Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
18-07-2024 14:44
Static task
static1
Behavioral task
behavioral1
Sample
13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
Resource
win7-20240704-en
General
-
Target
13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
-
Size
776KB
-
MD5
7d2707c4a1d779e025917f865c103e4b
-
SHA1
62c0d32e2662d32951b4aa172a2be8be7f3b0fbb
-
SHA256
13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5
-
SHA512
c9ae482eba6b3eef6d1a96838862fa79a96b99297effa99255647f45e73045e9a2bbeb287a13486ac49d647947a0a7fad0f43aa59fe65174a328b227e08dbb6f
-
SSDEEP
24576:LYYSZ54auRRAfJhXwlsnGSKxyBp9eGqqxO5X:2GyjUP9X
Malware Config
Extracted
redline
cheat
185.222.57.153:55615
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
behavioral1/memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp  family_redline
-
SectopRAT payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
behavioral1/memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp  family_sectoprat
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2192  powershell.exe
2372  powershell.exe
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2812  PO.exe
1732  PO.exe
-
Loads dropped DLL 5 IoCs
Processes:
pid   process
2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
2812  PO.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process  target process
PID 2812 set thread context of 1732  2812  PO.exe   PO.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
2812  PO.exe
2812  PO.exe
2812  PO.exe
2812  PO.exe
2372  powershell.exe
2192  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2812  PO.exe
Token: SeDebugPrivilege  2372  powershell.exe
Token: SeDebugPrivilege  2192  powershell.exe
Token: SeDebugPrivilege  1732  PO.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2684  DllHost.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description  pid  process  target process
PID 2800 wrote to memory of 2812  2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe  PO.exe
PID 2800 wrote to memory of 2812  2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe  PO.exe
PID 2800 wrote to memory of 2812  2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe  PO.exe
PID 2800 wrote to memory of 2812  2800  13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe  PO.exe
PID 2812 wrote to memory of 2192  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2192  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2192  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2192  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2372  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2372  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2372  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2372  2812  PO.exe  powershell.exe
PID 2812 wrote to memory of 2412  2812  PO.exe  schtasks.exe
PID 2812 wrote to memory of 2412  2812  PO.exe  schtasks.exe
PID 2812 wrote to memory of 2412  2812  PO.exe  schtasks.exe
PID 2812 wrote to memory of 2412  2812  PO.exe  schtasks.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
PID 2812 wrote to memory of 1732  2812  PO.exe  PO.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe
"C:\Users\Admin\AppData\Local\Temp\13905f844c59906aaf353a12fc820dfeb56f5f1d781ca5b20e24bb20d1542ab5.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AdCwxzRPlmXEbv.exe"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AdCwxzRPlmXEbv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp"
    - Scheduled Task/Job: Scheduled Task
    -
    C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize 48KB
MD5 e83ccb51ee74efd2a221be293d23c69a
SHA1 4365ca564f7cdd7337cf0f83ac5fd64317fb4c32
SHA256 da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc
SHA512 0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46
-
C:\Users\Admin\AppData\Local\Temp\tmp2FF6.tmp
Filesize 1KB
MD5 abf5f4e9a31411bbd95e2a3933145f77
SHA1 78accd11dd4fe969df861f512b9d30e51c01ef1a
SHA256 f22386dc8644f0e213de1a74676ee3379f868f3b091cd77e0d96071a40c5ef6b
SHA512 4964ff4251ba79ca05419b2d8d45f09d0fb10aef361ffcd77001ca92d0638e0a9f4354ca85e3fcb8c9c04c8a6e10555f8f27c156c12834a190d0173cff801af2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 d23037b0eff19060ac445852dd082445
SHA1 a41c1f658cd6ce05d56a208b4c46412abce40e74
SHA256 4dc2b43cad929d8f754c61673fda31bd6824ebc0080cdaa505fb987c24e09653
SHA512 4293060b0767430f33a2826b88948e8890ff7f84238595be648f16ed84d16fb20b29d4e0af976e4744df16fe68a7e27df46b5327482e8c31da81b8cbe22339a8
-
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize 675KB
MD5 22c86949178066a53d70309553f8b44e
SHA1 eb4a99acdc4b638528902c8e8480bc1f58a457b5
SHA256 b9d43a80163b702f8c3d2aac0409bb2d945368e68b9c4cbe29e888ceff2fb953
SHA512 0364deec86a6658b6d5b9085fd84f4cfef57b59a45ecfa5625de6a0e8bb6c5387644af66a0374f053c23045a370717abf3c97a8376deed3ed8cb01a7206cbb72
-
memory/1732-40-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-52-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-51-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-42-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-44-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/1732-49-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/1732-46-0x0000000000400000-0x000000000041E000-memory.dmp
Filesize 120KB
-
memory/2684-5-0x0000000000180000-0x0000000000182000-memory.dmp
Filesize 8KB
-
memory/2684-6-0x0000000000450000-0x0000000000451000-memory.dmp
Filesize 4KB
-
memory/2684-53-0x0000000000450000-0x0000000000451000-memory.dmp
Filesize 4KB
-
memory/2800-4-0x00000000004E0000-0x00000000004E2000-memory.dmp
Filesize 8KB
-
memory/2812-26-0x0000000005270000-0x00000000052D0000-memory.dmp
Filesize 384KB
-
memory/2812-25-0x0000000000540000-0x000000000054E000-memory.dmp
Filesize 56KB
-
memory/2812-24-0x0000000000370000-0x0000000000380000-memory.dmp
Filesize 64KB
-
memory/2812-23-0x0000000004890000-0x0000000004902000-memory.dmp
Filesize 456KB
-
memory/2812-21-0x0000000000960000-0x0000000000A0A000-memory.dmp
Filesize 680KB