Analysis
-
max time kernel
75s -
max time network
79s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
-
submitted
24-06-2024 18:43
General
-
Target
https://universalmovies.top/notorious.doc
Malware Config
Extracted
redline
wordfile
185.38.142.10:7474
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload 3 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 59 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://universalmovies.top/notorious.doc1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\notorious.doc"2⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122883⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\notorious53209.exe"C:\Users\Admin\AppData\Roaming\notorious53209.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Roaming\notorious53209.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5a4899c30e3bd4badb4c6b53474b3c6ff
SHA163fc3d8540049110821afa0fbf5e2f50fdc61ec9
SHA256e351ae6a650318a79d43b6ad09b954638b3848f99af646599aaa70b2a0d0ca5b
SHA512a7ae3bb49dfb725f441a4f9466263898015248444572635ef712477abe0fe5c05b760001a17feb01d1a6142183d4cf408f06d7ce3bb55c92b0d8dc80cbefe500
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD5082befcb55e9b51659ecb4bedceee7d5
SHA196d222caa867cc736400c228c778cbc9f631d7cb
SHA2563cff8f6bff28e98bca5a545b91a730d04029ff1a5c6aa8b657bb5dcc8330ea01
SHA512cf0822029e688db556cf725be136a6aac57f69499c4a5aaf5146d1d92082c401a99db90b7bcf659f54a2789fb77deb33d1168ea496436b2dd2c32f6fca61cf64
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c55397a03c882832b39d9344683f536b
SHA1075e35d976c6a682656f04e1de600be6e63ab32c
SHA2566598927bd6ebe245afd44271444a38e2f70d983be019eb4ccd5b1de4bf4b762a
SHA5121c939945f0f456d369889f515c96f4a77423ff85ea384370ccfd5c55a927b8f3bf4528a777024850c71ccc9a2954c526b4265bd102171c1d4bc5b3b6364e8408
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54c72a8f388c5f77a61e40235c89eb3ff
SHA1a6af984406aa2b3a076084c7d0ae0579a5136afe
SHA2562dcaf328fe1442c375e1943fc843140edf4b99719b127b91244119135a94b047
SHA512e79a61db004b9cb67eb9911ddc5f4f95ebf1af68c83857ba8b49e43d399ecb6974ce00f865904c8decf027456da2e271e3ab6d2c2122c62676f414f7bb7b21fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD559134bcb4ae9731c294b529d8065020f
SHA1a5efab17cee0efe142aa861a7424a034ccc4e7bb
SHA256dc9715f3f52953311dc61e784bd1dab4d733dd9674278fd022f62f8727bc2018
SHA512e7d796928f01023f925ab015a5a4f4b5385695417f8aafc38e65dcbde088489ee52db456245d4aeda7c25d9bc89e2cc151c2fd9136c57b8e4ca2b483d3ddb0ce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD540ffc4d7af67bf33f8c416fea1e2e6eb
SHA1c981d6cb194233957cbe03c7f82cb7649fbc60c8
SHA256ad2c92383963ad8e7d48fa0953b7042dfa60c707de83bb8699d4e48cef2a08db
SHA512d614c95896d0536f4a50bf7f747bf4036314bccde889ab2f076e07d679db30c503727f694bbca94fcb2d1e5e3edd0116fc7c2b9cca08bc01b15df15a9be4cec9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD512da944b3388430902e1df073547c97e
SHA1e740fa669ca949b8d7be32550e6aa0360225afab
SHA256cd783343f523515daf9ec5fd883a385577f91e051523d6aecd24af3825a291a7
SHA512a647f682ccddb1c4707bd66b989281636f5adad0630ba7d829b86f195b5f47cb6fabdf59a2fc0131fdde06229456d5962c5d0834e2e543c1e6f6f13dbcefe9eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c451990dc0566b72403488763be7a43c
SHA12413d8adebb1bcd75483eeec356777cd13f3b61a
SHA25641209558ce8fbcb3d2d4b28d02a6f28c94e90ce0e43b2ea0f087d9940858ecba
SHA5125915a2b4524111285aca237e0caa8b403261d9eba83418222867c0c80f97b2ce8f483330686c25b5def2590197ddd91988b9c5efe1d8f1b3930284f92bd2571c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5ad4aeb2e21cc5c4d98f98abd1e587ad4
SHA19116c6f2069ec3af55df70a75cb5d3be5a195f71
SHA2561dc568f1dc45bd6e198ad5a07c9f2f092934f8867a696bc2b9c1ff2a06615f2b
SHA512047318dbcdd51b078f7afc395a94bcb6c18834faaa2b57ca5dcf32dc85fd2e6337f35022fe9b27074e280f026b655ea3bfa457e0376e2b1bebf86bf35b5c02d0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5a0dcbb3022594c02bed390a4b925e19b
SHA16a2a0bf4b64d365ae66125f5fea501a0aca2fec9
SHA256c379f28ad414308e7fc01ba3e19f7305fe76a317a9d5b222926269701c9eac4a
SHA512e89decf6de88c23d2f306c8b0edf58f9a142b5560b14838acd3db37b3927808c0475623f9f12872108201bb6667ffedaba00fb8a5c623f2a7cd3b6901a2d89f6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD579871fb5358e797256c7505072a3eae9
SHA1cf9df61aa3954fbc7a4738a6b6d34a2f35a15c33
SHA256c938b34b3ea29d4f764df270b340e40b488e1bf8c3523fb176c3a282c239ed59
SHA5126edc3e4a90e87e94c746f4503b08d1d8f0370cd6736f2f494b6c7ff44caea03c68d2d532ef6691ce4338526f2b7c1173f644f178d3663c22e1ab702aaf26b45d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD500e556c51641991efa5f9154df0575d6
SHA1b9dad8f5b9de59e3cd0a5a0194d4dc7ed8ee8505
SHA2565b7c2c93beb09e44f7f29cd1f4c1f9a867c24c2ab219c1faa5eb39ba4e9a2966
SHA5126a016c25c2cf1b6ed2813170cbed74f2f89c71327a70e06c4d97089c047e5c66ca3b8f178c00aa441c753aa07be2a08842c688221f50fc5f98fc1b039fc13625
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD551ad92d0f9624981f7bb91ed43ac9229
SHA1bb2dae8c27a6dc62a5c78f088807d3a889403195
SHA256ea19b1281eff2cacaf439523df48c3b28a9bc577a120a7744b9996a4146b66ce
SHA512a9fe2d95ccef1350a82d2aa433acccbf1caaaa3cf744e42ec009982155ddab84890cdc9a6824db2c379e56800b810811ee066ecb83c2f123aea3ff0841fc5f72
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD585c257ef989a5e6ae0ac635e08994983
SHA1a69592007498f17114d3beda7541df031e245751
SHA2566c8188efc618f9fd32129a2226df4d18c5118862ef075caf98ef23f36ee1020d
SHA512ffc26c0f51f811343f04245a2aa9a837051d3e64bdc86aa6e3648b969ca2dde3254336df6ddc7fa4bb485d60a966bbd83386226a53baf547ca959dc806b53aae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464Filesize
392B
MD553f41f2c960217a617634b80bada1d29
SHA1cd8da3a1d5598dd58f5f02620cc5f611ece1acd6
SHA25693db6bdd5d8e9999be1e47cb9edf52da008a9d8a0e667e1413079d5d1d6f4aea
SHA512d4fe816f8676d9479604c0461324d18ed440913bed428e1f376bdfff9b87ead0944f15e5984a9d9978604bbf0857cb5ade3643b8e4a64cba1fd9606665ea706d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A8DU897P\notorious[1].docFilesize
604KB
MD52d1b096a33d1b673fd06db9f3e861761
SHA13c0a1d1bd1b54381df8769ecc173e8635fea366e
SHA256bf89362748b9e66c11aaa49ddf83b1665fe038d04225b36de4f26cffc11a0f3d
SHA51232156517472c8c4a6998e58bb90e0a684516a11c403d87524a8561f647901cdb9413dd71b55df4de52c88e5e522e06ee9565fc6dc653ec8f49ba5c58a3d5034e
-
C:\Users\Admin\AppData\Local\Temp\Cab9869.tmpFilesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\Temp\TarC3EC.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\tmpCF24.tmpFilesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmpCFA7.tmpFilesize
92KB
MD59da83032394b54144d4c2a3ae7cdfbce
SHA1b85d3a0ff5006c2c1d7270500d7849d373f597b7
SHA25690708648aa3da58b81497a0bc395507906d89d39583d6ad8dcb4e0d417bdc084
SHA51217cb5c7cf40433e75a6240c2eaffd22bd77f5076c1904041670dd8609769e9c970499f85fc18354782c548fc0739df954dc44a9e1ff40d427a5b4f0d278417f3
-
\Users\Admin\AppData\Roaming\notorious53209.exeFilesize
629KB
MD5901a623dbccaa22525373cd36195ee14
SHA19adb6dddb68cd7e116da9392e7ee63a8fa394495
SHA256b5e250a95073b5dfe33f66c13cc89da0fc8d3af226e5efb06bb8fcfd9a4cd6ec
SHA512eabeba0eb9ae7e39577a7e313e50807cee1b888f1c8ff0fa375e5de9451a66471c791c23ea4f4af85151f96b065d55e8c1320026d8503a048a3e5968f8effc1d
-
memory/1612-78-0x00000000011E0000-0x0000000001347000-memory.dmpFilesize
1.4MB
-
memory/1612-55-0x00000000011E0000-0x0000000001347000-memory.dmpFilesize
1.4MB
-
memory/2464-235-0x000000006F99D000-0x000000006F9A8000-memory.dmpFilesize
44KB
-
memory/2464-31-0x000000006F99D000-0x000000006F9A8000-memory.dmpFilesize
44KB
-
memory/2464-30-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2464-29-0x000000002F3D1000-0x000000002F3D2000-memory.dmpFilesize
4KB
-
memory/2768-77-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2768-79-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2768-80-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/2792-236-0x00000000049D0000-0x0000000004B37000-memory.dmpFilesize
1.4MB
-
memory/2792-54-0x00000000049D0000-0x0000000004B37000-memory.dmpFilesize
1.4MB