Overview

overview

10

Static

static

3

ec853dd162...2N.exe

windows7-x64

10

ec853dd162...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    110s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 18:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe

  • Size

    696KB

  • MD5

    386f5153971c0c93a5cc465dbe30c860

  • SHA1

    3ebd0c0b5b67e8e4c699a992c1372027ae74df28

  • SHA256

    ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2

  • SHA512

    8ee38e90cfb3dd74eafd77ff8bdf923dbf570f36cbdf712e6212dc360811bdc801251c1b52595481fc06db8d5a38828c68956817836c091c2201bc9f7f5356f6

  • SSDEEP

    12288:7kM5KbJvJmZeyjABLpQzhC838e2ugLl4ivw7gpIjw0wy9EXX+uB:DcJmYcABLuzhCsVkuew7gYw0wFOuB

Score
10/10
redlinesectopratcheatdiscoveryexecutioninfostealerrattrojan

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

45.137.22.248:55615

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 5 IoCs
  • Redline family
    redline
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 5 IoCs
  • Sectoprat family
    sectoprat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\VxgJTjZZ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VxgJTjZZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1B6.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe
      "C:\Users\Admin\AppData\Local\Temp\ec853dd1624cc25d5d80bd8f0d5596904492c7782ab8a2814393cf4fae01b0c2N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1B6.tmp
    Filesize

    1KB

    MD5

    e61ecc6a34c35a1d5db03e27c3aa7957

    SHA1

    2bf84ff1e3f4eeeabb2119bad699a6e73b959ef7

    SHA256

    0267c6749461c82325639cb710f9497bb42cab00f71c2622d0c56ab85ffd35a7

    SHA512

    9982244818765292d61145b733cac94bf37e05221d3f3a263146831ba77dff449b3915242b0155b5f79bc2aa1f69a2761ff15ef70343c77ead0115081a1e27ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    aac6abaa8e4d0e3c1c67c3ac8ed465ec

    SHA1

    7374f12c27ea131469cfabdba3b1e1ddb8d58310

    SHA256

    4a2f5419886497bc03fc2b2d5cebfadf39514cd029473a04848532c8cac1d14b

    SHA512

    d4506bccc200adc40b2874d134c3b710e6b86c317873c73d519e3207e1155b9eb8253a5875a1bb1781b339b5bf3a9c4403696602947f2d421e32d1e955c76d1f

    Download Submit

  • memory/2272-4-0x00000000743FE000-0x00000000743FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-31-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2272-5-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-6-0x0000000004A80000-0x0000000004AE2000-memory.dmp

    Filesize

    392KB

    Download

  • memory/2272-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2272-1-0x0000000000990000-0x0000000000A44000-memory.dmp

    Filesize

    720KB

    Download

  • memory/2272-3-0x0000000000870000-0x000000000088E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-21-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-28-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-23-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-19-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-30-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-29-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2892-25-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download