9885075a597dba7d0eed56f5809b20d9982cd305ea5f16668b33fffc83808827 | Triage

Analysis

max time kernel
146s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-10-2024 21:41

Sharing

Report Analysis Logs

General

Target

Redline stealer 2024 Crack/OpenPort.bat
Size

94B
MD5

cf1cc90281e28cee22dce7ed013c2678
SHA1

2f213a71b76db3e51ad2d659f84dc1f3f90725fb
SHA256

84399f8bccefa404e156a5351b1de75a2d5290b4fddd1754efb16401ed7218ef
SHA512

2b61c1da7cc66506537719cedab82f172d2ac1af4df69513ba64507a5ed67989974f81791faf08c5855580df53f564600381be34c340b825f1f01919948921e1

Score

8^/10

evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

336 netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

cmd.exe

description pid process target process

PID 1536 wrote to memory of 336 1536 cmd.exe netsh.exe
PID 1536 wrote to memory of 336 1536 cmd.exe netsh.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Redline stealer 2024 Crack\OpenPort.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="RLS" dir=in action=allow protocol=TCP localport=6677
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads