Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 12-07-2024 01:36

Static task: static1
Behavioral task: behavioral1
Sample: Contract Quotation Details - Rotational Suppl.exe
Resource: win7-20240705-en
General

Target: Contract Quotation Details - Rotational Suppl.exe
Size: 1.0MB
MD5: 715d0979fbadb19889e7963f7c33f501
SHA1: 3ad746befebb85f942868a1f5338cb4e36f355e1
SHA256: 1b57c64883831484a42351afc0319f33f2dd4ed19b60461a9f65cba5bae1ecd5
SHA512: 639a322cf569f6d8aeb03c4ddfc8db30f81cc13ab0f3ec1fa19f644c88393adfac24964392c61b0ec213499fd5603b9d51af240aba447226b4357ff8c4571d8a
SSDEEP: 24576:7AHnh+eWsN3skA4RV1Hom2KXMmHa7cGNS5Z5:Wh+ZkldoPK8Ya7crx
Malware Config

Extracted
Family: redline
Botnet: french
C2: 91.92.243.245:47477
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 3 IoCs
resource                                                                      yara_rule
behavioral1/memory/2804-11-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2804-15-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline
behavioral1/memory/2804-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_redline

SectopRAT payload 3 IoCs
resource                                                                      yara_rule
behavioral1/memory/2804-11-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2804-15-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat
behavioral1/memory/2804-13-0x0000000000400000-0x000000000041E000-memory.dmp   family_sectoprat

Both rule sets matched the same three snapshots (sequence 11, 13 and 15) of a single region, 0x400000-0x41E000 in PID 2804, and the configuration extracted from the run is a RedLine one. The SectopRAT tag is therefore most likely an overlapping rule match on the same in-memory payload, not evidence of a second implant.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Suspicious use of SetThreadContext 1 IoCs
Processes:
description                              pid    process                                              target process
PID 2228 set thread context of 2804      2228   Contract Quotation Details - Rotational Suppl.exe    RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid    process
2804   RegSvcs.exe
2804   RegSvcs.exe

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid    process
2228   Contract Quotation Details - Rotational Suppl.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   2804   RegSvcs.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                          pid    process                                              target process
PID 2228 wrote to memory of 2804     2228   Contract Quotation Details - Rotational Suppl.exe    RegSvcs.exe
(the same row is recorded 8 times: eight WriteProcessMemory calls from 2228 into 2804)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Contract Quotation Details - Rotational Suppl.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Contract Quotation Details - Rotational Suppl.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Contract Quotation Details - Rotational Suppl.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The child's image on disk is the .NET framework utility RegSvcs.exe, but its command line is the dropper's own path. Read together with the signature rows, this is process hollowing: the dropper (PID 2228) created RegSvcs.exe (PID 2804), wrote into it eight times, and redirected execution with SetThreadContext; the hollowed RegSvcs.exe then enabled SeDebugPrivilege and enumerated processes. The family_redline / family_sectoprat hits are on that child's 0x400000-0x41E000 region, i.e. on the injected payload, not on the RegSvcs.exe binary.
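The chain above (create child, WriteProcessMemory, SetThreadContext, YARA hits inside the child) is what an analyst wants to pull out of a report automatically. The Python below is an added example and is not tooling from the sandbox vendor or from the RedLine authors; the event list, command lines and dump names are constructed by hand from the rows of this report, and the DOTNET_HOSTS set is an assumption about which .NET utilities C# crypters commonly hollow.

```python
"""Correlate sandbox behaviour rows into a process-hollowing finding and tie
the YARA-tagged memory dumps back to the hollowed child.

Added illustration, not vendor or malware-author code. EVENTS, IMAGES,
CMDLINES and YARA_DUMPS are constructed from this report; DOTNET_HOSTS is
an analyst's assumption.
"""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Contract Quotation Details - Rotational Suppl.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Image path per PID and the command line each process was started with (from the
# process tree: the child keeps the dropper's command line, not its own path).
IMAGES = {2228: DROPPER, 2804: HOST}
CMDLINES = {2228: f'"{DROPPER}"', 2804: f'"{DROPPER}"'}

# Constructed behaviour events (api, source pid, target pid), in report order.
EVENTS = [("CreateProcess", 2228, 2804)]
EVENTS += [("WriteProcessMemory", 2228, 2804)] * 8
EVENTS += [("SetThreadContext", 2228, 2804)]

# YARA-tagged dump names exactly as the report lists them.
YARA_DUMPS = [
    "memory/2804-11-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/2804-15-0x0000000000400000-0x000000000041E000-memory.dmp",
    "memory/2804-13-0x0000000000400000-0x000000000041E000-memory.dmp",
]

# Assumption: .NET framework utilities that C# crypters routinely use as hosts.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
                "aspnet_compiler.exe"}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")


def find_hollowing(events, images, cmdlines):
    """One finding per (writer, target) pair where the writer created the target,
    wrote into it, and then reset a thread context: the classic hollowing order."""
    created, writes, findings = set(), defaultdict(int), []
    for api, src, tgt in events:
        if api == "CreateProcess":
            created.add((src, tgt))
        elif api == "WriteProcessMemory":
            writes[(src, tgt)] += 1
        elif api == "SetThreadContext" and (src, tgt) in created and writes[(src, tgt)]:
            image = images[tgt]
            basename = image.rsplit("\\", 1)[-1].lower()
            # The image loaded from disk is one binary while the command line names
            # another: the command-line binary is what the child pretends to be.
            cmd_path = cmdlines[tgt].strip('"').lower()
            findings.append({
                "writer": src,
                "target": tgt,
                "writes": writes[(src, tgt)],
                "dotnet_host": basename in DOTNET_HOSTS,
                "cmdline_mismatch": cmd_path != image.lower(),
            })
    return findings


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start}


def tagged_regions(dump_names, finding):
    """Group YARA-tagged dumps by address range, keeping only those inside the
    hollowed target; several snapshots of one range are one payload, not several."""
    regions = defaultdict(list)
    for d in map(parse_dump, dump_names):
        if d["pid"] == finding["target"]:
            regions[(d["start"], d["end"])].append(d["seq"])
    return {
        f"0x{s:x}-0x{e:x}": {"size": e - s, "snapshots": sorted(q)}
        for (s, e), q in regions.items()
    }


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, IMAGES, CMDLINES):
        print("hollowing:", f)
        print("payload regions:", tagged_regions(YARA_DUMPS, f))
```

On this report the finding is writer 2228, target 2804, eight writes, a .NET host, and a command-line/image mismatch; the three tagged dumps collapse to one region of 0x1E000 bytes (the 120KB the report shows) seen at snapshots 11, 13 and 15, which is the right way to count payloads before opening them in a disassembler.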
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6BC0.tmp
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp6BD5.tmp
Filesize: 92KB
MD5: de7d702f13db499233da2c87959d7696
SHA1: 8d51283dc6b41cae89ac01928cd0460604ff1d3e
SHA256: 78e689d13f1ff71daeb36634831fa7457a8c90ea465a3e342aef921d8ca82b34
SHA512: a57e198ff5e32453ac99d6aefb5ab71f9cb4c80006f2a75d3c3e0ef28a0ca00f387110788edc1df1e0a7ab9a2503571e82749e51acf7c67e654a586503754045

memory/2228-10-0x0000000000150000-0x0000000000154000-memory.dmp
Filesize: 16KB

memory/2804-11-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/2804-15-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/2804-13-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize: 120KB

memory/2804-16-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
Filesize: 4KB

memory/2804-17-0x0000000074D20000-0x000000007540E000-memory.dmp
Filesize: 6.9MB

memory/2804-87-0x0000000074D20000-0x000000007540E000-memory.dmp
Filesize: 6.9MB