Analysis
- max time kernel: 150s
- max time network: 196s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-08-2021 13:56
- Static task: static1
- Behavioral task: behavioral1 (sample 0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe, resource win7v20210408)
- Behavioral task: behavioral2 (sample 0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe, resource win10v20210408)
General
- Target: 0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe
- Size: 281KB
- MD5: 1456183e34298fd19d33d75df3bfa1f9
- SHA1: f3988800cc013e843fa4e4673dc40678453cb18c
- SHA256: 0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed
- SHA512: d55fc8176ddddac84ad5f529016991679c1ce1e345294c0b5b610a1a4b95891aa499d32cb48b618770b992f5bf2028fcf0e7b5db90b6cb1357262ecb8b816441
Malware Config
Extracted: smokeloader (version 2020)
C2 URLs:
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/
Extracted: redline
C2: 185.215.113.29:8678
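The extracted config is the most directly usable part of the report. Below is an added example (not code from the report or the sandbox) that parses the flat "Extracted" blocks exactly as they appear above into per-family C2 lists, emits Suricata rules for them, and matches the resulting host and ip:port set against proxy and firewall log lines. The C2 values are copied from the report; the log lines, the log field names (host=, dst=, dport=) and the sid range are constructed for the demonstration.

```python
"""Turn the report's extracted SmokeLoader/RedLine config into network IOCs,
Suricata rules, and a matcher for proxy/firewall logs.

Added example, not part of the sandbox report. C2 values are copied from the
report's "Malware Config" section; SAMPLE_LOG and its field layout are constructed.
"""
import re
from urllib.parse import urlsplit

# Copied verbatim from the report's "Malware Config" section.
EXTRACTED_CONFIG = """\
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Extracted
redline
185.215.113.29:8678
"""

_IP_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Split the flat 'Extracted' blocks into {family: {version, urls, endpoints}}."""
    families, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Extracted":          # block separator: next line names the family
            current = None
            continue
        if current is None:
            current = line.lower()
            families[current] = {"version": None, "urls": [], "endpoints": []}
            continue
        m = _IP_PORT.match(line)
        if line.startswith(("http://", "https://")):
            families[current]["urls"].append(line)
        elif m:
            families[current]["endpoints"].append((m.group(1), int(m.group(2))))
        else:                            # SmokeLoader's "2020" version field
            families[current]["version"] = line
    return families


def iocs(families):
    """Flatten to a set of hostnames and a set of (ip, port) tuples for matching."""
    hosts, endpoints = set(), set()
    for fam in families.values():
        hosts.update(urlsplit(u).hostname.lower() for u in fam["urls"])
        endpoints.update(fam["endpoints"])
    return hosts, endpoints


def suricata_rules(families, base_sid=9000001):
    """One Suricata (5+ syntax) rule per C2 host or ip:port; sid range is arbitrary."""
    rules, sid = [], base_sid
    for name, fam in families.items():
        for u in fam["urls"]:
            host = urlsplit(u).hostname
            rules.append(
                f'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"{name} C2 host {host}"; '
                f'http.host; content:"{host}"; nocase; sid:{sid}; rev:1;)')
            sid += 1
        for ip, port in fam["endpoints"]:
            rules.append(
                f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{name} C2 {ip}:{port}"; '
                f'flow:to_server; sid:{sid}; rev:1;)')
            sid += 1
    return rules


# Constructed proxy/firewall lines (not from the report); one SmokeLoader POST, one RedLine connect.
SAMPLE_LOG = """\
2021-08-23T13:57:01Z proxy src=10.0.0.15 method=POST host=aucmoney.com path=/upload/ status=200
2021-08-23T13:57:02Z proxy src=10.0.0.15 method=GET host=www.microsoft.com path=/ status=200
2021-08-23T13:57:09Z fw src=10.0.0.15 dst=185.215.113.29 dport=8678 proto=tcp action=allow
2021-08-23T13:58:00Z fw src=10.0.0.22 dst=185.215.113.29 dport=443 proto=tcp action=allow
"""


def match_log(lines, hosts, endpoints):
    """Return the lines that touch a known C2 host or (ip, port) pair."""
    hits = []
    for line in lines.splitlines():
        host = re.search(r"host=(\S+)", line)
        dst = re.search(r"dst=(\S+) dport=(\d+)", line)
        if host and host.group(1).lower() in hosts:
            hits.append(line)
        elif dst and (dst.group(1), int(dst.group(2))) in endpoints:
            hits.append(line)
    return hits


if __name__ == "__main__":
    fams = parse_config(EXTRACTED_CONFIG)
    print("\n".join(suricata_rules(fams)))
    print("\n".join(match_log(SAMPLE_LOG, *iocs(fams))))
```

The RedLine endpoint is matched on ip and port together on purpose: 185.215.113.29:443 in the fourth constructed line is not a hit, because the report only ties port 8678 to this family. Treat the SmokeLoader hosts as higher-confidence than the IP, since a shared-hosting IP is far more likely to change or be reused than the six paths.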
Signatures
(All signature hits and memory dumps on this page come from behavioral1, the Windows 7 x64 run; no behavioral2 results are shown.)
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  YARA rule family_redline matched two memory regions of pid 544 (2C6D.exe):
  behavioral1/memory/544-67-0x00000000024B0000-0x00000000024CD000-memory.dmp
  behavioral1/memory/544-68-0x0000000003E00000-0x0000000003E1C000-memory.dmp
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid 544: 2C6D.exe
- Deletes itself (1 IoC)
  pid 1204
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe (pid 520): key opened, key queried and key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 520 (the sample): 2 events; pid 1204: the remaining 62 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1204
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 520 (the sample)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid 1204: SeShutdownPrivilege (2 events)
  pid 544 (2C6D.exe): SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid 1204 (4 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid 1204 (4 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  pid 1204 wrote to the memory of pid 544 (2C6D.exe): 4 events

Note on pid 1204: the report attributes the self-deletion, the SeShutdownPrivilege adjustments, the shell-tray and foreground-window calls, most of the process enumeration and the writes into 2C6D.exe to pid 1204, but never gives that pid an image name. Treat it as an unnamed third process, distinct from the sample (pid 520) and from 2C6D.exe (pid 544); the sample's own recorded activity ends with the SCSI check, process enumeration and a MapViewOfSection call.
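The "Checks SCSI registry key(s)" signature records only that the sample opened, queried and enumerated HKLM\SYSTEM\ControlSet001\Enum\SCSI. The added example below (not code from the report or the sample) shows the decision a sandbox-aware binary makes from that key and lets you see what your own analysis VM exposes there. The key path is the one the report records; the virtualisation marker strings and the two constructed device-ID lists are my assumptions about what such a check typically looks for, not something the report shows the sample comparing against.

```python
"""Reproduce the VM check implied by the 'Checks SCSI registry key(s)' signature.

Added example, not code from the report or the sample. Key path is from the
report; VM_MARKERS and the CONSTRUCTED_* lists are assumptions for illustration.
"""
import platform

SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"   # under HKLM, as recorded in the report

# Assumed markers: vendor/product strings that commonly appear in the device IDs of
# virtual SCSI disks (VMware, VirtualBox, QEMU/KVM, Xen, Hyper-V "Msft Virtual Disk").
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtio", "virtual")

# Constructed device-ID lists, shaped like the subkey names under Enum\SCSI.
CONSTRUCTED_VBOX_IDS = [
    r"Disk&Ven_VBOX&Prod_HARDDISK",
    r"CdRom&Ven_VBOX&Prod_CD-ROM",
]
CONSTRUCTED_BAREMETAL_IDS = [
    r"Disk&Ven_NVMe&Prod_Samsung_SSD_970",
]


def classify_scsi_ids(device_ids):
    """Return the device IDs carrying a virtualisation marker (case-insensitive)."""
    flagged = []
    for dev in device_ids:
        low = dev.lower()
        if any(marker in low for marker in VM_MARKERS):
            flagged.append(dev)
    return flagged


def looks_like_vm(device_ids):
    """The yes/no answer a sandbox-aware sample would derive from the enumerated key."""
    return bool(classify_scsi_ids(device_ids))


def enumerate_scsi_ids():
    """Open, query and enumerate the key the report names. Windows only; [] elsewhere."""
    if platform.system() != "Windows":
        return []
    import winreg  # standard library on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]   # the "key queried" step
        for i in range(subkey_count):                # the "key enumerated" step
            ids.append(winreg.EnumKey(key, i))
    return ids


if __name__ == "__main__":
    found = enumerate_scsi_ids()
    print("SCSI device IDs:", found)
    print("VM markers hit:", classify_scsi_ids(found))
    print("looks like VM:", looks_like_vm(found))
```

Run it inside the analysis VM to see exactly which strings a sample can read; if it reports hits, the guest's disk identifiers are what to change before expecting different behaviour from evasive samples. On the detection side, note that the three events the sandbox recorded are registry reads: Sysmon's registry events (12, 13, 14) cover key create/delete, value set and rename, not opens or enumeration, so reproducing this signature on an endpoint needs a SACL on the key plus Security event 4663, or an EDR that hooks registry queries.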
Processes
- C:\Users\Admin\AppData\Local\Temp\0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe (pid 520)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\2C6D.exe (pid 544)
  Command line: C:\Users\Admin\AppData\Local\Temp\2C6D.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Both entries sit at the top level of the report's process tree; 2C6D.exe is not shown as a child of the sample, and the only link the report records between them is pid 1204 writing into 2C6D.exe's memory.
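The process-level signatures above (a dropped EXE run from the user's Temp directory, another process writing into its memory, the original file deleted) are the ones an endpoint can reproduce from standard telemetry. The added example below (not code from the report) correlates them over Sysmon-style events. The events are constructed to mirror the report's pids and paths; the field names follow Sysmon Event 1 (ProcessCreate), 10 (ProcessAccess) and 23 (FileDelete) but the records are hand-written, the parent pid 1204 for 2C6D.exe is an assumption the report does not confirm, and the four-hex-character filename pattern is generalised from the single dropped name the report shows (2C6D.exe).

```python
"""Correlate dropped-EXE execution, cross-process memory writes and self-deletion
over Sysmon-style events, mirroring the pids in the report.

Added example, not part of the report. EVENTS are constructed; the Temp-hex-name
pattern and the ppid of the dropped exe are assumptions.
"""
import re
from collections import defaultdict

PROCESS_VM_OPERATION = 0x0008   # both bits are required for WriteProcessMemory to succeed
PROCESS_VM_WRITE = 0x0020
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumption: a 4-hex-character .exe dropped into the user's Temp directory,
# generalised from the one name the report shows (2C6D.exe).
TEMP_HEX_EXE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{4}\.exe$")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0e439b622658ab71228c7388ec456c7baf041046d7eff1a37bc9c02177c324ed.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\2C6D.exe"

# Constructed Sysmon-style events (not from the report). id 1 = ProcessCreate,
# 10 = ProcessAccess (GrantedAccess is the requested mask), 23 = FileDelete.
EVENTS = [
    {"id": 1, "pid": 520, "ppid": 100, "image": SAMPLE},
    {"id": 1, "pid": 544, "ppid": 1204, "image": DROPPED},          # ppid is an assumption
    {"id": 10, "source_pid": 1204, "target_pid": 544, "granted_access": 0x1FFFFF},
    {"id": 10, "source_pid": 900, "target_pid": 544, "granted_access": 0x1000},  # QueryLimitedInformation only
    {"id": 23, "pid": 1204, "target": SAMPLE},
]


def correlate(events):
    """Score every created process on the three behaviours the report records."""
    processes = {e["pid"]: e for e in events if e["id"] == 1}
    writers = defaultdict(set)          # target pid -> pids that opened it with write access
    deleted = {e["target"].lower() for e in events if e["id"] == 23}

    for e in events:
        if e["id"] == 10 and e["source_pid"] != e["target_pid"] \
                and (e["granted_access"] & WRITE_MASK) == WRITE_MASK:
            writers[e["target_pid"]].add(e["source_pid"])

    findings = []
    for pid, proc in processes.items():
        reasons = []
        if TEMP_HEX_EXE.search(proc["image"]):
            reasons.append("dropped-style exe run from %TEMP%")
        if writers.get(pid):
            reasons.append(f"memory written by pid(s) {sorted(writers[pid])}")
        if proc["image"].lower() in deleted:
            reasons.append("image deleted after launch")
        if reasons:
            findings.append({"pid": pid, "image": proc["image"], "reasons": reasons})
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)   # strongest chain first
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["pid"], f["image"], "->", "; ".join(f["reasons"]))
```

Two caveats a detection engineer should carry over. Sysmon Event 10 records the access mask requested at OpenProcess, so a process that asks for PROCESS_ALL_ACCESS (0x1FFFFF) and never writes still matches; corroborate with Event 8 (CreateRemoteThread) or an EDR write event before alerting at high severity. And the SeDebugPrivilege/SeShutdownPrivilege adjustments in the report do not appear in Sysmon at all; they surface as Security event 4703 when privilege-use auditing is enabled.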
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\2C6D.exe
  MD5: 193232121f2548d05f4915cc583fbed6
  SHA1: b19662c7d6c8618fbc88cb9d67aa9241a64264dc
  SHA256: ca2714547361d26fbd3908a0a323d4bd34a2901249d1cb2aeb801104f0f88eac
  SHA512: 2a801e59bbe03e73d76bb4560b8eb7780833cdf5970e227ae09cc8c3dbccdd2fc76559fcf63521dbd9baea659040756cd04ce2770536d583e6185c8d92ba8d95

Memory dumps (name format memory/<pid>-<index>-<start>-<end>-memory.dmp; the indices 59 to 72 run consecutively across the three pids):
- memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmp: 8KB
- memory/520-60-0x0000000000020000-0x0000000000029000-memory.dmp: 36KB
- memory/520-61-0x0000000000400000-0x00000000023B1000-memory.dmp: 31.7MB
- memory/1204-62-0x0000000002970000-0x0000000002986000-memory.dmp: 88KB
- memory/544-63-0x0000000000000000-mapping.dmp
- memory/544-65-0x0000000000230000-0x0000000000260000-memory.dmp: 192KB
- memory/544-66-0x0000000000400000-0x00000000023C1000-memory.dmp: 31.8MB
- memory/544-67-0x00000000024B0000-0x00000000024CD000-memory.dmp: 116KB (family_redline)
- memory/544-68-0x0000000003E00000-0x0000000003E1C000-memory.dmp: 112KB (family_redline)
- memory/544-69-0x0000000004041000-0x0000000004042000-memory.dmp: 4KB
- memory/544-70-0x0000000004042000-0x0000000004043000-memory.dmp: 4KB
- memory/544-71-0x0000000004043000-0x0000000004044000-memory.dmp: 4KB
- memory/544-72-0x0000000004044000-0x0000000004046000-memory.dmp: 8KB

The listed sizes all agree with the address ranges in the names. The two regions at 0x400000 (31.7MB in pid 520, 31.8MB in pid 544) start at the conventional 32-bit image base and are two orders of magnitude larger than the 281KB file on disk; the two family_redline hits are the 116KB and 112KB regions of pid 544, not its 0x400000 region, so those two dumps are the ones to pull for RedLine config extraction.
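The dump names encode pid, dump index and address range, and the sizes the report prints can be recomputed from them. The added example below (not from the report) parses the names, verifies every listed size against its range using the report's own rounding, groups dumps per pid, and pulls out the regions the family_redline rule matched. Names and sizes are copied from the Downloads and Signatures sections; the interpretation of 0x400000 as the image base is an assumption based on the conventional 32-bit default, and the rounding rule in human() is inferred from the listed values.

```python
"""Parse the report's memory-dump names, cross-check listed sizes, and select the
regions tagged by the RedLine YARA rule.

Added example, not part of the report. DUMPS and REDLINE_HITS are copied from the
report; the 0x400000 image-base interpretation and the rounding rule are assumptions.
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x0+-mapping\.dmp")

# (name, listed size) copied from the report's Downloads section; the mapping entry has no size.
DUMPS = [
    ("memory/520-60-0x0000000000020000-0x0000000000029000-memory.dmp", "36KB"),
    ("memory/520-61-0x0000000000400000-0x00000000023B1000-memory.dmp", "31.7MB"),
    ("memory/520-59-0x0000000075891000-0x0000000075893000-memory.dmp", "8KB"),
    ("memory/544-68-0x0000000003E00000-0x0000000003E1C000-memory.dmp", "112KB"),
    ("memory/544-63-0x0000000000000000-mapping.dmp", None),
    ("memory/544-65-0x0000000000230000-0x0000000000260000-memory.dmp", "192KB"),
    ("memory/544-66-0x0000000000400000-0x00000000023C1000-memory.dmp", "31.8MB"),
    ("memory/544-67-0x00000000024B0000-0x00000000024CD000-memory.dmp", "116KB"),
    ("memory/544-69-0x0000000004041000-0x0000000004042000-memory.dmp", "4KB"),
    ("memory/544-70-0x0000000004042000-0x0000000004043000-memory.dmp", "4KB"),
    ("memory/544-72-0x0000000004044000-0x0000000004046000-memory.dmp", "8KB"),
    ("memory/544-71-0x0000000004043000-0x0000000004044000-memory.dmp", "4KB"),
    ("memory/1204-62-0x0000000002970000-0x0000000002986000-memory.dmp", "88KB"),
]

# From the report's "RedLine Payload" signature, with the behavioral1/ prefix dropped.
REDLINE_HITS = {
    "memory/544-67-0x00000000024B0000-0x00000000024CD000-memory.dmp",
    "memory/544-68-0x0000000003E00000-0x0000000003E1C000-memory.dmp",
}

SAMPLE_SIZE_ON_DISK = 281 * 1024   # "Size 281KB" from the General section


def parse_dump(name):
    """Decode pid, index and address range from a dump name."""
    m = DUMP_RE.fullmatch(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start,
                "end": end, "bytes": end - start, "kind": "region"}
    m = MAPPING_RE.fullmatch(name)
    if m:
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": None,
                "end": None, "bytes": None, "kind": "mapping"}
    raise ValueError(f"unrecognised dump name: {name}")


def human(nbytes):
    """Rounding inferred from the report: whole KB below 1 MiB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_sizes(dumps):
    """Names whose listed size disagrees with the size implied by the address range."""
    return [name for name, listed in dumps
            if parse_dump(name)["kind"] == "region" and human(parse_dump(name)["bytes"]) != listed]


def regions_by_pid(dumps):
    """Group parsed dumps per pid, ordered by dump index."""
    out = {}
    for name, _ in dumps:
        d = parse_dump(name)
        out.setdefault(d["pid"], []).append(d)
    for regs in out.values():
        regs.sort(key=lambda d: d["idx"])
    return out


def redline_regions(dumps):
    """(name, size in bytes) for the dumps the family_redline rule matched."""
    return [(n, parse_dump(n)["bytes"]) for n, _ in dumps if n in REDLINE_HITS]


def image_base_regions(dumps, base=0x400000):
    """(pid, size) of regions starting at the assumed 32-bit image base."""
    out = []
    for n, _ in dumps:
        d = parse_dump(n)
        if d["start"] == base:
            out.append((d["pid"], d["bytes"]))
    return out


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    print("RedLine regions:", redline_regions(DUMPS))
    print("image-base regions vs 281KB on disk:", image_base_regions(DUMPS), SAMPLE_SIZE_ON_DISK)
```

check_sizes() returning an empty list confirms the report's numbers are internally consistent, which is worth doing before trusting a region list from any automated report. The two image-base regions are each well over a hundred times the file size, so whatever the sandbox dumped there is not the on-disk PE; the compact 116KB and 112KB regions are where the RedLine rule fired and are the natural input for a RedLine config extractor.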