Overview

overview

10

Static

static

438215ec55...04.exe

windows7_x64

10

438215ec55...04.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-09-2021 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    438215ec552fef4a43a10c331d658c04.exe

  • Size

    128KB

  • MD5

    438215ec552fef4a43a10c331d658c04

  • SHA1

    a4941168e1269993b195b84fa272870c58bd6c10

  • SHA256

    e01749cfd587ae7029247ef900df2eb0e89e2fc594ca665d460a73bfa9564647

  • SHA512

    a3da5a1969e2166e3c0091c749f171c7c8ac915fe12873fce81af7d4f3fc5fab609f3b5cefbafde4b617fa4c64745b7a7e50d6194acfb1850c13b8e13accf302

Score
10/10
redlinesmokeloader5k superstar@dcm4gentoobackdoordiscoveryinfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

5k superstar

C2

narlelalik.xyz:12509

Extracted

Family

redline

Botnet

@Dcm4Gentoo

C2

5.61.61.168:14462

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe
    "C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe
      "C:\Users\Admin\AppData\Local\Temp\438215ec552fef4a43a10c331d658c04.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2636
  • C:\Users\Admin\AppData\Local\Temp\E9D9.exe
    C:\Users\Admin\AppData\Local\Temp\E9D9.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3040
  • C:\Users\Admin\AppData\Local\Temp\F38E.exe
    C:\Users\Admin\AppData\Local\Temp\F38E.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c cmd < Disegnato.accdt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\cmd.exe
        cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^jdBXEbiICLfWHIEKiKDpCGJMhheipdUFFbTuIYbnunkESZAKxLCvDshGHOJdxqnjRKspPbwohtetxtThNsMbNbwgpjnTfutuZYMoIdVXJxpmgpkCUcCehqnzJrZDZoTuqWycaLEb$" Sottrarre.accdt
          4⤵
            PID:1288
          • C:\Users\Admin\AppData\Roaming\Mio.exe.com
            Mio.exe.com W
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:884
            • C:\Users\Admin\AppData\Roaming\Mio.exe.com
              C:\Users\Admin\AppData\Roaming\Mio.exe.com W
              5⤵
              • Executes dropped EXE
              • Drops startup file
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1460
              • C:\Users\Admin\AppData\Roaming\RegAsm.exe
                C:\Users\Admin\AppData\Roaming\RegAsm.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3140
                • C:\Users\Admin\AppData\Local\Temp\file.exe
                  "C:\Users\Admin\AppData\Local\Temp\file.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:2704
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd" /c cmd < Fai.docm
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2408
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1908
                      • C:\Windows\SysWOW64\findstr.exe
                        findstr /V /R "^GOSDsHyjVXPbHfUPrvXbfGmmRjqhEkBpmOaXJUKhlpsdBcqWKjtUUPkqgaMyGSIJcGXTWWupMKjygoYcktDaiHgKCaJdiEHaBIUVbiZOuUolCyMyxsU$" Per.docm
                        10⤵
                          PID:2976
                        • C:\Users\Admin\AppData\Roaming\Prime.exe.com
                          Prime.exe.com P
                          10⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:1616
                          • C:\Users\Admin\AppData\Roaming\Prime.exe.com
                            C:\Users\Admin\AppData\Roaming\Prime.exe.com P
                            11⤵
                            • Executes dropped EXE
                            • Drops startup file
                            • Suspicious use of SetThreadContext
                            • Suspicious use of WriteProcessMemory
                            PID:1488
                            • C:\Users\Admin\AppData\Roaming\Prime.exe.com
                              C:\Users\Admin\AppData\Roaming\Prime.exe.com
                              12⤵
                                PID:936
                              • C:\Windows\system32\WerFault.exe
                                C:\Windows\system32\WerFault.exe -u -p 1488 -s 800
                                12⤵
                                • Program crash
                                PID:3696
                          • C:\Windows\SysWOW64\PING.EXE
                            ping localhost
                            10⤵
                            • Runs ping.exe
                            PID:1916
              • C:\Windows\SysWOW64\PING.EXE
                ping localhost
                4⤵
                • Runs ping.exe
                PID:1292
        • C:\Users\Admin\AppData\Local\Temp\FC98.exe
          C:\Users\Admin\AppData\Local\Temp\FC98.exe
          1⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
            2⤵
              PID:1252
            • C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
              C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
              2⤵
              • Executes dropped EXE
              PID:432

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/432-762-0x00000178F4730000-0x00000178F4732000-memory.dmp

            Filesize

            8KB

            Download

          • memory/432-756-0x0000000000400000-0x000000000041C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/856-173-0x0000000001690000-0x0000000001692000-memory.dmp

            Filesize

            8KB

            Download

          • memory/856-751-0x0000000001940000-0x0000000001979000-memory.dmp

            Filesize

            228KB

            Download

          • memory/856-154-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/856-755-0x0000000001980000-0x000000000199B000-memory.dmp

            Filesize

            108KB

            Download

          • memory/936-754-0x000001C09A6C0000-0x000001C09A734000-memory.dmp

            Filesize

            464KB

            Download

          • memory/1252-742-0x000001B35A530000-0x000001B35A532000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1252-743-0x000001B35A533000-0x000001B35A535000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1252-752-0x000001B35A536000-0x000001B35A538000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1460-344-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1488-753-0x0000016780D60000-0x0000016780D61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2428-117-0x0000000000430000-0x00000000004DE000-memory.dmp

            Filesize

            696KB

            Download

          • memory/2636-115-0x0000000000400000-0x0000000000409000-memory.dmp

            Filesize

            36KB

            Download

          • memory/3028-118-0x0000000000EB0000-0x0000000000EC5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/3040-140-0x0000000002190000-0x00000000021AF000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3040-152-0x00000000055E0000-0x00000000055E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-141-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-142-0x0000000004980000-0x000000000499E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3040-144-0x0000000000400000-0x0000000000454000-memory.dmp

            Filesize

            336KB

            Download

          • memory/3040-143-0x0000000000590000-0x00000000006DA000-memory.dmp

            Filesize

            1.3MB

            Download

          • memory/3040-146-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-147-0x0000000004AC2000-0x0000000004AC3000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-343-0x0000000008640000-0x0000000008641000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-342-0x0000000007430000-0x0000000007431000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-341-0x0000000007410000-0x0000000007411000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-340-0x0000000007200000-0x0000000007201000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-339-0x0000000007110000-0x0000000007111000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-338-0x0000000006B00000-0x0000000006B01000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-337-0x0000000006930000-0x0000000006931000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-148-0x0000000004AC3000-0x0000000004AC4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-145-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-149-0x0000000004A30000-0x0000000004A31000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-170-0x0000000004AC4000-0x0000000004AC6000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3040-156-0x0000000004A60000-0x0000000004A61000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3040-164-0x0000000005710000-0x0000000005711000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3140-345-0x0000000000540000-0x0000000000562000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3140-355-0x0000000004AF0000-0x00000000050F6000-memory.dmp

            Filesize

            6.0MB

            Download

          • memory/3140-354-0x0000000004C50000-0x0000000004C51000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-604-0x000001E29F240000-0x000001E29F241000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-171-0x000001E29E896000-0x000001E29E898000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3756-174-0x000001E29E890000-0x000001E29E892000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3756-175-0x000001E29E893000-0x000001E29E895000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3756-163-0x000001E29E810000-0x000001E29E811000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-167-0x000001E29F2B0000-0x000001E29F2B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-375-0x000001E29E880000-0x000001E29E881000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-560-0x000001E29F260000-0x000001E29F261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-580-0x000001E29F260000-0x000001E29F261000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3756-679-0x000001E29E898000-0x000001E29E89A000-memory.dmp

            Filesize

            8KB

            Download