Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
08-12-2024 14:07
General
-
Target
2477.exe
-
Size
125KB
-
MD5
02201ab0ffca3905fbf110296fd58298
-
SHA1
4068eb4c09f6e09637588ee3cf62bf7229a25faa
-
SHA256
4d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe
-
SHA512
4f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705
-
SSDEEP
1536:Rn7TvjnE1RowM/gZbgjx1LAYivy6sDOsyrXdtyVt3A7HPd4n+lbeRZIbSQPYU:RHovoX/0bgAoORHyHQbPRyZ2pPYU
Malware Config
Extracted
redline
l3monlogs
78.70.235.238:1912
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 3 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2477.exe"C:\Users\Admin\AppData\Local\Temp\2477.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2477.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '2477.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Roaming\spoolsv.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\rexjvc.exe"C:\Users\Admin\AppData\Local\Temp\rexjvc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F2069F36-F78B-45EE-B09D-926B6E3CD92B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\spoolsv.exeC:\Users\Admin\AppData\Roaming\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\spoolsv.exeC:\Users\Admin\AppData\Roaming\spoolsv.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD5b83554c8de164b68df531646012e9fd3
SHA1e3798f3e34fc2b0124a9538d48eb030163c27d99
SHA2567fda4e47fe287ce368efacdf37b280df7565fdc434997df0dbc8f2cb2e704c81
SHA512f04575e6f27b850279e1601c20aef560920228309f0c16149c685343afc5fa152482f3bb8ef3e58bdd18b9c9d218239ce25f7f99a87010b99e2c82e23c03c81f
-
Filesize
342B
MD56f497a25a067fb690ae56179efa918d6
SHA10bc03d6744d0ab62fd1c95090306a492a5c2ca7c
SHA256b6c645626dc7030c580922cff89a8930505480030c50408370939370548eeceb
SHA512fe86e37cab5289176ba38b3fe1a63f846b79733633ab5d22a9e0171eacecf7aa8837a0979a1534a291901b6a8878ca1d0178500097b4f5849559e0a53780bfd8
-
Filesize
342B
MD52af3458335ca261b36bbc07f5e864254
SHA155dc412952bfa623a3b83226a0d7698a00506c71
SHA2563feaba753bc4396e5cba84b4bacab6a1a958b7d8275f0cc785daca94012b128f
SHA512d2b39cb173ccc519367700e78b12eebc2d712dde6517682e8e2ec34db731cc7385ba7717cc9554bacf9aee5f18aa672ee6d574da7ebdf10971b80d0a5ce5d683
-
Filesize
342B
MD5092dc880f33f8eb116905f0fec28a127
SHA18189c43b65b233e70369cb23302f0732e11ad5c8
SHA25684a2113fbc3e750e6948b4085e429942c4cff9ebedd85e4c68a34eb1741bd3af
SHA512ede2dfc191fdcc24317bd9c20c8d843fc72dac6fd64b5b72d4f0f561fe9d7d29234464b7ee9329b122b04dd90cb136f5bdf9bd9b5cdc4a010ea8c2093178077e
-
Filesize
342B
MD508c2c21615fd245cad7f1e3a347507af
SHA1c0afa7bb5cd268cdd7fa586187ffa5a345589cf6
SHA2566ae562344b1172871d2b17622fc9ba337acf5d346a4f5efc68ab087fbc70b891
SHA512d35a5ccacba0d91c38e8f44c45a2ba247603689422e7aa9470dd94eb2aec5238ddb169734277bff672deed0c2adeef037f42bf5506dc8421944a0c7b51e40b58
-
Filesize
342B
MD50982e6c8d1baeaac347baea37c8f26fb
SHA1a7927540d52b0f4552317331eaf8916e027942b7
SHA2565438bb3ff909024f36f7d90511de90ca1d833ae6b17128d92fdd8613c681e34b
SHA512799323ff51d04c85b8ae11e1d0abd5535107fe7301b360e23296eb63f7c9d555b99672fb029fbe92146c39476877bb52e0d1e390dc8d56b8762d49c6ce18bc22
-
Filesize
342B
MD56b019a38e4cddc0784ac53e0d6232699
SHA12cdf5885b6f5626a58cb6dc6cb9fc0f39feb190b
SHA2567fd7ff89696f6128ff8d05659396bee8cd866393a32f3978b2d4c3f37722eb84
SHA512888beb113a9809939ceabe9b3013dee899fc66c17f59dbfe8860d954b56b0f7bae95d45c11a3b4e572747519f74c636dc128c7cd720742008630db638cb1f30e
-
Filesize
342B
MD5b8c80b66373aae542700b682c0bdd0bb
SHA1f80bb80c029c8bde3d875f6cb175fe482d2e828b
SHA256b6a15a44e50e9cd4a66accde96d9f60e54b504ceb99a79e05889b330326febda
SHA51271a9136c9e587a6d9ccc5906830ce6657f7973d9d4924e13b3c6cd198f149c2f55bcc7ecf2f8a61700f663818c299af5b43fbcf7a6508236d5fe4677deb2ce06
-
Filesize
342B
MD59c28a07836cff28c51101be89195664e
SHA120380ccf3eb437771b3e4dc1d4661a8f4463ac62
SHA256aa2a1094ce27b2d4b6014663bf7af199747861aaff03f8c7c3b2921551557508
SHA5121746f601f65acddbb967000a9a172356d014f41eb40454d69ed307936eb4cc1b4daf824d05164dd50fbe4a5665ad832da6804fcc18846d9e5b7ec17d5728a1c5
-
Filesize
342B
MD564858cf41644ec0e65e7d672490dd810
SHA1e576c90e0f8cc8991eb6fc8d177457b420ad77a0
SHA256b20e027c490d03b40d50a180fa7621d1997535dfdd74cd0daac94450e5e1b5f8
SHA5127f70240a96548e3336c6781080a67fe4b69aa0a432c21889de1c213e73a2895a7c292c8ff01d34040bd06a991231600c61e71dcb63f24b262c0e28303b8db3bf
-
Filesize
342B
MD59ef756669dc942d26cbefc0e993aaee7
SHA1ed3b9e41cf6e3e7ec7f4777d716ac8570305a4ed
SHA2568e1dc57f6d732b57adc7a0079546a19a47cd2a0c1a659e271ab07611c29f63c9
SHA5126750abd8ce42f6476c450c113ba5e85eaa5451a9dbf2d42125ecb0b69de78c350e5e8e20057b7f99f73b5ad6165785756bf5ce39b03933662cb964dc836a2513
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
300KB
MD5dfefdd2e554fd23f3b87f68c3e0f9622
SHA18be107d3c7e0aba6346ccdac289e29e3a8127af2
SHA256f47c2bb84ce619d0d69445b0a1dce760482f2dd508815ba2667bab5c3a3541e9
SHA5128f11525da059c6aa655d5ad2c41f89ce535ebb7a2bd4d7ce197c2ea244f28947e2338b1f97378130179490e49fd73402ee3dcdc507901f48b41ce9acf79ca182
-
Filesize
7KB
MD509c38fe8165f50fe35c03c3128c25e71
SHA1f8d24830436b049d709174ab4a9178472f79e5fd
SHA2563cb3007608cb3f7634fb437e81a64a59830e2deb4f56d00ab17d90c085331888
SHA512f70cc36dbf755b207b99d184214b2ed499d4edb98890faf21b9fc976225acf620da403b4ddb8a0ffe752bfdb5c10091f105e819ac47bb6a280c3c4b181d313b3
-
Filesize
125KB
MD502201ab0ffca3905fbf110296fd58298
SHA14068eb4c09f6e09637588ee3cf62bf7229a25faa
SHA2564d0f2f8fd89fec7e4f1348b5b6a0ea528d2b391f48e69df140b91845c0989abe
SHA5124f2d86d8dbdb6946bdd982b7c48aea803eccd99c51ddbd6edcb1f7301f9a8f255953210b5b47ecd6e6a8f1bf93269bb519b3a83548f7d3ea63ded3980bef3705
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
1.9MB
MD55feec801de3274f8d8f077c1af52a63a
SHA1f73c21469034d13554393ad15e06bf1f5f964850
SHA2560e5e4465975697f2066fdcd093c59132bfa813b8e401d9839e449f6af2e8bdbd
SHA512593b2567d7adfe7c01fd41402392f72dc9b3b76686a78afacc88c60e8780884cd4f50ba290974ae6e116b610aa0d8198193c090743f30e98618634a322ac85b0
-
Filesize
14KB
MD519aba95cd19c4a7df9b898e8e96018bc
SHA10fd81d2bf951fa50a4d05a16d791ddb0d1e90ffc
SHA25631622ce1b1875f3aee9f30e82d48e8deefe2d6a4dbf914b2f53c20e39dfde28d
SHA5126e7dc5b51e43dc721cdbea75acb4935de6a9255161dffe424b025c259a5021740e54afab082f407a05c52ed464466e10b83e72177af8fe6154813e48035387d2
-
Filesize
18KB
MD5086c5024e30fbc436c9637e1d8d92591
SHA1c5e56fe4ae09027838497eb0c5145feead56f112
SHA256ebacc57ee7f237653771802b53d58aeee7406ee5ad1c2590be2ec2ac80442218
SHA512869cbccf52ff4e07ea346bc43e62e2aab5dd5391dc40e3a59c0c8f333b798d6f16e6d266166d85988fceb8a6594a1a2858b09d65dac99facdb75b27589168433
-
Filesize
16KB
MD5fe5071307bbad918bf894303c927a1d2
SHA198d4f2e2bd2fa5ecff77e04ba12b040849b97e07
SHA2569611930f0db7936356489ff435229d7dafb5b64541f93a2c1e5e068bf32ceb2b
SHA512f6b39bc3bae326f68f35065447ad19af21e6d19810d389f0b608fa5a7dfd5710f19aca13f826e96197a8f65c79fe989d8ed41e059d3eb78255947d3d519ee56b
-
Filesize
16B
MD5d5c75a7d2cf4360668a33a441270d729
SHA174ac64a322c850641e7fb786ab8ac1f67ce08c88
SHA256433514db18c955c65e66330a2a4488b7e876d78488c1f59cecd8fc35ce6abb49
SHA51201e3628ec48fe004698827ee4a695213269d163e9f72f7a44b7bd0db0d79f428ada7c7c840d6b5a72058a8466d12ceed20a21b57939e1d470eac8474c1940bd7
-
Filesize
152KB
-
Filesize
9.9MB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
56KB
-
Filesize
2.9MB
-
Filesize
112KB
-
Filesize
288KB
-
Filesize
32KB
-
Filesize
664KB
-
Filesize
208KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
152KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
328KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
32KB