redline | 27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/12/2024, 13:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

perm.exe
Size

4.6MB
MD5

cd15473be3b87cf2f089fe3a652d0d08
SHA1

5fecdc548d7c9e134940509d4b002dd36deda1ef
SHA256

27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96
SHA512

cdd2f2dbc59942999082bd62bd869b66bf80b525d7b7244cb6527540bb288a50844f6d078f21c319d6888d02efca5a73ed054c16a544958ef40e215a54336477
SSDEEP

98304:1d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KM:u+y4ihkl/Wo/afHP9

Score

10^/10

redline sectoprat xworm discovery evasion infostealer rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2948-3-0x00000000004E0000-0x0000000000574000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2948-3-0x00000000004E0000-0x0000000000574000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2948-3-0x00000000004E0000-0x0000000000574000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	perm.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	perm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	perm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	perm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	perm.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3020	taskkill.exe
2676	taskkill.exe
2640	taskkill.exe
2752	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2948	perm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe
Token: SeIncBasePriorityPrivilege	2948	perm.exe
Token: 33	2948	perm.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 564	2948	perm.exe	33
PID 2948 wrote to memory of 564	2948	perm.exe	33
PID 2948 wrote to memory of 564	2948	perm.exe	33
PID 2948 wrote to memory of 564	2948	perm.exe	33
PID 564 wrote to memory of 2676	564	cmd.exe	35
PID 564 wrote to memory of 2676	564	cmd.exe	35
PID 564 wrote to memory of 2676	564	cmd.exe	35
PID 564 wrote to memory of 2676	564	cmd.exe	35
PID 2948 wrote to memory of 2728	2948	perm.exe	36
PID 2948 wrote to memory of 2728	2948	perm.exe	36
PID 2948 wrote to memory of 2728	2948	perm.exe	36
PID 2948 wrote to memory of 2728	2948	perm.exe	36
PID 2728 wrote to memory of 2640	2728	cmd.exe	38
PID 2728 wrote to memory of 2640	2728	cmd.exe	38
PID 2728 wrote to memory of 2640	2728	cmd.exe	38
PID 2728 wrote to memory of 2640	2728	cmd.exe	38
PID 2948 wrote to memory of 2832	2948	perm.exe	39
PID 2948 wrote to memory of 2832	2948	perm.exe	39
PID 2948 wrote to memory of 2832	2948	perm.exe	39
PID 2948 wrote to memory of 2832	2948	perm.exe	39
PID 2832 wrote to memory of 2752	2832	cmd.exe	41
PID 2832 wrote to memory of 2752	2832	cmd.exe	41
PID 2832 wrote to memory of 2752	2832	cmd.exe	41
PID 2832 wrote to memory of 2752	2832	cmd.exe	41
PID 2948 wrote to memory of 2736	2948	perm.exe	42
PID 2948 wrote to memory of 2736	2948	perm.exe	42
PID 2948 wrote to memory of 2736	2948	perm.exe	42
PID 2948 wrote to memory of 2736	2948	perm.exe	42
PID 2736 wrote to memory of 3020	2736	cmd.exe	44
PID 2736 wrote to memory of 3020	2736	cmd.exe	44
PID 2736 wrote to memory of 3020	2736	cmd.exe	44
PID 2736 wrote to memory of 3020	2736	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\perm.exe
"C:\Users\Admin\AppData\Local\Temp\perm.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - Kills process with taskkill
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2948-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/2948-1-0x0000000000D80000-0x000000000121E000-memory.dmp

Filesize
4.6MB

Download
memory/2948-2-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-3-0x00000000004E0000-0x0000000000574000-memory.dmp

Filesize
592KB

Download
memory/2948-4-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/2948-5-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download