Analysis
-
max time kernel
150s -
max time network
196s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
23-08-2021 13:56
General
-
Target
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe
-
Size
281KB
-
MD5
1456183e34298fd19d33d75df3bfa1f9
-
SHA1
f3988800cc013e843fa4e4673dc40678453cb18c
-
SHA256
0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
-
SHA512
d55fc8176ddddac84ad5f529016991679c1ce1e345294c0b5b610a1a4b95891aa499d32cb48b618770b992f5bf2028fcf0e7b5db90b6cb1357262ecb8b816441
Malware Config
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
185.215.113.29:8678
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe"C:\Users\Admin\AppData\Local\Temp\0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2C6D.exeC:\Users\Admin\AppData\Local\Temp\2C6D.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\2C6D.exeMD5
193232121f2548d05f4915cc583fbed6
SHA1b19662c7d6c8618fbc88cb9d67aa9241a64264dc
SHA256ca2714547361d26fbd3908a0a323d4bd34a2901249d1cb2aeb801104f0f88eac
SHA5122a801e59bbe03e73d76bb4560b8eb7780833cdf5970e227ae09cc8c3dbccdd2fc76559fcf63521dbd9baea659040756cd04ce2770536d583e6185c8d92ba8d95
-
memory/520-60-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/520-61-0x0000000000400000-0x00000000023B1000-memory.dmpFilesize
31.7MB
-
memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmpFilesize
8KB
-
memory/544-68-0x0000000003E00000-0x0000000003E1C000-memory.dmpFilesize
112KB
-
memory/544-63-0x0000000000000000-mapping.dmp
-
memory/544-65-0x0000000000230000-0x0000000000260000-memory.dmpFilesize
192KB
-
memory/544-66-0x0000000000400000-0x00000000023C1000-memory.dmpFilesize
31.8MB
-
memory/544-67-0x00000000024B0000-0x00000000024CD000-memory.dmpFilesize
116KB
-
memory/544-69-0x0000000004041000-0x0000000004042000-memory.dmpFilesize
4KB
-
memory/544-70-0x0000000004042000-0x0000000004043000-memory.dmpFilesize
4KB
-
memory/544-72-0x0000000004044000-0x0000000004046000-memory.dmpFilesize
8KB
-
memory/544-71-0x0000000004043000-0x0000000004044000-memory.dmpFilesize
4KB
-
memory/1204-62-0x0000000002970000-0x0000000002986000-memory.dmpFilesize
88KB