redline | 34a265197110995c087e43edde1d1425b1c4c809443491b480cdef4d89a1d302

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2Bob_Download/Update.exe
Size

210KB
MD5

d412df3af3c10af259fd4cc58e68f00b
SHA1

2de05f08b05fb0abb4b24616db00d0ce1dec420e
SHA256

083f0f217bff41523e9faa49bb13e9e5d691a3c51341b12d0c4829d8cfc33292
SHA512

9bcf5dca3811bed78e59bca04ca934965a93b00c53769de477f33d465279ec10d6355a66e841cecf439d783721784378fd570c0a7ce6af00c3c16aa58a29d808
SSDEEP

3072:01hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfWw:01hnJ6D1IxPtUyNrsHdmqEf

Score

10^/10

redline sectoprat xworm metin defense_evasion discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Metin

duclog23.duckdns.org:37552

Extracted

Family

xworm

duclog23.duckdns.org:7000

Attributes

Install_directory
%AppData%
install_file
Chrome.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x00060000000191d2-8.dat	family_xworm
behavioral1/memory/1856-16-0x0000000000EA0000-0x0000000000EB4000-memory.dmp	family_xworm
behavioral1/memory/2208-47-0x00000000009E0000-0x00000000009F4000-memory.dmp	family_xworm
behavioral1/memory/2784-50-0x0000000000D30000-0x0000000000D44000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122ea-5.dat	family_redline
behavioral1/memory/2836-15-0x0000000000070000-0x000000000008E000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000122ea-5.dat	family_sectoprat
behavioral1/memory/2836-15-0x0000000000070000-0x000000000008E000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
1988	powershell.exe
1552	powershell.exe
536	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe

Executes dropped EXE 4 IoCs

pid	Process
2836	M2.exe
1856	Metin.exe
2208	Chrome.exe
2784	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	Update.exe
1316	Update.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Metin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2704	powershell.exe
2888	powershell.exe
1988	powershell.exe
1552	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1856	Metin.exe
Token: SeDebugPrivilege	2836	M2.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1856	Metin.exe
Token: SeDebugPrivilege	2208	Chrome.exe
Token: SeDebugPrivilege	2784	Chrome.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2704	1316	Update.exe	30
PID 1316 wrote to memory of 2704	1316	Update.exe	30
PID 1316 wrote to memory of 2704	1316	Update.exe	30
PID 1316 wrote to memory of 2704	1316	Update.exe	30
PID 1316 wrote to memory of 2836	1316	Update.exe	32
PID 1316 wrote to memory of 2836	1316	Update.exe	32
PID 1316 wrote to memory of 2836	1316	Update.exe	32
PID 1316 wrote to memory of 2836	1316	Update.exe	32
PID 1316 wrote to memory of 1856	1316	Update.exe	34
PID 1316 wrote to memory of 1856	1316	Update.exe	34
PID 1316 wrote to memory of 1856	1316	Update.exe	34
PID 1316 wrote to memory of 1856	1316	Update.exe	34
PID 1856 wrote to memory of 2888	1856	Metin.exe	36
PID 1856 wrote to memory of 2888	1856	Metin.exe	36
PID 1856 wrote to memory of 2888	1856	Metin.exe	36
PID 1856 wrote to memory of 1988	1856	Metin.exe	38
PID 1856 wrote to memory of 1988	1856	Metin.exe	38
PID 1856 wrote to memory of 1988	1856	Metin.exe	38
PID 1856 wrote to memory of 1552	1856	Metin.exe	40
PID 1856 wrote to memory of 1552	1856	Metin.exe	40
PID 1856 wrote to memory of 1552	1856	Metin.exe	40
PID 1856 wrote to memory of 536	1856	Metin.exe	42
PID 1856 wrote to memory of 536	1856	Metin.exe	42
PID 1856 wrote to memory of 536	1856	Metin.exe	42
PID 1856 wrote to memory of 1672	1856	Metin.exe	44
PID 1856 wrote to memory of 1672	1856	Metin.exe	44
PID 1856 wrote to memory of 1672	1856	Metin.exe	44
PID 840 wrote to memory of 2208	840	taskeng.exe	47
PID 840 wrote to memory of 2208	840	taskeng.exe	47
PID 840 wrote to memory of 2208	840	taskeng.exe	47
PID 840 wrote to memory of 2784	840	taskeng.exe	48
PID 840 wrote to memory of 2784	840	taskeng.exe	48
PID 840 wrote to memory of 2784	840	taskeng.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2Bob_Download\Update.exe
"C:\Users\Admin\AppData\Local\Temp\2Bob_Download\Update.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Users\Admin\AppData\Roaming\M2.exe
  "C:\Users\Admin\AppData\Roaming\M2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Users\Admin\AppData\Roaming\Metin.exe
  "C:\Users\Admin\AppData\Roaming\Metin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {4FC14616-E797-40C4-B330-BE2A90E08D1E} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\M2.exe

Filesize
95KB

MD5
2598b5fee38d9c0979f009e77f94ea33

SHA1
9c2c0f0734fbf16853de911868024dfbed91e5ec

SHA256
00a709baca231f15267526d7b5db11cd94b0089ed6cfd1667a1ff2ebd584c266

SHA512
d6fa07fdfa6493c3abe95c650dca114b1737d8812fe86476ef8afbb1d34e50b537821a7958acdc243246484fc4f28dd208db4328663bbc22ec79ae34f3340c8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZLMJ19OON8IDEP9BAM7K.temp

Filesize
7KB

MD5
3a62e9706b804fbde6cf591d30a67e79

SHA1
750e18acce513a5fafbb4a3e1c396e0ab54d0ac0

SHA256
e628572110682055fc3ab76075f9d32bbcccc1e7ff4d4e20f81699aee8e8359d

SHA512
9c01c26c906079f8c7d089bcc71aa5c83602fe0a9e793726918b95f58e6638faf131c25ede155c40617fd9ee351c22eb78852d5e4989ce13b226a291fb1619bc

Download Submit
\Users\Admin\AppData\Roaming\Metin.exe

Filesize
51KB

MD5
1d846637aa409d6dd4fd14f70a63f907

SHA1
a0f494b321ef5bd5b95f60d4ee9e4ae836d73b8a

SHA256
08a5ab51f8eee96d3837aaef4d74bf672d937056118003ecfa0e4df9dae49125

SHA512
259bd4d63bd69cdfd9a29303dc5ef3174136353daad23747c4589ed5b760d9905285211850bf49fde37c0ba355f3e463df6633a518affb270cfeb9f24885508c

Download Submit
memory/1856-16-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/1988-28-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1988-29-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2208-47-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/2784-50-0x0000000000D30000-0x0000000000D44000-memory.dmp

Filesize
80KB

Download
memory/2836-15-0x0000000000070000-0x000000000008E000-memory.dmp

Filesize
120KB

Download
memory/2888-21-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2888-22-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download