Analysis
-
max time kernel
151s -
max time network
143s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
11-08-2021 06:46
General
-
Target
bfa14859432cc51e9f8a9b632dc38713.exe
-
Size
302KB
-
MD5
bfa14859432cc51e9f8a9b632dc38713
-
SHA1
b76262d0b04a555f9ddbef1e3f8a99fe8bf50f5f
-
SHA256
940856f93e56ecd69b6833c94a78247b3f8d60348ac9b73928fd338113fbbc9e
-
SHA512
92df1e4440a47ac40a7a32fcd064632b4ca414e85a8b607d53dee0c95980159db198aff55247a73df59914eb0db4828685d5d21a0659ead1674d252bc9ac01d9
Malware Config
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
SewPalpadin
185.215.113.114:8887
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe"C:\Users\Admin\AppData\Local\Temp\bfa14859432cc51e9f8a9b632dc38713.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C764.exeC:\Users\Admin\AppData\Local\Temp\C764.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\C764.exeMD5
9cd5c89d6bd650cc18fbaa26337e84f0
SHA1fdd3183b0031b78fc6e3281f984da185ddc07430
SHA256fd6edc411a9392fe0b965408b4bb6f2bc83907aed60806fdb011ecbfc7feaa49
SHA51293907e7329bd86d1ea910d7bd2fef46cce4158bee1e420f4484a6b126f103393211b58364914f9760df6c5b27e85828129f38d95c3359f92ff73a7c719719115
-
memory/396-68-0x0000000007011000-0x0000000007012000-memory.dmpFilesize
4KB
-
memory/396-63-0x0000000000000000-mapping.dmp
-
memory/396-65-0x0000000004680000-0x000000000469B000-memory.dmpFilesize
108KB
-
memory/396-67-0x0000000000400000-0x0000000002C85000-memory.dmpFilesize
40.5MB
-
memory/396-66-0x00000000002E0000-0x000000000030F000-memory.dmpFilesize
188KB
-
memory/396-70-0x0000000007013000-0x0000000007014000-memory.dmpFilesize
4KB
-
memory/396-69-0x0000000007012000-0x0000000007013000-memory.dmpFilesize
4KB
-
memory/396-71-0x00000000049A0000-0x00000000049B9000-memory.dmpFilesize
100KB
-
memory/396-72-0x0000000007014000-0x0000000007016000-memory.dmpFilesize
8KB
-
memory/1052-61-0x0000000000400000-0x0000000000902000-memory.dmpFilesize
5.0MB
-
memory/1052-60-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/1052-59-0x0000000074F31000-0x0000000074F33000-memory.dmpFilesize
8KB
-
memory/1208-62-0x0000000003B30000-0x0000000003B46000-memory.dmpFilesize
88KB