Overview

overview

10

Static

static

3

de1565a5b5...85.exe

windows7-x64

10

de1565a5b5...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    29-07-2024 03:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de1565a5b502c4e2ddf7dbeed2cc4ef685adb6f0731c386943ee6daee4c4fd85.exe

  • Size

    795KB

  • MD5

    76a8dd96ad6d6a1f4c1e58fa5781b5ea

  • SHA1

    320a0c397b4165ea4ff449a1cab48a246022c103

  • SHA256

    de1565a5b502c4e2ddf7dbeed2cc4ef685adb6f0731c386943ee6daee4c4fd85

  • SHA512

    16ec6c93ecf63cfa50ed155ef3b1ccd67b26f76f7884a15648d47745fc495a8dee7e79522d0a051724e36b5dfa879a9c1d9d6bd00f5792cb960a7a2d3879678d

  • SSDEEP

    12288:5X4riL9sU/BYuCQHip+hDa/fRRCcDt19QGHPgBWw/FPOl9H8s41UgHsOBAKRg3l:5XB5vC2ipMDGRRbggwNG9C1UgHs2pkl

Score
10/10
redlinesectopratcheatdiscoveryexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

185.222.57.151:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de1565a5b502c4e2ddf7dbeed2cc4ef685adb6f0731c386943ee6daee4c4fd85.exe
    "C:\Users\Admin\AppData\Local\Temp\de1565a5b502c4e2ddf7dbeed2cc4ef685adb6f0731c386943ee6daee4c4fd85.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1216
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CzfSCteUcgjTy.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CzfSCteUcgjTy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A81.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2224
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        PID:1576
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        PID:1188
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        PID:2808
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    Filesize

    501KB

    MD5

    aeacf1f4574a7d81196ca6d7d84d440e

    SHA1

    b89e2e6a319be2059804cdfddea861f5a071f433

    SHA256

    eccb78602059f4979af2dffcc54c905fdd8a1bd88a8d80de36a2114e5c59fbbd

    SHA512

    96d56d2eddd47b57c36a2bfa932635531990413242e5b8773f8dce5f0c2a2f8a42ec1ec26ea8ceab7128937fb8c7b920722a74cd764c1801aaca26efc52656c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
    Filesize

    48KB

    MD5

    e83ccb51ee74efd2a221be293d23c69a

    SHA1

    4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

    SHA256

    da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

    SHA512

    0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp3A81.tmp
    Filesize

    1KB

    MD5

    ca9f1361d85bc16b2b9b47d9d4fee847

    SHA1

    eb73e5f7e9be3628c55cdfe4f54af77c927bcd7d

    SHA256

    87615c7a476b5047097fd0de04f27196a02019d4368a4e77ecb5f1546e1b4991

    SHA512

    631f0a1eedaaad3fb224343a8b4055c932ef388e3b4daac671a6b6b745bad2623c9a7237b7cccf8e147489dea68c0b778659dfb7d7754e9a4cd0e4a87a92df97

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    9dff1992e5971a52dee9c82f468fe858

    SHA1

    d0341e5f3ff28408a4a5857dee2633eeae3867dd

    SHA256

    63db1a342d1f0fcc33241aa07996ce5fae5551c0faf115662f8f8a2a8ebb9d99

    SHA512

    2333ac9562b749445ddf2cd324201ca9f3c5e34c2fee4807b31655cd2dadf7c5975a45c9187e9e1683e45536f9f0374d331d99ed39cb330d218fdd21789f32f1

    Download Submit

  • memory/1916-51-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1916-45-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-47-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-56-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-49-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-58-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1916-54-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2592-25-0x00000000046D0000-0x0000000004730000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2592-21-0x00000000002F0000-0x000000000036E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2592-24-0x00000000006C0000-0x00000000006CE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2592-23-0x0000000000540000-0x0000000000550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2696-4-0x0000000000830000-0x0000000000832000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2752-5-0x0000000000180000-0x0000000000182000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2752-6-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2752-59-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB

    Download