Overview

overview

10

Static

static

3

Payment slip.exe

windows7-x64

10

Payment slip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    34s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 18:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment slip.exe

  • Size

    512KB

  • MD5

    b92535559e0c12ec6d82c306a9fe005e

  • SHA1

    17c8378cbb1c028a29a980314e42b41882b8d08e

  • SHA256

    8f1b4c576d938b2a1b57711546d753a7d86e37c589d7da3d4c694546ce3fd3c6

  • SHA512

    04c41696a5fa8f19fa966c3c26b35d0708f1f605a354d6a30b645b308cf3e3336ba9c5e710e5dad071ac135d217898c63b2917c5ab490a466f41b7f73868095a

  • SSDEEP

    12288:T22iNeSY+aZrwr1phF+6BUl8X9usdRuZ9dAHWQsWbIwaFIYvuRrwNYow+b:C14/4rLH+6wqvy4HVsxIeoOYoX

Score
10/10
redlinesectopratcheatcredential_accessdiscoveryexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

billred229102.duckdns.org:26546

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SqmOaLo.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SqmOaLo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3024
    • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1B38.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp1B4E.tmp
    Filesize

    92KB

    MD5

    f4043b9b54cb32b738ca265397e3fa05

    SHA1

    0ee24b3f338b66b3a9f87d2fe4920759f1849cda

    SHA256

    fdbc98007cc9a5c7497e088ffb8841c857d924fa4104bd77ecfff7e917342500

    SHA512

    6b46b0faf55d927c0cfa46a05dc554036992c83e2a4ff47867f2b3dda16c7d4b184514532c88a7c3457de7d19712e07ed3b650de991871a13c0058be1d84496f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpFD24.tmp
    Filesize

    1KB

    MD5

    f5e540457d5eaebc684f625f256c23c2

    SHA1

    faeb982c3879e062fc36d401c5745f062da8fb9f

    SHA256

    6ec04bde3a10287a661c60c29e20e7577e4cb4f0cee8a9cb863104e7733ac22d

    SHA512

    919890f6ba64b1f4cfc2d9513c7caae56f9bcf23e18cafcdcc3d1f41651c1997d99b8f694970b96478c5fa44ddcf6b56f411604fdbbe2ed580bdbac4eeb142d9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    d45df769b2dac075a403a9a26019cde6

    SHA1

    1d6a9fabec700b3f2c5150117c36aa2335ef64aa

    SHA256

    10f48c6942b379c30c92c415c3c5ab858c642f5195b78c227f1a0e5be8205e69

    SHA512

    2659dd8e01386a6b40d21fe73c108040ff2fedcf815bfbac465c2bca2411fa0f989cddfd79355d044d7eb67c87720a38d60ee5b6fd6bc2a415b9c334e9eb1d78

    Download Submit
  • memory/288-32-0x00000000742F0000-0x00000000749DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/288-0-0x00000000742FE000-0x00000000742FF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/288-6-0x0000000004650000-0x00000000046B0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/288-4-0x0000000000AE0000-0x0000000000AEA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/288-3-0x00000000005C0000-0x00000000005D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/288-1-0x00000000010E0000-0x0000000001166000-memory.dmp
    Filesize

    536KB

    Download
  • memory/288-2-0x00000000742F0000-0x00000000749DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/288-5-0x0000000000AF0000-0x0000000000AFE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2684-25-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-21-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2684-23-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-31-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-29-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-28-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2684-19-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download