Overview

overview

10

Static

static

3

7D2707C4A1...4B.exe

windows7-x64

10

7D2707C4A1...4B.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    17-07-2024 02:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7D2707C4A1D779E025917F865C103E4B.exe

  • Size

    776KB

  • MD5

    7d2707c4a1d779e025917f865c103e4b

  • SHA1

    62c0d32e2662d32951b4aa172a2be8be7f3b0fbb

  • SHA256

    13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5

  • SHA512

    c9ae482eba6b3eef6d1a96838862fa79a96b99297effa99255647f45e73045e9a2bbeb287a13486ac49d647947a0a7fad0f43aa59fe65174a328b227e08dbb6f

  • SSDEEP

    24576:LYYSZ54auRRAfJhXwlsnGSKxyBp9eGqqxO5X:2GyjUP9X

Score
10/10
redlinesectopratcheatexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.153:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe
    "C:\Users\Admin\AppData\Local\Temp\7D2707C4A1D779E025917F865C103E4B.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AdCwxzRPlmXEbv.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2536
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AdCwxzRPlmXEbv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp732.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:568
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:632
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
    Filesize

    48KB

    MD5

    e83ccb51ee74efd2a221be293d23c69a

    SHA1

    4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

    SHA256

    da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

    SHA512

    0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp732.tmp
    Filesize

    1KB

    MD5

    519fc09020c13b12c0352e3b663835d2

    SHA1

    a24c63b613d3bac2c45386b4244d810162faef94

    SHA256

    0f899396dabc9309bf480e7c448c5afc29e802d261132d315880873152f331f3

    SHA512

    bdde13d799e5c80233cf98aaeeabf0ab45cb31514565a310dbebc928c1aff6e176907cd32b488632666b919783b693580f836979c95d09d70e4eda883ea1f4a6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    0b9e96ad035f6053206fb84f8f99ca24

    SHA1

    3e4e626d560aec61f3c772fea5c5b3c83bed9c38

    SHA256

    5ebb0ced8757d0e646c9db4e144da3f023a585059cbd7a561ddadd2c2e59d346

    SHA512

    d9c1d2409b7823e11ce47576f1888f7ad4f296bb34c72cda93632ae65139a96708828d6ab4ab72b1d1b620cbda0d881b85ddbaf6d1e50b913a3b98507d757c00

    Download Submit

  • \Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    Filesize

    675KB

    MD5

    22c86949178066a53d70309553f8b44e

    SHA1

    eb4a99acdc4b638528902c8e8480bc1f58a457b5

    SHA256

    b9d43a80163b702f8c3d2aac0409bb2d945368e68b9c4cbe29e888ceff2fb953

    SHA512

    0364deec86a6658b6d5b9085fd84f4cfef57b59a45ecfa5625de6a0e8bb6c5387644af66a0374f053c23045a370717abf3c97a8376deed3ed8cb01a7206cbb72

    Download Submit

  • memory/632-46-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-52-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-51-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-42-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-44-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-40-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-49-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/632-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-53-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-7-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2364-5-0x00000000001B0000-0x00000000001B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2556-4-0x00000000004C0000-0x00000000004C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2916-26-0x00000000051B0000-0x0000000005210000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2916-25-0x0000000000680000-0x000000000068E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2916-23-0x0000000000CF0000-0x0000000000D62000-memory.dmp

    Filesize

    456KB

    Download

  • memory/2916-24-0x00000000005D0000-0x00000000005E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2916-21-0x00000000012D0000-0x000000000137A000-memory.dmp

    Filesize

    680KB

    Download