Overview

overview

10

Static

static

3

RFQ_TFS-15...NG.exe

windows7-x64

1

RFQ_TFS-15...NG.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 10:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ_TFS-1508-AL NASR ENGINEERING.exe

  • Size

    1.4MB

  • MD5

    d49ddb40b2037ac73988f82b820f4cd1

  • SHA1

    a3b36cc36bdcf59c03794b3366a454ee0cb888d3

  • SHA256

    24050e65286707adf974167b31a7443dbc40fe475d1cf2515fe1b318dfc0d4d7

  • SHA512

    96deb0ffe41998f2866a71d9304877c1c20bd86b5cc5b48cb44398a516fb989473bbbf7084df2fe7f933d2ce594992966085df31276b324acc0f2c4950dc11a6

  • SSDEEP

    12288:H3XhFxpSPO4ZhtlsiVWKDXbn849nKxqt7Q2:HhFxcmEhtfXxdV

Score
10/10
redlinesectoprathycediscoveryevasionexecutioninfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Sectoprat family
    sectoprat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4552
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ_TFS-1508-AL NASR ENGINEERING.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4376
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s24jpyvi.ymj.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC6A1.tmp
      Filesize

      40KB

      MD5

      a182561a527f929489bf4b8f74f65cd7

      SHA1

      8cd6866594759711ea1836e86a5b7ca64ee8911f

      SHA256

      42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

      SHA512

      9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC6B6.tmp
      Filesize

      114KB

      MD5

      a1eeb9d95adbb08fa316226b55e4f278

      SHA1

      b36e8529ac3f2907750b4fea7037b147fe1061a6

      SHA256

      2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7

      SHA512

      f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC6F1.tmp
      Filesize

      48KB

      MD5

      349e6eb110e34a08924d92f6b334801d

      SHA1

      bdfb289daff51890cc71697b6322aa4b35ec9169

      SHA256

      c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

      SHA512

      2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC6F7.tmp
      Filesize

      20KB

      MD5

      49693267e0adbcd119f9f5e02adf3a80

      SHA1

      3ba3d7f89b8ad195ca82c92737e960e1f2b349df

      SHA256

      d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

      SHA512

      b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC70D.tmp
      Filesize

      116KB

      MD5

      f70aa3fa04f0536280f872ad17973c3d

      SHA1

      50a7b889329a92de1b272d0ecf5fce87395d3123

      SHA256

      8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

      SHA512

      30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpC738.tmp
      Filesize

      96KB

      MD5

      40f3eb83cc9d4cdb0ad82bd5ff2fb824

      SHA1

      d6582ba879235049134fa9a351ca8f0f785d8835

      SHA256

      cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

      SHA512

      cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

      Download Submit

    • memory/2160-24-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2160-13-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2160-17-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2160-5-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2160-11-0x00000229FFF90000-0x00000229FFFB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4376-28-0x0000000006BD0000-0x00000000070FC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4376-43-0x0000000006A70000-0x0000000006B02000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4376-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4376-18-0x00000000057A0000-0x0000000005DB8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4376-26-0x0000000005320000-0x000000000542A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4376-27-0x00000000064D0000-0x0000000006692000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4376-20-0x0000000005070000-0x00000000050AC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4376-29-0x0000000006450000-0x00000000064B6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4376-42-0x0000000006950000-0x00000000069C6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4376-21-0x00000000050B0000-0x00000000050FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4376-44-0x00000000076B0000-0x0000000007C54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4376-45-0x0000000006B80000-0x0000000006B9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4376-19-0x0000000004FD0000-0x0000000004FE2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4552-25-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4552-0-0x00007FFB497F3000-0x00007FFB497F5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4552-3-0x00007FFB497F0000-0x00007FFB4A2B1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4552-2-0x000001D160360000-0x000001D1603D0000-memory.dmp

      Filesize

      448KB

      Download

    • memory/4552-1-0x000001D145FC0000-0x000001D145FDE000-memory.dmp

      Filesize

      120KB

      Download