Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
01-12-2024 19:56
General
-
Target
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe
-
Size
2.6MB
-
MD5
55e393da1714013720ddf266c7906f43
-
SHA1
91a636913604184c010c2d9e0b331a804a2c0ab4
-
SHA256
6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957
-
SHA512
40a61e1d461717e45eff3be6b22561ac39c2ef1af39b46f7d149fe823d14a06bb99605a78e794d6447ece43ce6b4854192e47ad993ed4a2e78479bc7e155fe8a
-
SSDEEP
49152:VvONaX/Lpt/IvKfeF4tIDpdIA/gvCRtDKYZ8NfBcPQSqzULJgxl6Y4KB7KkP3C+Y:VGNajwvKfpyMdvCRNZZ8NJcPQSEU9Q6z
Malware Config
Extracted
redline
tg
163.5.112.53:51523
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 2 IoCs
-
Sectoprat family
-
Xmrig family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 8 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
UPX packed file 13 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 46 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"C:\Users\Admin\AppData\Local\Temp\6f10a5ac32b9f8b590199dd88c976057d19a6215224aafe45270dd3154d4b957.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAdABpACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGsAcABhACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAVABoAGkAcwAgAGMAbwBtAHAAdQB0AGUAcgAgAGkAcwAgAG4AbwB0ACAAcwB1AHAAcABvAHIAdABlAGQALAAgAHAAbABlAGEAcwBlACAAdAByAHkAIABhAGcAYQBpAG4AIABvAG4AIABhAG4AbwB0AGgAZQByACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB5AGMAYQAjAD4A"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAagBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGwAcAB5ACMAPgA="2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\a.exe"C:\Users\Admin\AppData\Roaming\a.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "TDFIYZSJ"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "TDFIYZSJ" binpath= "C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe" start= "auto"3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "TDFIYZSJ"3⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Roaming\b.exe"C:\Users\Admin\AppData\Roaming\b.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exeC:\ProgramData\tcxbtjpidyhi\wfnmgjmvvtwt.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Defense Evasion
Impair Defenses
1Obfuscated Files or Information
1Command Obfuscation
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
17KB
MD57c40566d6ce2b6734472ba4a7e1921ba
SHA14658b6b12b45e7fa1d36095f662b529d1fed2884
SHA256ee7b4d591fa025668cc0d1529c5d06858e542221db2c051d87d94f95a99dc3bb
SHA5125db9e2caf93a47726035de88308728f84981be3963ee56273f6ec27d893d4e84b37be1ff9ae434c83468770eee4aea277b68bf4ebc67924c21b0d8106d314898
-
Filesize
1004B
MD5b2bb0286c3cb23ff10e684f5d46d22e6
SHA19106ccb6273ec134b32ff6c4683efd4a369fbd49
SHA256bb87cbeb83665ec3c69cab76899f5f673bae32993b9cbcd15b95a7757dcc8c23
SHA512f9341f57f3979853d68468e7b7313924b17fe49a0d8d241c70f4359d3810a6499339ecdebc00ff46599f3f20b21bf84421d221c9c58d12deb23058b5b124e8ec
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.5MB
MD56fd62e635b39a02ba8cac6fc124c9475
SHA1e13080b9cc546e44a9f1c419ba86aeb190a14b2d
SHA25678b9d7e485026278b02a1961999ad99cdfa988fbf4403767db5d10d1473e9870
SHA512e77432582e6abcc0fd86ed997c9c4619bd67a044d33a752e1cf3ceb8008cea27c540949183b80f9dee8a41614cff54afe79c5db294efcb72b27685fcf1010cdc
-
Filesize
95KB
MD5184ac479b3a878e9ac5535770ca34a2b
SHA11f99039911cc2cfd1a62ce348429ddd0f4435a60
SHA2568e28a0090832a76cf71c417cb1bf7990b9af86be258b732117a47f624387083c
SHA512e0f5185ae890b902ea5325066df23959106712e7990e120a1b9752bbd0331cac968af5ddd6092f75a1c576d4c83f4093dfbf53a2c90870d1c02b31a0e8282bb4
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
68KB
-
Filesize
104KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
40KB
-
Filesize
724KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
128KB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB
-
Filesize
8.3MB