Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16/10/2024, 23:56
General
-
Target
12f9806ad64e90f6276302e3c023fb71.exe
-
Size
5KB
-
MD5
12f9806ad64e90f6276302e3c023fb71
-
SHA1
769b8bdcd4e87324fc7b05d07b600842ceba3aed
-
SHA256
8a5b6b6a2d9cd640f59a4c7ed58ad3bbc54268205dd3899356f5cb99a9352a78
-
SHA512
7700b9b3ddf0eae92daa73d098a1c081428b3cdd754293912217b20ef6086e227915d3dfe8cb86d15e00b3a39377bb67ca2c96172b628bff6389f7ec602927f1
-
SSDEEP
48:6LaoejN+CAc+CJrjV6CIndMh0Dc7bVrricqDsKrQ7tieK8CNJjpfbNtm:QWNPAc+CJrR6a0Dclri3DADNizNt
Malware Config
Extracted
redline
7772121777
87.120.127.223:42128
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\12f9806ad64e90f6276302e3c023fb71.exe"C:\Users\Admin\AppData\Local\Temp\12f9806ad64e90f6276302e3c023fb71.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpA3B2.tmp.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /release5⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
C:\Users\Admin\AppData\Local\Temp\build.exe"C:\Users\Admin\AppData\Local\Temp\build.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew5⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /release4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
C:\Users\Admin\AppData\Local\Temp\Plain_Checker.exe"C:\Users\Admin\AppData\Local\Temp\Plain_Checker.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /release5⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew5⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew4⤵
- System Location Discovery: System Language Discovery
- Gathers network information
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD5c3f3579faf5abfc023f4e282cff43313
SHA19ad2f1cc766b02b1f7e85d4024969c3079950d6a
SHA25649b47081f5f4a706cd3b70421094b9ddf59a6c18fcbd177d5f6565fc14514ea1
SHA512427c9ca6f2e78c5fd98e6ec4bd8daf916ca46290e8e1cdf935657bd1bd4ea8273c9cd4ee91bbb5176ee06abced7d238622dc697e2cb575041c515585f4072b00
-
Filesize
127KB
MD530f7aac5d8d65200c618c6a0a94c4065
SHA1773f4aa04303897702a468134cf66b2b15665140
SHA2569b7fc6c8743440fb3958135998d2e4a67143dbdb980d18790ce68ff2634e495d
SHA512d7d91352d58ebcf44c3674366e3d76bebc4119a9b060f376166bb99b03b3a894592dc0a3263d0240727a1d8b7cca178e7719778ed8894300ad0b1e2c1d604053
-
Filesize
7KB
MD53a1085797ca3089008cb2b51d2fcdc84
SHA1f5ea90ec6ad07f137c058ef2874dbd3a1b444f95
SHA2568fc221b7c8e3f52f22841c866cf0d842f2a1266e79b472273766ce1704474499
SHA5125e1cf172f3ad81c6bdc5bb3e75743a5a7ac4d4250012112888707a334f3336ba43b5aa71d4cf67f6aa3f8207e21460aa13d06524241e6d0ff9e4d9e7c05f0eac
-
Filesize
32KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
940KB
-
Filesize
424KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
960KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
940KB
-
Filesize
7.7MB
-
Filesize
940KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
944KB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
752KB
-
Filesize
712KB
-
Filesize
1.2MB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
240KB
-
Filesize
1.0MB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
1.2MB
-
Filesize
104KB
-
Filesize
720KB