Overview

overview

10

Static

static

3

Payment slip.exe

windows7-x64

10

Payment slip.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    25-07-2024 05:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment slip.exe

  • Size

    504KB

  • MD5

    c4b108f45b87751371fb6e78597772ae

  • SHA1

    e60ae2b84d36714099a929b5af304e9a40857ba6

  • SHA256

    ced3557310b98b8a1ede8c1c24c4997a2eb2e05e561dd0b6ca36627f0d987d14

  • SHA512

    523ccc014c320c2371ed7ed75d67befa83b68b9f22f5e1b2a10c6343a4bf9ec711aa06cddb3631ef373980d3b6fb507bb514e71274e0f66d28e873624df66fbd

  • SSDEEP

    12288:9C/ccUT6hn8ZISOD4CsfmADREaj3qLCaSnAmCwocAMee/c:eccEan8+vD4B76aa6AN4AMp/c

Score
10/10
redlinesectopratcheatcredential_accessdiscoveryexecutioninfostealerratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

billred229102.duckdns.org:26546

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2764
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mueIOWjsOyku.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mueIOWjsOyku" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA380.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2740
    • C:\Users\Admin\AppData\Local\Temp\Payment slip.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment slip.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpA380.tmp
    Filesize

    1KB

    MD5

    b2aaedc2b6285afdaaa250bd4e66698e

    SHA1

    35529104bbd54f59f8653cd66beca3c13501e802

    SHA256

    416ed0d36cabef61cc1af5ad54f13b31e9a91000ffe97be565fa0a46e4d104a5

    SHA512

    baaca16708d821d51b39a8b570f1629a579ec76fe270006999cd50cb742cc90ccff4ebaa8eca19e118e0d6fdd8ab158989c7e017dc066a5aca41b6a3b314496f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC45A.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC47F.tmp
    Filesize

    92KB

    MD5

    dd6944619a1cff7c63c0e49ed65368ca

    SHA1

    a055ce9efa2206cdc35b924d43a5d06f453ce777

    SHA256

    58ea6de2879649260c0a62b6e8e045e88c3311978e993f63a8dfcdb0dba9f05d

    SHA512

    856d454cd202fc39bec08f7ea7fb9c631e5531c1d5ffc269d3ea4ef2cdd568b176da0f8e00ffd8c80eaad461cecbce213fa4cd46b142a7760fd32815261fddd7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FGHDQD44H5TL1K17JW5W.temp
    Filesize

    7KB

    MD5

    a318ec8999ab8b87246a4e7c98febc8e

    SHA1

    d5bc502868130fa75be62c2da907bd29fab32d46

    SHA256

    f8b02f6e0d97a4530dd4b6810dd89e021e10a0dd61bce446fd25a6f9b97f0d62

    SHA512

    fe3f2b2f6e0405dbf58eb18407edef1ea93a672e39e5374f6d284a6f330042e73a42586eaccad63d3c9beb6581f5101c0d803638098655809dd268fb041f3578

    Download Submit
  • memory/2508-1-0x0000000000890000-0x000000000090E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/2508-2-0x0000000073F80000-0x000000007466E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2508-3-0x00000000004A0000-0x00000000004AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2508-4-0x00000000004E0000-0x00000000004EE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2508-5-0x0000000002130000-0x0000000002190000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2508-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2508-30-0x0000000073F80000-0x000000007466E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2668-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2668-27-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-25-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-23-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-19-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-20-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-28-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2668-29-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download