Overview

overview

10

Static

static

3

c40ba863d1...71.exe

windows7-x64

10

c40ba863d1...71.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2024 18:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c40ba863d18db199355861f3ef34652fb467b1d311d0370b6c035fd9bc27b271.exe

  • Size

    2.7MB

  • MD5

    bd45cc2f5e9358035c7a43d34972146f

  • SHA1

    b54760726527814fedb9ad030f80325da599974c

  • SHA256

    c40ba863d18db199355861f3ef34652fb467b1d311d0370b6c035fd9bc27b271

  • SHA512

    40503df44242dced18622a10d8239a10a8951977ed2efef8a7a41ca65f6b9c519b7bbf73dcd6e3989a6d5ccfed82290bce194c140182c79ea443e7ed9958ffc5

  • SSDEEP

    12288:GVfHSQAvvch1+6XDR/o9hcOPsBwlJgymOvujooTjaX:GZZAvvch06zNo9hcIlJljoTjaX

Score
10/10
redlinesectoprathycediscoveryevasionexecutioninfostealerratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

hyce

C2

193.70.111.186:13484

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Sectoprat family
    sectoprat
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c40ba863d18db199355861f3ef34652fb467b1d311d0370b6c035fd9bc27b271.exe
    "C:\Users\Admin\AppData\Local\Temp\c40ba863d18db199355861f3ef34652fb467b1d311d0370b6c035fd9bc27b271.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c40ba863d18db199355861f3ef34652fb467b1d311d0370b6c035fd9bc27b271.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1520 -s 796
      2⤵
        PID:2044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpE39D.tmp
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE3C2.tmp
      Filesize

      92KB

      MD5

      2cd7a684788f438d7a7ae3946df2e26f

      SHA1

      3e5a60f38395f3c10d9243ba696468d2bb698a14

      SHA256

      2ebed8dd3531958e857c87ddbf46376b8a10ea2f364d2399d9fcc604da0bee1d

      SHA512

      0fec4b36e2173d1ad5eca880e1be1d0c7093d459aeb612d371e4ac92fbeaea55beb36e9228d36d57fe1851bd4d57b26dd5b8edb4620fb17b91441e840669c7d1

      Download Submit

    • memory/1520-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1520-1-0x00000000002F0000-0x00000000002F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/1520-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1520-3-0x0000000002050000-0x00000000020C0000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1520-21-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1804-16-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-9-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-8-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-18-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1804-13-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-11-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/1804-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2520-14-0x0000000002BB0000-0x0000000002C30000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2520-19-0x000000001B5B0000-0x000000001B892000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2520-20-0x0000000002860000-0x0000000002868000-memory.dmp

      Filesize

      32KB

      Download