Resubmissions

31/03/2025, 16:24

250331-twelnsttd1 10

20/09/2021, 11:07

210920-m7864agdhk 10

Analysis

  • max time kernel
    108s
  • max time network
    119s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 16:24

General

  • Target

    ttcopy.exe

  • Size

    1.4MB

  • MD5

    eace0039dd2f8fb2a963b0cf8208b8ed

  • SHA1

    3c9095b0e6b423b17abb966bc2dce7092a05fe70

  • SHA256

    3e66d72e6cb4fab3bf03a7a1ba048e661b9669928a021140d4d0cde12ced097f

  • SHA512

    eaf1ffb532deda9424cbfb3655dbe423f6e0ec289dd7eeec02714eef516e068c0fa15c914fc69f146d5d9a3839b6a34d2a81925953c66b4b0252ae28c7345135

  • SSDEEP

    12288:p2hhDcnbPxuhAjGSJTRQ2b+pth7BmwE5Td3o:MEbPAhAiSJTRQ2bSthtmwEp6

Malware Config

Extracted

Family

redline

Botnet

cheat

C2

103.168.67.29:6677

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • Redline family
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 1 IoCs
  • Sectoprat family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ttcopy.exe
    C:\Users\Admin\AppData\Local\Temp\ttcopy.exe bcdedit /c set shutdown /r readonly /f force /t 2
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LvfcqXStYW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE61A.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:4652
    • C:\Users\Admin\AppData\Local\Temp\ttcopy.exe
      "{path}"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ttcopy.exe.log

    Filesize

    1KB

    MD5

    c8849e1d2d560284d0c77c1c2dd7032b

    SHA1

    4cc4060df98bca9d9b7a9ebdd53ac7e5cf2bfa0c

    SHA256

    49455db2409bd28406518ddf4fdaf4329dc26d56c790a806f2f96f57f038750a

    SHA512

    24a61e4917f062477e1e821072008a4880053ab9c8468c449a8f7445a2d6b9293dbccaa1072f4933ce2f78a689ab8a705ba143ae1dd363de7fc9e93fda392d35

  • C:\Users\Admin\AppData\Local\Temp\tmpE61A.tmp

    Filesize

    1KB

    MD5

    a7934f37a037afc3063f3d6e48ccbefe

    SHA1

    a1437ed812c6b63e4c5de75e2a37ac987d9ff5f1

    SHA256

    0305bee95a2981ab9e3475995aa2d0e0b7ee0a05607121502a6a4306b035b1a9

    SHA512

    217aec6416d3fd4985d2a38874836a008858c4f0141f1f33a03cb7eaeb321578eefda43f8897c6b0d1cb20922b1c57d752ec24a963c68995e1c4055a3bf81433

  • memory/2432-12-0x0000000009320000-0x0000000009390000-memory.dmp

    Filesize

    448KB

  • memory/2432-8-0x0000000005BF0000-0x0000000005F47000-memory.dmp

    Filesize

    3.3MB

  • memory/2432-4-0x00000000059B0000-0x0000000005A42000-memory.dmp

    Filesize

    584KB

  • memory/2432-5-0x0000000005A50000-0x0000000005A5A000-memory.dmp

    Filesize

    40KB

  • memory/2432-6-0x00000000751F0000-0x00000000759A1000-memory.dmp

    Filesize

    7.7MB

  • memory/2432-7-0x0000000005AC0000-0x0000000005B16000-memory.dmp

    Filesize

    344KB

  • memory/2432-13-0x0000000003340000-0x000000000335E000-memory.dmp

    Filesize

    120KB

  • memory/2432-9-0x00000000032C0000-0x00000000032D4000-memory.dmp

    Filesize

    80KB

  • memory/2432-10-0x00000000751FE000-0x00000000751FF000-memory.dmp

    Filesize

    4KB

  • memory/2432-11-0x00000000751F0000-0x00000000759A1000-memory.dmp

    Filesize

    7.7MB

  • memory/2432-3-0x0000000005F60000-0x0000000006506000-memory.dmp

    Filesize

    5.6MB

  • memory/2432-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

    Filesize

    4KB

  • memory/2432-2-0x0000000005910000-0x00000000059AC000-memory.dmp

    Filesize

    624KB

  • memory/2432-1-0x0000000000DB0000-0x0000000000F1E000-memory.dmp

    Filesize

    1.4MB

  • memory/2432-19-0x00000000751F0000-0x00000000759A1000-memory.dmp

    Filesize

    7.7MB

  • memory/4804-17-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

  • memory/4804-21-0x00000000751C0000-0x000000007526B000-memory.dmp

    Filesize

    684KB

  • memory/4804-22-0x0000000005590000-0x0000000005BA8000-memory.dmp

    Filesize

    6.1MB

  • memory/4804-23-0x0000000004E50000-0x0000000004E62000-memory.dmp

    Filesize

    72KB

  • memory/4804-24-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

    Filesize

    240KB

  • memory/4804-25-0x00000000751C0000-0x000000007526B000-memory.dmp

    Filesize

    684KB

  • memory/4804-26-0x0000000004EF0000-0x0000000004F3C000-memory.dmp

    Filesize

    304KB

  • memory/4804-27-0x0000000005160000-0x000000000526A000-memory.dmp

    Filesize

    1.0MB

  • memory/4804-28-0x00000000751C0000-0x000000007526B000-memory.dmp

    Filesize

    684KB