Overview

overview

10

Static

static

1

ad86c5cb9f...0N.exe

windows7-x64

10

ad86c5cb9f...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    15-07-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ad86c5cb9f936936ffbae85f43bf2a40N.exe

  • Size

    797KB

  • MD5

    ad86c5cb9f936936ffbae85f43bf2a40

  • SHA1

    8c3916a0807b528dfbc52f2c7826d7e6cbc2320d

  • SHA256

    6e4a44c3de0e80fecece030c2d219e2d20f8bb73366172533f62297d1d5b1d6c

  • SHA512

    7ad6645e4c7365ead5ce38853e3002ad184e2f67604439f32be8c13217e5f5e5c9df68f568d2c6bb16ceb947b6ecb949fad95032fc770ef88be8f7e93efe7c93

  • SSDEEP

    12288:hVVx0xC0+wZHVUXLCZLiF/d6/7iDlpOWphcotUTEvkR:TVxEC7wZ6cLiFa7YlpOqhcotUEq

Score
10/10
redlinesectopratcommanderkingexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

Commanderking

C2

185.216.70.15:65012

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ad86c5cb9f936936ffbae85f43bf2a40N.exe
    "C:\Users\Admin\AppData\Local\Temp\ad86c5cb9f936936ffbae85f43bf2a40N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ad86c5cb9f936936ffbae85f43bf2a40N.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Users\Admin\AppData\Local\Temp\ad86c5cb9f936936ffbae85f43bf2a40N.exe
      "C:\Users\Admin\AppData\Local\Temp\ad86c5cb9f936936ffbae85f43bf2a40N.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2276-18-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2276-1-0x0000000000C80000-0x0000000000D44000-memory.dmp
    Filesize

    784KB

    Download
  • memory/2276-2-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2276-3-0x0000000000500000-0x0000000000512000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2276-4-0x0000000000650000-0x0000000000658000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2276-5-0x0000000000660000-0x000000000066E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2276-6-0x0000000002250000-0x00000000022B0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2276-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2584-20-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2584-24-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2584-7-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-9-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-8-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-17-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-15-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-10-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2584-19-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2584-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2584-23-0x0000000074A40000-0x000000007512E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2584-13-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download