Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-11-2024 23:38
General
-
Target
f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a.exe
-
Size
785KB
-
MD5
d2f542d38d3cf8abab173c4ce668cd08
-
SHA1
de5991f684f5054eb191d327b21b301d90601d18
-
SHA256
f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a
-
SHA512
f2f92a61fb16630d4de6da59b37b8e1e964916b6831b371900f27ef98c8602a29002bc7edf0f7bd0a75d7e96f941504eed2ae4a34971a8e2c0d1c20ae4cf2f8d
-
SSDEEP
24576:eQNid6hXNmIvZwJAtDWCzglIejIpqG4yPaw:ZRTm/JA4CKILqg
Malware Config
Extracted
redline
MALOY
194.226.121.151:17731
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 1 IoCs
-
Sectoprat family
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a.exe"C:\Users\Admin\AppData\Local\Temp\f702a1b2aa5e8f06b47c069afa26909e4a9ea31bfb3328b9efbdb7e396cf250a.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\autoplay.exe"C:\Users\Admin\AppData\Local\Temp\autoplay.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\SZ8pLRsMimenhWA.exe"C:\Users\Admin\AppData\Local\Temp\SZ8pLRsMimenhWA.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SZ8pLRsMimenhWA.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\SZ8pLRsMimenhWA.exe"C:\Users\Admin\AppData\Local\Temp\SZ8pLRsMimenhWA.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e08f822522c617a40840c62e4b0fb45e
SHA1ae516dca4da5234be6676d3f234c19ec55725be7
SHA256bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
-
Filesize
567KB
MD5246dc48cada7fba91b7617fe4dfe8433
SHA184867d471f524c14296637b191c1f9deefa3eb04
SHA2568e5ed7d8999d566917e21d2ada4a6c035646387e6d55adf96073fbb18a769eb0
SHA512a8997b6a18ac82b8b74a9f4229c11ed0ff38cbbfb36815f3dad4e43b9a490f5ec9f6ffeb30bf82afa0fe74132e76cd34a63dd984cb5b077c494c775fa078d901
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
185KB
MD576ef16e94f77454aaffdfa4c700be85f
SHA19b45b3826706337a11e43248095fb2c62e42d14d
SHA2563b9dabd99dc58a5242616cb6d1d876bca3046119a9b150c7d7868bf02202ea82
SHA5124185cf9393877fd6d80ecfb7290c10d40a62fc7013d175e5fc91df56870500ea33b518e4f55b4e7d8a7865d3f7707fb5f49f621d5d944bb1edffda4734f99d53
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
5.6MB
-
Filesize
360KB
-
Filesize
4KB
-
Filesize
592KB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB
-
Filesize
1.0MB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
816KB