a4e10fe06bb5202f8b07f3264adf23bd3d3825e214fef6b096adbe5d6a530e91

Analysis

max time kernel
131s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 21:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMPLATES/redalert3.exe
Size

49KB
MD5

9a0d407e720246d6a48ef7cc369c49ef
SHA1

cd7e422b3130298e2075838a7ccdd6eaedd2ca1f
SHA256

5cd375441e87c3e728694fa7d956fedde62e5bc537e4c615a60107902f5fe58e
SHA512

b70d8068a69b54dfe598852178d3c88b71a5d445108d5aab0a1f068dda58b71906740a838a1497fae543c8bf276812164f50b0103a5828b9cc278c9d6e94d215
SSDEEP

768:2hMZ0dF4ZFvQbn+eePu3cIQGCGbiC4k42M3wJJEX7NQz2r0/djiJXj+Jp:2yZMSZFvknTePMZd4k4kJJELR6dkG

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
804	redalert3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.i4455.com/?005"	regedit.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	redalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "G:\\\\Program Files\\\\360safe\\\\safemon\\\\safemon.dll"	redalert3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32\ = "G:\\\\WINDOWS\\\\system32\\\\urlFilter.dll"	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	redalert3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}	redalert3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{98B7C13A-E9CD-4959-8B46-FBEAB41E42A8}\InprocServer32	redalert3.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1448	regedit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	804	redalert3.exe
Token: SeBackupPrivilege	804	redalert3.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30
PID 804 wrote to memory of 1448	804	redalert3.exe	30

C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\redalert3.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMPLATES\redalert3.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kjfs.reg"
  2⤵
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Runs .reg file with regedit
  PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kjfs.reg

Filesize
292B

MD5
cfb618699ec57373511da638964db3e1

SHA1
db21b9920309072ab99fd6ae186d807c5033f224

SHA256
5fe9110e3d21d291d9d55d4830ed71597b60b671987067435b97888c7074bbde

SHA512
76f445ffea81e71c28c3785e91f74213950ed73eaeece926e194005dbbe3d92368d3cd6323a496528f2bcd3da851259e93fabbc22db7cbbe23c911c9c1e0ac75

Download Submit
\Users\Admin\AppData\Local\Temp\nsp7C04.tmp\System.dll

Filesize
10KB

MD5
2b54369538b0fb45e1bb9f49f71ce2db

SHA1
c20df42fda5854329e23826ba8f2015f506f7b92

SHA256
761dcdf12f41d119f49dbdca9bcab3928bbdfd8edd67e314d54689811f9d3e2f

SHA512
25e4898e3c082632dfd493756c4cc017decbef43ffa0b68f36d037841a33f2a1721f30314a85597ac30c7ecc99b7257ea43f3a903744179578a9c65fcf57a8b7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads