkwggh.cmdline

Filesize
369B

MD5
d8c4a1edff911b87f738423f7d0d2bc9

SHA1
ef30996fb88bea30b84b57f9310e9e6a36a90395

SHA256
3af85c9cdc5d863c6053d2929876cab15a66e48c00e3705450090eb7fcf63715

SHA512
8d1c8c240ef171f2ec4391bc6f589318a234129231b2c31cc0267f6c1a71e0e4a2059e4cad018ca3b8e5baa2d6b8401741bc01caa35667e8dbeb203e2c261a47

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1vzkwggh\CSCB9DF1E1C29364FB5AB2B48CF3194286.TMP

Filesize
652B

MD5
81a54912753b71e8b63f4a3b59768bb9

SHA1
4a26c027d193b960ce3d7e28bbfc5db345082254

SHA256
a95681afb22327e166a4b7f4d97d2be0df2aed8d377c25e257c50e5a12aa05bc

SHA512
8d3be674a557cf6bb1572d18aa12d950bcba387659af31d6e1aec3f6da6c0bf744e842eeb438469f8599db6451bdf21300e18f03fde48121be252b204075e185

Download Submit
memory/2800-0-0x00007FFCB1423000-0x00007FFCB1425000-memory.dmp

Filesize
8KB

Download
memory/2800-22-0x00007FFCB1420000-0x00007FFCB1EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-14-0x00007FFCB1420000-0x00007FFCB1EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-20-0x000002CF68DF0000-0x000002CF6900C000-memory.dmp

Filesize
2.1MB

Download
memory/2800-10-0x000002CF69140000-0x000002CF69162000-memory.dmp

Filesize
136KB

Download
memory/2800-11-0x00007FFCB1420000-0x00007FFCB1EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2800-15-0x00007FFCB1420000-0x00007FFCB1EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-48-0x0000023050E90000-0x0000023050EAE000-memory.dmp

Filesize
120KB

Download
memory/4340-52-0x0000023052060000-0x0000023052066000-memory.dmp

Filesize
24KB

Download
memory/4340-55-0x0000023052070000-0x000002305208E000-memory.dmp

Filesize
120KB

Download
memory/4340-56-0x00000230520B0000-0x00000230520C2000-memory.dmp

Filesize
72KB

Download
memory/4340-57-0x0000023052110000-0x000002305214C000-memory.dmp

Filesize
240KB

Download