redline | 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769

Analysis

max time kernel
152s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
07-09-2021 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
Size

247KB
MD5

743bcc99b15c971e0269cb3376c9ff69
SHA1

5ea7dcffcda6cdf903fe4de53b753f7db2049e4f
SHA256

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769
SHA512

0211a908c078ee0a7cb57d938c80602191a558069d37ae01397a0cc5637025d3a96e418b2b8f4d83943a5b9999c9338e5489e292117accb00dd4685f5eb684e9

Score

10^/10

redline smokeloader zzzzz backdoor discovery evasion infostealer persistence spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/

rc4.i32

Extracted

Family

redline

Botnet

Zzzzz

185.167.97.37:30904

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4508-176-0x00000000001A0000-0x00000000001C2000-memory.dmp	family_redline
behavioral1/memory/4508-186-0x00000000048F0000-0x0000000004EF6000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Known Sinkhole Response Header
suricata: ET MALWARE Known Sinkhole Response Header
suricata

Core1 .NET packer 1 IoCs

Detects packer/loader used by .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/3956-124-0x000000001D030000-0x000000001D257000-memory.dmp	Core1

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

F33F.exeF6CA.exeFDB1.exe1B9.exeVersato.exe.comVersato.exe.comRegAsm.exe

pid process

3956 F33F.exe
4172 F6CA.exe
856 FDB1.exe
1084 1B9.exe
2472 Versato.exe.com
2872 Versato.exe.com
4508 RegAsm.exe

pid	process
3956	F33F.exe
4172	F6CA.exe
856	FDB1.exe
1084	1B9.exe
2472	Versato.exe.com
2872	Versato.exe.com
4508	RegAsm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FDB1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FDB1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FDB1.exe

Deletes itself 1 IoCs

Processes:

pid process

3048
Drops startup file 1 IoCs

Processes:

Versato.exe.com

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmpVRlruOk.url Versato.exe.com
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3048

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TmpVRlruOk.url	Versato.exe.com

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FDB1.exe	themida
C:\Users\Admin\AppData\Local\Temp\FDB1.exe	themida
behavioral1/memory/856-141-0x0000000000D60000-0x0000000000D61000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

F33F.exe1B9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\mnau3y13masd132.exe = "C:\\Users\\Admin\\AppData\\Roaming\\mnau3y13masd132.exe"	F33F.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1B9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1B9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

FDB1.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FDB1.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

FDB1.exe

pid process

856 FDB1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FDB1.exe

pid	process
856	FDB1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exeVersato.exe.com

description	pid	process	target process
PID 4648 set thread context of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 2872 set thread context of 4508	2872	Versato.exe.com	RegAsm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3416 4172 WerFault.exe F6CA.exe

pid	pid_target	process	target process
3416	4172	WerFault.exe	F6CA.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2624 PING.EXE

pid	process
2624	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe

pid	process
2036	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
2036	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe

pid process

2036 8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

F33F.exeF6CA.exeFDB1.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3956	F33F.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeDebugPrivilege	4172	F6CA.exe
Token: SeDebugPrivilege	856	FDB1.exe
Token: SeRestorePrivilege	3416	WerFault.exe
Token: SeBackupPrivilege	3416	WerFault.exe
Token: SeDebugPrivilege	3416	WerFault.exe
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

Versato.exe.comVersato.exe.com

pid	process
2472	Versato.exe.com
3048
3048
2472	Versato.exe.com
2472	Versato.exe.com
3048
3048
2872	Versato.exe.com
3048
3048
2872	Versato.exe.com
2872	Versato.exe.com
3048
3048

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Versato.exe.comVersato.exe.com

pid process

2472 Versato.exe.com
2472 Versato.exe.com
2472 Versato.exe.com
2872 Versato.exe.com
2872 Versato.exe.com
2872 Versato.exe.com
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious use of WriteProcessMemory 58 IoCs

Processes:

8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exeF33F.exe1B9.execmd.execmd.exeVersato.exe.comVersato.exe.com

description	pid	process	target process
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 4648 wrote to memory of 2036	4648	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe	8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
PID 3048 wrote to memory of 3956	3048		F33F.exe
PID 3048 wrote to memory of 3956	3048		F33F.exe
PID 3048 wrote to memory of 4172	3048		F6CA.exe
PID 3048 wrote to memory of 4172	3048		F6CA.exe
PID 3048 wrote to memory of 4172	3048		F6CA.exe
PID 3956 wrote to memory of 4124	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 4124	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 4124	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3216	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3216	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3216	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3344	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3344	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 3344	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 492	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 492	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 492	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 508	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 508	3956	F33F.exe	explorer.exe
PID 3956 wrote to memory of 508	3956	F33F.exe	explorer.exe
PID 3048 wrote to memory of 856	3048		FDB1.exe
PID 3048 wrote to memory of 856	3048		FDB1.exe
PID 3048 wrote to memory of 856	3048		FDB1.exe
PID 3048 wrote to memory of 1084	3048		1B9.exe
PID 3048 wrote to memory of 1084	3048		1B9.exe
PID 3048 wrote to memory of 1084	3048		1B9.exe
PID 1084 wrote to memory of 1580	1084	1B9.exe	dllhost.exe
PID 1084 wrote to memory of 1580	1084	1B9.exe	dllhost.exe
PID 1084 wrote to memory of 1580	1084	1B9.exe	dllhost.exe
PID 1084 wrote to memory of 1768	1084	1B9.exe	cmd.exe
PID 1084 wrote to memory of 1768	1084	1B9.exe	cmd.exe
PID 1084 wrote to memory of 1768	1084	1B9.exe	cmd.exe
PID 1768 wrote to memory of 1528	1768	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1528	1768	cmd.exe	cmd.exe
PID 1768 wrote to memory of 1528	1768	cmd.exe	cmd.exe
PID 1528 wrote to memory of 2200	1528	cmd.exe	findstr.exe
PID 1528 wrote to memory of 2200	1528	cmd.exe	findstr.exe
PID 1528 wrote to memory of 2200	1528	cmd.exe	findstr.exe
PID 1528 wrote to memory of 2472	1528	cmd.exe	Versato.exe.com
PID 1528 wrote to memory of 2472	1528	cmd.exe	Versato.exe.com
PID 1528 wrote to memory of 2472	1528	cmd.exe	Versato.exe.com
PID 1528 wrote to memory of 2624	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 2624	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 2624	1528	cmd.exe	PING.EXE
PID 2472 wrote to memory of 2872	2472	Versato.exe.com	Versato.exe.com
PID 2472 wrote to memory of 2872	2472	Versato.exe.com	Versato.exe.com
PID 2472 wrote to memory of 2872	2472	Versato.exe.com	Versato.exe.com
PID 2872 wrote to memory of 4508	2872	Versato.exe.com	RegAsm.exe
PID 2872 wrote to memory of 4508	2872	Versato.exe.com	RegAsm.exe
PID 2872 wrote to memory of 4508	2872	Versato.exe.com	RegAsm.exe
PID 2872 wrote to memory of 4508	2872	Versato.exe.com	RegAsm.exe
PID 2872 wrote to memory of 4508	2872	Versato.exe.com	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
"C:\Users\Admin\AppData\Local\Temp\8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe
"C:\Users\Admin\AppData\Local\Temp\8e3807c621963a9608f0013814df628e2ceb76e5bebb025704e9042994bf5769.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2036

C:\Users\Admin\AppData\Local\Temp\F33F.exe
C:\Users\Admin\AppData\Local\Temp\F33F.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:4124

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3216

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:3344

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:492

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\F6CA.exe
C:\Users\Admin\AppData\Local\Temp\F6CA.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 1668
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Users\Admin\AppData\Local\Temp\FDB1.exe
C:\Users\Admin\AppData\Local\Temp\FDB1.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Users\Admin\AppData\Local\Temp\1B9.exe
C:\Users\Admin\AppData\Local\Temp\1B9.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
2⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Gia.mp3
2⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CSBfBxeJtRnGYDtOYiuftASpEnuDCCqwzUhWlIXdUdKFIPPXatwfwfBwZaKegniBRvhrdiEfpQxNQhAPJokbAKZrzkXRXVwcpoNkBLGkALukUNkMRVzyhJquvp$" Essere.mp3
4⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
Versato.exe.com g
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com g
5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2872

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
6⤵
- Executes dropped EXE
PID:4508

C:\Windows\SysWOW64\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:2624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B9.exe
MD5
9d34489b28093f8041a0f396f88507ca

SHA1
d150a771aa0a0da4d698dd3b21c1fffaf064cd1c

SHA256
1bc8c25c47dc2b93edd0b858afe89b1da4f4a8e9caeae862f2ce709031cfaa71

SHA512
d29d619e6727362beda2a520e5742b44dd0f1660817be8549d3511b9e755f697433e0da917d2c5e2a9626262ef55fa6c9b240002195e6046c498e1b032f2fa0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F33F.exe
MD5
482ab6ea0fe0ad6bfb42522c807a7fab

SHA1
cf6f9774adbda6c7c6af322482a79b5969983437

SHA256
1a01188d279bb62f8a821309d348e1e95713aaa446075bd796e113ce143e3246

SHA512
c3f5e7f19a0bf9b2e6368323ecb99f14da0726c7d5a8222333bf2e6dd97f112089c15172f6aaed89b8a3203ddc58ecba3ea1148ec415fb397a40c0ca8657350a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F33F.exe
MD5
482ab6ea0fe0ad6bfb42522c807a7fab

SHA1
cf6f9774adbda6c7c6af322482a79b5969983437

SHA256
1a01188d279bb62f8a821309d348e1e95713aaa446075bd796e113ce143e3246

SHA512
c3f5e7f19a0bf9b2e6368323ecb99f14da0726c7d5a8222333bf2e6dd97f112089c15172f6aaed89b8a3203ddc58ecba3ea1148ec415fb397a40c0ca8657350a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6CA.exe
MD5
54e4176aa7edcbc7ed79e0080422998e

SHA1
8ef9a69f2c910e8ff240969800d8972689fa4d7d

SHA256
9607df8f5c805b50ebd812273fe7a4018a7b344b6ac7a01996e3f7f9edd82221

SHA512
7d7af452453146078c49c68fd53ee1003d6809331dfe61d41d39f4d37359d830c28cb2e39c9014d45660d7ff6a79dd0427bc043485b1400cbe8a71bf717b2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\F6CA.exe
MD5
54e4176aa7edcbc7ed79e0080422998e

SHA1
8ef9a69f2c910e8ff240969800d8972689fa4d7d

SHA256
9607df8f5c805b50ebd812273fe7a4018a7b344b6ac7a01996e3f7f9edd82221

SHA512
7d7af452453146078c49c68fd53ee1003d6809331dfe61d41d39f4d37359d830c28cb2e39c9014d45660d7ff6a79dd0427bc043485b1400cbe8a71bf717b2a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDB1.exe
MD5
b9e19795828ab13d5aea6d4b90902c5f

SHA1
3d1fa613d002792deff337a0ef269de793772258

SHA256
1ea15e130e84fbf7f47973b4b593264a7b293bb5590328210c82e1f12a71c13a

SHA512
85d84c0d84e49df0cd92f905d217cc7ae5814c57de9ddd4969f2fc41f61018d8c7130b2a4f046883f3d6929a8465efa2a917b2538141c5a2b60345efc9f74412

Download Submit
C:\Users\Admin\AppData\Local\Temp\FDB1.exe
MD5
b9e19795828ab13d5aea6d4b90902c5f

SHA1
3d1fa613d002792deff337a0ef269de793772258

SHA256
1ea15e130e84fbf7f47973b4b593264a7b293bb5590328210c82e1f12a71c13a

SHA512
85d84c0d84e49df0cd92f905d217cc7ae5814c57de9ddd4969f2fc41f61018d8c7130b2a4f046883f3d6929a8465efa2a917b2538141c5a2b60345efc9f74412

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Alta.mp3
MD5
0862078bc943d82b2a19e2c42f7c0b15

SHA1
7767feb2e3bbe9e2025302964be82e709347f27d

SHA256
462023517b8204ac9a796d4132cde2d550dd153c3b9fd1838ae545f26ea70638

SHA512
ba2041b6c6dae398ce0c3fc6389810db3135ae8188e40dfb4f3e53fd016c57d4f75ee12f874ffffa872e57f873c9864b7d573cbc48186873f037ef9646dcf89c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Essere.mp3
MD5
7fc4287df04cf93bfdb965ed0957f76e

SHA1
a1b1a6dce462d604a779b698d68c3794176202a8

SHA256
53b46b1c3ab80b003fff8ee3c6e6391b5e44e78145aacf0569cc79c1786af482

SHA512
4aecdf3cecf3d5901b44c3ae6f170f806931dc6a334598b15a6ae91f2ab842b9e733c25a18e5c00e1b7f956ce820970e2dbad11b797dc669c0939b348a6ca770

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gia.mp3
MD5
1a585f778eeced5cf7b28ad82c7e5ae1

SHA1
f9d14529790064528ca53865ac61542a3071d3f1

SHA256
213968e88d7a52b444f7681ac58050ab13a6f8f2044b7ca2b15d93af88904bca

SHA512
77db1aa38bbfe146799c4234dc4012a6098f67c9950572c7db0cadfdd945953b9a38ddd837b06efbadd8cbf3e167cd7f1c0d18a33d28c81020b0e8b9ca11c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Nell.mp3
MD5
69a61edc4f1ce200d69583b41f2201a1

SHA1
4e9ab549e0d73eb73faecbafc5261e59eb0ed73f

SHA256
952fd758fa7ffbea320756ad28b6353776de799f0bbffe159e06fd951ba6348d

SHA512
4306290f059c70939c36fb3d69268c3d29fa4d0bf92c2cc4145ca608b4ce11a543506df84af4772f9bbd386921973cd77c47a34caa29c072594153f9ae27ecf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RegAsm.exe
MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Versato.exe.com
MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g
MD5
0862078bc943d82b2a19e2c42f7c0b15

SHA1
7767feb2e3bbe9e2025302964be82e709347f27d

SHA256
462023517b8204ac9a796d4132cde2d550dd153c3b9fd1838ae545f26ea70638

SHA512
ba2041b6c6dae398ce0c3fc6389810db3135ae8188e40dfb4f3e53fd016c57d4f75ee12f874ffffa872e57f873c9864b7d573cbc48186873f037ef9646dcf89c

Download Submit
memory/856-171-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/856-149-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/856-135-0x0000000000000000-mapping.dmp

Download
memory/856-169-0x00000000089A0000-0x00000000089A1000-memory.dmp

Filesize
4KB

Download
memory/856-170-0x00000000090A0000-0x00000000090A1000-memory.dmp

Filesize
4KB

Download
memory/856-153-0x0000000005350000-0x000000000584E000-memory.dmp

Filesize
5.0MB

Download
memory/856-172-0x0000000008C90000-0x0000000008C91000-memory.dmp

Filesize
4KB

Download
memory/856-141-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/856-143-0x0000000077580000-0x000000007770E000-memory.dmp

Filesize
1.6MB

Download
memory/856-145-0x0000000006360000-0x0000000006361000-memory.dmp

Filesize
4KB

Download
memory/856-146-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/856-147-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/856-157-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/856-165-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/856-173-0x0000000008D70000-0x0000000008D71000-memory.dmp

Filesize
4KB

Download
memory/856-174-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/1084-138-0x0000000000000000-mapping.dmp

Download
memory/1528-152-0x0000000000000000-mapping.dmp

Download
memory/1580-148-0x0000000000000000-mapping.dmp

Download
memory/1768-150-0x0000000000000000-mapping.dmp

Download
memory/2036-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2036-116-0x0000000000402E68-mapping.dmp

Download
memory/2200-154-0x0000000000000000-mapping.dmp

Download
memory/2472-158-0x0000000000000000-mapping.dmp

Download
memory/2624-160-0x0000000000000000-mapping.dmp

Download
memory/2872-175-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2872-163-0x0000000000000000-mapping.dmp

Download
memory/3048-117-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/3956-131-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/3956-130-0x000000001C140000-0x000000001C142000-memory.dmp

Filesize
8KB

Download
memory/3956-129-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3956-128-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/3956-121-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/3956-118-0x0000000000000000-mapping.dmp

Download
memory/3956-124-0x000000001D030000-0x000000001D257000-memory.dmp

Filesize
2.2MB

Download
memory/3956-123-0x000000001C550000-0x000000001C82E000-memory.dmp

Filesize
2.9MB

Download
memory/4172-132-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/4172-125-0x0000000000000000-mapping.dmp

Download
memory/4172-168-0x0000000005750000-0x000000000577F000-memory.dmp

Filesize
188KB

Download
memory/4172-167-0x0000000005280000-0x000000000577E000-memory.dmp

Filesize
5.0MB

Download
memory/4172-134-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/4508-176-0x00000000001A0000-0x00000000001C2000-memory.dmp

Filesize
136KB

Download
memory/4508-185-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/4508-186-0x00000000048F0000-0x0000000004EF6000-memory.dmp

Filesize
6.0MB

Download
memory/4648-114-0x0000000002B50000-0x0000000002C9A000-memory.dmp

Filesize
1.3MB

Download