Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
05-09-2021 01:16
General
-
Target
A75FFC6AB58574119E960EC0B1F72BFD.exe
-
Size
3.0MB
-
MD5
a75ffc6ab58574119e960ec0b1f72bfd
-
SHA1
f7addaaf851436721919294927253726b67ce17b
-
SHA256
8303c9a626d7edb090bdd8f0d128fc887b7fa36b0dfc43a7f71dcb5b34b1bbab
-
SHA512
09520fdf40a16790b93b4ef14a0b177bd65956712d874d782c3b902f9a42869d3691aaf6d038468350b0bdc159c6cf376da94af580c4aa6f48250a7e60b99c5d
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 21 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\A75FFC6AB58574119E960EC0B1F72BFD.exe"C:\Users\Admin\AppData\Local\Temp\A75FFC6AB58574119E960EC0B1F72BFD.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8D586684\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed069ea7b9fa22d66d.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed069ea7b9fa22d66d.exeWed069ea7b9fa22d66d.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed062611295f.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed062611295f.exeWed062611295f.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed068238a49b99.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed068238a49b99.exeWed068238a49b99.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed065721111fbde.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed065721111fbde.exeWed065721111fbde.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0660009604.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed06bee4c0f9.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed06bee4c0f9.exeWed06bee4c0f9.exe4⤵
-
C:\Users\Admin\Documents\2Y8dlhUmcz4Ci6otPwucNEQE.exe"C:\Users\Admin\Documents\2Y8dlhUmcz4Ci6otPwucNEQE.exe"5⤵
-
-
C:\Users\Admin\Documents\CKclPLKElHYqpwNQQTHEhxsQ.exe"C:\Users\Admin\Documents\CKclPLKElHYqpwNQQTHEhxsQ.exe"5⤵
-
-
C:\Users\Admin\Documents\_EErSEyxd37NrVWRavTKjgn2.exe"C:\Users\Admin\Documents\_EErSEyxd37NrVWRavTKjgn2.exe"5⤵
-
-
C:\Users\Admin\Documents\RolfU0vHMwt7PXg7QRXELdTA.exe"C:\Users\Admin\Documents\RolfU0vHMwt7PXg7QRXELdTA.exe"5⤵
-
-
C:\Users\Admin\Documents\zKYJlpNSxeCZb9U4v0A8yooB.exe"C:\Users\Admin\Documents\zKYJlpNSxeCZb9U4v0A8yooB.exe"5⤵
-
-
C:\Users\Admin\Documents\o0k5R3_aHzydIRGkxi2O6p50.exe"C:\Users\Admin\Documents\o0k5R3_aHzydIRGkxi2O6p50.exe"5⤵
-
-
C:\Users\Admin\Documents\D_yOBMbDZIN6YNrqHkA21smK.exe"C:\Users\Admin\Documents\D_yOBMbDZIN6YNrqHkA21smK.exe"5⤵
-
-
C:\Users\Admin\Documents\SUfQ_paCyWuOfCDdQY_KPaL4.exe"C:\Users\Admin\Documents\SUfQ_paCyWuOfCDdQY_KPaL4.exe"5⤵
-
-
C:\Users\Admin\Documents\IUgxpXLJpfiFnW6rpH5JQ5vZ.exe"C:\Users\Admin\Documents\IUgxpXLJpfiFnW6rpH5JQ5vZ.exe"5⤵
-
-
C:\Users\Admin\Documents\glHpOmGwKG9ZKzLwJRk0S70N.exe"C:\Users\Admin\Documents\glHpOmGwKG9ZKzLwJRk0S70N.exe"5⤵
-
-
C:\Users\Admin\Documents\7NKOHRvjNuCy3F1oOa6mss1F.exe"C:\Users\Admin\Documents\7NKOHRvjNuCy3F1oOa6mss1F.exe"5⤵
-
-
C:\Users\Admin\Documents\Sz3D9TL1aV1e1NPyJOaJ0uTN.exe"C:\Users\Admin\Documents\Sz3D9TL1aV1e1NPyJOaJ0uTN.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\DPRwKy.exe"6⤵
-
-
-
C:\Users\Admin\Documents\UM0G8xY_bYI5mWrQgnjMIME4.exe"C:\Users\Admin\Documents\UM0G8xY_bYI5mWrQgnjMIME4.exe"5⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe"C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe"5⤵
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
C:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exeC:\Users\Admin\Documents\HE78dkHCQFD9PdfR7z33xcjB.exe6⤵
-
-
-
C:\Users\Admin\Documents\DP_t0Shez2IzvsMi7E8tIQUY.exe"C:\Users\Admin\Documents\DP_t0Shez2IzvsMi7E8tIQUY.exe"5⤵
-
-
C:\Users\Admin\Documents\xZwYg0i0Q_VAzpscH1BLScpv.exe"C:\Users\Admin\Documents\xZwYg0i0Q_VAzpscH1BLScpv.exe"5⤵
-
-
C:\Users\Admin\Documents\V1hf6_9fRkdNV36zbHvXeQkp.exe"C:\Users\Admin\Documents\V1hf6_9fRkdNV36zbHvXeQkp.exe"5⤵
-
-
C:\Users\Admin\Documents\LVbcbPf2HmORAX5n5FVjgSFS.exe"C:\Users\Admin\Documents\LVbcbPf2HmORAX5n5FVjgSFS.exe"5⤵
-
-
C:\Users\Admin\Documents\2p_foztJuNmgtW6aO5K5DJBi.exe"C:\Users\Admin\Documents\2p_foztJuNmgtW6aO5K5DJBi.exe"5⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe"C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe"5⤵
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
C:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exeC:\Users\Admin\Documents\eSbb0EdnNa5l_aYRASJI2UcH.exe6⤵
-
-
-
C:\Users\Admin\Documents\fcPZvhqbyI_i4idXapBeg0HA.exe"C:\Users\Admin\Documents\fcPZvhqbyI_i4idXapBeg0HA.exe"5⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe"C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe"5⤵
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
C:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exeC:\Users\Admin\Documents\yNswBngdJVWEYa7rN3UA_nwW.exe6⤵
-
-
-
C:\Users\Admin\Documents\dkMg_KhTNK1yb4faF_I3PMdU.exe"C:\Users\Admin\Documents\dkMg_KhTNK1yb4faF_I3PMdU.exe"5⤵
-
-
C:\Users\Admin\Documents\bFbd2d4XtdqMEXNK1Nd31x6l.exe"C:\Users\Admin\Documents\bFbd2d4XtdqMEXNK1Nd31x6l.exe"5⤵
-
C:\Users\Admin\Documents\bFbd2d4XtdqMEXNK1Nd31x6l.exe"C:\Users\Admin\Documents\bFbd2d4XtdqMEXNK1Nd31x6l.exe"6⤵
-
-
-
C:\Users\Admin\Documents\o1SwTAA6i78DONhgxQGENwPo.exe"C:\Users\Admin\Documents\o1SwTAA6i78DONhgxQGENwPo.exe"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed06c0310f7c9.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed06c0310f7c9.exeWed06c0310f7c9.exe4⤵
-
C:\Users\Admin\AppData\Roaming\3876105.exe"C:\Users\Admin\AppData\Roaming\3876105.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\3981768.exe"C:\Users\Admin\AppData\Roaming\3981768.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\1548569.exe"C:\Users\Admin\AppData\Roaming\1548569.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\8326554.exe"C:\Users\Admin\AppData\Roaming\8326554.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\5433641.exe"C:\Users\Admin\AppData\Roaming\5433641.exe"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed0677c055f84f3.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed0677c055f84f3.exeWed0677c055f84f3.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1980 -s 13927⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\2929850.exe"C:\Users\Admin\AppData\Roaming\2929850.exe"7⤵
-
-
C:\Users\Admin\AppData\Roaming\3389749.exe"C:\Users\Admin\AppData\Roaming\3389749.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed069ea7b9fa22d66d.exe"C:\Users\Admin\AppData\Local\Temp\7zS8D586684\Wed069ea7b9fa22d66d.exe" -u1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
29.4MB
-
Filesize
1.2MB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
96KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB