Analysis
max time kernel: 151s
max time network: 143s
platform: windows7_x64
resource: win7v20210410
submitted: 11-08-2021 06:46
Static task: static1
Behavioral task: behavioral1
  Sample: bfa14859432cc51e9f8a9b632dc38713.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: bfa14859432cc51e9f8a9b632dc38713.exe
  Resource: win10v20210408
General
Target: bfa14859432cc51e9f8a9b632dc38713.exe
Size: 302KB
MD5: bfa14859432cc51e9f8a9b632dc38713
SHA1: b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
SHA256: 940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
SHA512: 92df1e4440a47ac40a7a32fcd064632b4ca414e85a8b607d53dee0c95980159db198aff55247a73df59914eb0db4828685d5d21a0659ead1674d252bc9ac01d9
Malware Config
Extracted: smokeloader
  Version: 2020
  C2 URLs:
    http://aucmoney.com/upload/
    http://thegymmum.com/upload/
    http://atvcampingtrips.com/upload/
    http://kuapakualaman.com/upload/
    http://renatazarazua.com/upload/
    http://nasufmutlu.com/upload/
Extracted: redline
  Botnet: SewPalpadin
  C2: 185.215.113.114:8887
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (2 IoCs)
  YARA rule family_redline matched in:
    behavioral1/memory/396-65-0x0000000004680000-0x000000000469B000-memory.dmp
    behavioral1/memory/396-71-0x00000000049A0000-0x00000000049B9000-memory.dmp
SmokeLoader
  Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE (1 IoC)
  pid 396, process C764.exe
Deletes itself (1 IoC)
  pid 1208
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process bfa14859432cc51e9f8a9b632dc38713.exe:
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1052 (bfa14859432cc51e9f8a9b632dc38713.exe): 2 entries
  pid 1208: remaining 62 entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1208
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1052 (bfa14859432cc51e9f8a9b632dc38713.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 396 (C764.exe)
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1208: 4 entries
Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1208: 4 entries
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1208 wrote to memory of 396 (C764.exe): 4 entries
Processes
"C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe" (pid 1052)
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\C764.exe (pid 396)
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\C764.exe
  MD5: 9cd5c89d6bd650cc18fbaa26337e84f0
  SHA1: fdd3183b0031b78fc6e3281f984da185ddc07430
  SHA256: fd6edc411a9392fe0b965408b4bb6f2bc83907aed60806fdb011ecbfc7feaa49
  SHA512: 93907e7329bd86d1ea910d7bd2fef46cce4158bee1e420f4484a6b126f103393211b58364914f9760df6c5b27e85828129f38d95c3359f92ff73a7c719719115