redline | 81e362d1aae7ca2398219edc502323062fbd06845a42a044668ac808362d58e6

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silent Crypto Miner/Silent Crypto Miner.exe
Size

255KB
MD5

854a42e9a581b2a33ceda0f3d3dd2f04
SHA1

a100a400e570039823c4fd79dc470c13ccfbb266
SHA256

fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80
SHA512

569dc63dc90b1a6efebb9130d2dce133d3600937a1a6440575037b2b8d36b6aff8c607b86ba2ff0192324ed9cbae519e8a4aa3d9dd6e4b3b6f9d8483e043e1c0
SSDEEP

3072:y1hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfHs/FtMtO2NcSINUc9nR:y1hnJ6D1IxPtUyNrsHdmqEfETrSc9nCu

Score

10^/10

redline sectoprat xworm metin defense_evasion discovery execution infostealer persistence rat trojan

Malware Config

Extracted

Family

redline

Botnet

Metin

duclog23.duckdns.org:37552

Extracted

Family

xworm

duclog23.duckdns.org:7000

Attributes

Install_directory
%AppData%
install_file
Chrome.exe

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral3/files/0x0006000000016df8-8.dat	family_xworm
behavioral3/memory/484-16-0x00000000003B0000-0x00000000003C4000-memory.dmp	family_xworm
behavioral3/memory/2456-50-0x0000000000140000-0x0000000000154000-memory.dmp	family_xworm
behavioral3/memory/2332-53-0x0000000000F00000-0x0000000000F14000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000d000000012272-2.dat	family_redline
behavioral3/memory/2080-15-0x0000000000DA0000-0x0000000000DBE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000d000000012272-2.dat	family_sectoprat
behavioral3/memory/2080-15-0x0000000000DA0000-0x0000000000DBE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe
1636	powershell.exe
1236	powershell.exe
1480	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk	Metin.exe

Executes dropped EXE 5 IoCs

pid	Process
2080	M2.exe
484	Metin.exe
2456	Chrome.exe
2332	Chrome.exe
1564	Chrome.exe

Loads dropped DLL 2 IoCs

pid	Process
2448	Silent Crypto Miner.exe
2448	Silent Crypto Miner.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Chrome.exe"	Metin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	M2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent Crypto Miner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1692	powershell.exe
1236	powershell.exe
1480	powershell.exe
1680	powershell.exe
1636	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	484	Metin.exe
Token: SeDebugPrivilege	2080	M2.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	484	Metin.exe
Token: SeDebugPrivilege	2456	Chrome.exe
Token: SeDebugPrivilege	2332	Chrome.exe
Token: SeDebugPrivilege	1564	Chrome.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1692	2448	Silent Crypto Miner.exe	31
PID 2448 wrote to memory of 1692	2448	Silent Crypto Miner.exe	31
PID 2448 wrote to memory of 1692	2448	Silent Crypto Miner.exe	31
PID 2448 wrote to memory of 1692	2448	Silent Crypto Miner.exe	31
PID 2448 wrote to memory of 2080	2448	Silent Crypto Miner.exe	33
PID 2448 wrote to memory of 2080	2448	Silent Crypto Miner.exe	33
PID 2448 wrote to memory of 2080	2448	Silent Crypto Miner.exe	33
PID 2448 wrote to memory of 2080	2448	Silent Crypto Miner.exe	33
PID 2448 wrote to memory of 484	2448	Silent Crypto Miner.exe	35
PID 2448 wrote to memory of 484	2448	Silent Crypto Miner.exe	35
PID 2448 wrote to memory of 484	2448	Silent Crypto Miner.exe	35
PID 2448 wrote to memory of 484	2448	Silent Crypto Miner.exe	35
PID 484 wrote to memory of 1236	484	Metin.exe	37
PID 484 wrote to memory of 1236	484	Metin.exe	37
PID 484 wrote to memory of 1236	484	Metin.exe	37
PID 484 wrote to memory of 1480	484	Metin.exe	39
PID 484 wrote to memory of 1480	484	Metin.exe	39
PID 484 wrote to memory of 1480	484	Metin.exe	39
PID 484 wrote to memory of 1680	484	Metin.exe	41
PID 484 wrote to memory of 1680	484	Metin.exe	41
PID 484 wrote to memory of 1680	484	Metin.exe	41
PID 484 wrote to memory of 1636	484	Metin.exe	43
PID 484 wrote to memory of 1636	484	Metin.exe	43
PID 484 wrote to memory of 1636	484	Metin.exe	43
PID 484 wrote to memory of 2252	484	Metin.exe	45
PID 484 wrote to memory of 2252	484	Metin.exe	45
PID 484 wrote to memory of 2252	484	Metin.exe	45
PID 2176 wrote to memory of 2456	2176	taskeng.exe	48
PID 2176 wrote to memory of 2456	2176	taskeng.exe	48
PID 2176 wrote to memory of 2456	2176	taskeng.exe	48
PID 2176 wrote to memory of 2332	2176	taskeng.exe	49
PID 2176 wrote to memory of 2332	2176	taskeng.exe	49
PID 2176 wrote to memory of 2332	2176	taskeng.exe	49
PID 2176 wrote to memory of 1564	2176	taskeng.exe	51
PID 2176 wrote to memory of 1564	2176	taskeng.exe	51
PID 2176 wrote to memory of 1564	2176	taskeng.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Silent Crypto Miner\Silent Crypto Miner.exe
"C:\Users\Admin\AppData\Local\Temp\Silent Crypto Miner\Silent Crypto Miner.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Users\Admin\AppData\Roaming\M2.exe
  "C:\Users\Admin\AppData\Roaming\M2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Users\Admin\AppData\Roaming\Metin.exe
  "C:\Users\Admin\AppData\Roaming\Metin.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2252

C:\Windows\system32\taskeng.exe
taskeng.exe {01DD0C72-F4E8-427C-A54E-B34E6B84E04C} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Users\Admin\AppData\Roaming\Chrome.exe
  C:\Users\Admin\AppData\Roaming\Chrome.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6PYF7QJKDXEOZPWVDOG3.temp

Filesize
7KB

MD5
04717734d6865a5f75901e2219bc69a0

SHA1
d7e3854fc7df8fc4a3fc7f3a6c34741f62ed1c7a

SHA256
e03469717f5f36f98d6943241aaa2004fabe73e359dd63b62dbaf1f1f040926b

SHA512
bbdc6e7af96906674b415839ff403077224b9c898f0d765ac3636ac0e6c399fa2f8997c67d34c43b8aafa3ad0c605d525605422cfaafe9d2964d971b3ce67a79

Download Submit
\Users\Admin\AppData\Roaming\M2.exe

Filesize
95KB

MD5
2598b5fee38d9c0979f009e77f94ea33

SHA1
9c2c0f0734fbf16853de911868024dfbed91e5ec

SHA256
00a709baca231f15267526d7b5db11cd94b0089ed6cfd1667a1ff2ebd584c266

SHA512
d6fa07fdfa6493c3abe95c650dca114b1737d8812fe86476ef8afbb1d34e50b537821a7958acdc243246484fc4f28dd208db4328663bbc22ec79ae34f3340c8e

Download Submit
\Users\Admin\AppData\Roaming\Metin.exe

Filesize
51KB

MD5
1d846637aa409d6dd4fd14f70a63f907

SHA1
a0f494b321ef5bd5b95f60d4ee9e4ae836d73b8a

SHA256
08a5ab51f8eee96d3837aaef4d74bf672d937056118003ecfa0e4df9dae49125

SHA512
259bd4d63bd69cdfd9a29303dc5ef3174136353daad23747c4589ed5b760d9905285211850bf49fde37c0ba355f3e463df6633a518affb270cfeb9f24885508c

Download Submit
memory/484-16-0x00000000003B0000-0x00000000003C4000-memory.dmp

Filesize
80KB

Download
memory/1236-22-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1236-23-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1480-29-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1480-30-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2080-15-0x0000000000DA0000-0x0000000000DBE000-memory.dmp

Filesize
120KB

Download
memory/2332-53-0x0000000000F00000-0x0000000000F14000-memory.dmp

Filesize
80KB

Download
memory/2456-50-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download