Overview

overview

10

Static

static

e2b9b0a78f...74.exe

windows7_x64

10

e2b9b0a78f...74.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    09-11-2021 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2b9b0a78f4b10eb7a8e0852b252d874.exe

  • Size

    222KB

  • MD5

    e2b9b0a78f4b10eb7a8e0852b252d874

  • SHA1

    09162a9552f5fac6a540f09ba23e6f534b9efe72

  • SHA256

    44466730828a6c6496bcf753e1be4e07b35811cc939ac1416cc0809ca547cce2

  • SHA512

    01d2a74325aac0810f052725c498b7b1f60a26d0ea9db9dd6bea6d53af4c6961d3b431462c820917499e41c8a2fb8f86b75112671c04dc201d91dc8d2e7fac41

Score
10/10
redlinesmokeloadertofseexmrignew3backdoorevasioninfostealerminerpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nalirou70.top/

http://xacokuo80.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

new3

C2

93.115.20.139:28978

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2b9b0a78f4b10eb7a8e0852b252d874.exe
    "C:\Users\Admin\AppData\Local\Temp\e2b9b0a78f4b10eb7a8e0852b252d874.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\e2b9b0a78f4b10eb7a8e0852b252d874.exe
      "C:\Users\Admin\AppData\Local\Temp\e2b9b0a78f4b10eb7a8e0852b252d874.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1192
  • C:\Users\Admin\AppData\Local\Temp\CD7C.exe
    C:\Users\Admin\AppData\Local\Temp\CD7C.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:928
    • C:\Users\Admin\AppData\Local\Temp\CD7C.exe
      C:\Users\Admin\AppData\Local\Temp\CD7C.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1924
  • C:\Users\Admin\AppData\Local\Temp\E80F.exe
    C:\Users\Admin\AppData\Local\Temp\E80F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ehdjjlzd\
      2⤵
        PID:1596
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tvpeawsj.exe" C:\Windows\SysWOW64\ehdjjlzd\
        2⤵
          PID:1396
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ehdjjlzd binPath= "C:\Windows\SysWOW64\ehdjjlzd\tvpeawsj.exe /d\"C:\Users\Admin\AppData\Local\Temp\E80F.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1264
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description ehdjjlzd "wifi internet conection"
            2⤵
              PID:2000
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start ehdjjlzd
              2⤵
                PID:816
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1432
              • C:\Windows\SysWOW64\ehdjjlzd\tvpeawsj.exe
                C:\Windows\SysWOW64\ehdjjlzd\tvpeawsj.exe /d"C:\Users\Admin\AppData\Local\Temp\E80F.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1712
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:1944
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1548
              • C:\Users\Admin\AppData\Local\Temp\A4F.exe
                C:\Users\Admin\AppData\Local\Temp\A4F.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1700
                • C:\Users\Admin\AppData\Local\Temp\A4F.exe
                  "C:\Users\Admin\AppData\Local\Temp\A4F.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:1100
              • C:\Users\Admin\AppData\Local\Temp\1F18.exe
                C:\Users\Admin\AppData\Local\Temp\1F18.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:672

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              System Information Discovery

              2
              T1082

              Query Registry

              1
              T1012

              Peripheral Device Discovery

              1
              T1120

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\1F18.exe
                MD5

                08cb82859479b33dc1d0738b985db28c

                SHA1

                2162cec3e4a16e4b9c610004011473965cf300f8

                SHA256

                8db223a1ffa1b3b3788ee9f0e050cc64f7b5cbefa8745e95e00391f7babcce58

                SHA512

                a69a4eacb8ced14dc55fca39d43d6182fe8d600d4da9fb938298fc151866a26777b45a527bcb2cc099d734111dbeb70224ed16e9b590c8b76b057b905eb7c912

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\A4F.exe
                MD5

                ef9cfb2ddc4af2089df63a761ecc7833

                SHA1

                2e44dad28f2131822dcd9b7868c11fb1767c3d4b

                SHA256

                9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

                SHA512

                e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\A4F.exe
                MD5

                ef9cfb2ddc4af2089df63a761ecc7833

                SHA1

                2e44dad28f2131822dcd9b7868c11fb1767c3d4b

                SHA256

                9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

                SHA512

                e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\A4F.exe
                MD5

                ef9cfb2ddc4af2089df63a761ecc7833

                SHA1

                2e44dad28f2131822dcd9b7868c11fb1767c3d4b

                SHA256

                9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

                SHA512

                e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CD7C.exe
                MD5

                9d3a62b79868ae39ca09226fe7b6c173

                SHA1

                4bd4c3effa1a603183ad60fd018cca1ff4b7725a

                SHA256

                b159a129a74cf6de3f0327dce8b003985894f60ff91c2a8aa9a9cf1ddec166f1

                SHA512

                7cc34a63f4e71f4bdc7996a6755ac50ad5de0e505ec33061c87ada7141c0b3830cf811784cc0f2f6330419615888c73533b1b96b44b958ce7f6ad16e3d2decb3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CD7C.exe
                MD5

                9d3a62b79868ae39ca09226fe7b6c173

                SHA1

                4bd4c3effa1a603183ad60fd018cca1ff4b7725a

                SHA256

                b159a129a74cf6de3f0327dce8b003985894f60ff91c2a8aa9a9cf1ddec166f1

                SHA512

                7cc34a63f4e71f4bdc7996a6755ac50ad5de0e505ec33061c87ada7141c0b3830cf811784cc0f2f6330419615888c73533b1b96b44b958ce7f6ad16e3d2decb3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\CD7C.exe
                MD5

                9d3a62b79868ae39ca09226fe7b6c173

                SHA1

                4bd4c3effa1a603183ad60fd018cca1ff4b7725a

                SHA256

                b159a129a74cf6de3f0327dce8b003985894f60ff91c2a8aa9a9cf1ddec166f1

                SHA512

                7cc34a63f4e71f4bdc7996a6755ac50ad5de0e505ec33061c87ada7141c0b3830cf811784cc0f2f6330419615888c73533b1b96b44b958ce7f6ad16e3d2decb3

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\E80F.exe
                MD5

                21fb662c0f159cc3c563dc95f37a8634

                SHA1

                1988167685dff2a81c7a38b3ce868e9537f7ac76

                SHA256

                0fec2ec740ce4ad6416c0db55067a302ed742a25e4fcd9bd8da8bf2097424375

                SHA512

                2fc23b51eaf2af1855d021ebad9b00418c05cf938ee0dd40ec39eb83992752c9bf768d93443bbf4f8565dbc4fe82bc2fbc87a1b50cf7a8acf5df8879c40ec380

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\E80F.exe
                MD5

                21fb662c0f159cc3c563dc95f37a8634

                SHA1

                1988167685dff2a81c7a38b3ce868e9537f7ac76

                SHA256

                0fec2ec740ce4ad6416c0db55067a302ed742a25e4fcd9bd8da8bf2097424375

                SHA512

                2fc23b51eaf2af1855d021ebad9b00418c05cf938ee0dd40ec39eb83992752c9bf768d93443bbf4f8565dbc4fe82bc2fbc87a1b50cf7a8acf5df8879c40ec380

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\tvpeawsj.exe
                MD5

                327783eac023dc49e568c2fcc78d91cc

                SHA1

                a1e0b5c2894503fa61fd115a47c66b482eda0222

                SHA256

                a74f851336d837055661f0e50ffaecb7f9b1144ebab6a3b39ed170a342f3462f

                SHA512

                f1647ce041d2ccdbdfb23711ecf579deba19109cdabbd21b38f828ac06b559a33262ae11b94de45430a5ceca3262a094b87bd5a448e1852dc7cea3211d71bef0

                Download Submit
              • C:\Windows\SysWOW64\ehdjjlzd\tvpeawsj.exe
                MD5

                327783eac023dc49e568c2fcc78d91cc

                SHA1

                a1e0b5c2894503fa61fd115a47c66b482eda0222

                SHA256

                a74f851336d837055661f0e50ffaecb7f9b1144ebab6a3b39ed170a342f3462f

                SHA512

                f1647ce041d2ccdbdfb23711ecf579deba19109cdabbd21b38f828ac06b559a33262ae11b94de45430a5ceca3262a094b87bd5a448e1852dc7cea3211d71bef0

                Download Submit
              • \Users\Admin\AppData\Local\Temp\1105.tmp
                MD5

                d124f55b9393c976963407dff51ffa79

                SHA1

                2c7bbedd79791bfb866898c85b504186db610b5d

                SHA256

                ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

                SHA512

                278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

                Download Submit
              • \Users\Admin\AppData\Local\Temp\A4F.exe
                MD5

                ef9cfb2ddc4af2089df63a761ecc7833

                SHA1

                2e44dad28f2131822dcd9b7868c11fb1767c3d4b

                SHA256

                9fd007de870e23deb778b08af3a01e3dfaf9dfc3483496c438ec734b26d26340

                SHA512

                e95ba94e92470be2b4fcc8fe9e4c128e1e529b3c29c9439fbcfafd972e37bf3ff011b09f7d9fb0ce6e58b39c91f46c5087f433cb9ddda8fa7c319da41427faa2

                Download Submit
              • \Users\Admin\AppData\Local\Temp\CD7C.exe
                MD5

                9d3a62b79868ae39ca09226fe7b6c173

                SHA1

                4bd4c3effa1a603183ad60fd018cca1ff4b7725a

                SHA256

                b159a129a74cf6de3f0327dce8b003985894f60ff91c2a8aa9a9cf1ddec166f1

                SHA512

                7cc34a63f4e71f4bdc7996a6755ac50ad5de0e505ec33061c87ada7141c0b3830cf811784cc0f2f6330419615888c73533b1b96b44b958ce7f6ad16e3d2decb3

                Download Submit
              • memory/672-118-0x0000000000230000-0x0000000000239000-memory.dmp
                Filesize

                36KB

                Download
              • memory/672-117-0x0000000000220000-0x0000000000228000-memory.dmp
                Filesize

                32KB

                Download
              • memory/672-119-0x0000000000400000-0x0000000000442000-memory.dmp
                Filesize

                264KB

                Download
              • memory/672-113-0x0000000000000000-mapping.dmp
                Download
              • memory/748-58-0x0000000000220000-0x0000000000228000-memory.dmp
                Filesize

                32KB

                Download
              • memory/748-59-0x0000000000230000-0x0000000000239000-memory.dmp
                Filesize

                36KB

                Download
              • memory/816-83-0x0000000000000000-mapping.dmp
                Download
              • memory/928-63-0x0000000002C1D000-0x0000000002C2E000-memory.dmp
                Filesize

                68KB

                Download
              • memory/928-61-0x0000000000000000-mapping.dmp
                Download
              • memory/1100-106-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1100-107-0x0000000000418D26-mapping.dmp
                Download
              • memory/1100-112-0x0000000004C10000-0x0000000004C11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1100-110-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1100-103-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1100-104-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1100-105-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1100-102-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

                Download
              • memory/1192-56-0x0000000000402DC6-mapping.dmp
                Download
              • memory/1192-57-0x00000000754F1000-0x00000000754F3000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1192-55-0x0000000000400000-0x0000000000408000-memory.dmp
                Filesize

                32KB

                Download
              • memory/1264-81-0x0000000000000000-mapping.dmp
                Download
              • memory/1272-72-0x0000000002BF0000-0x0000000002C06000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1272-60-0x0000000002A50000-0x0000000002A66000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1272-127-0x0000000003A40000-0x0000000003A56000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1396-79-0x0000000000000000-mapping.dmp
                Download
              • memory/1432-85-0x0000000000000000-mapping.dmp
                Download
              • memory/1548-120-0x0000000000240000-0x0000000000331000-memory.dmp
                Filesize

                964KB

                Download
              • memory/1548-125-0x00000000002D259C-mapping.dmp
                Download
              • memory/1548-121-0x0000000000240000-0x0000000000331000-memory.dmp
                Filesize

                964KB

                Download
              • memory/1596-78-0x0000000000000000-mapping.dmp
                Download
              • memory/1700-92-0x0000000000000000-mapping.dmp
                Download
              • memory/1700-108-0x0000000004830000-0x0000000004831000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1700-100-0x00000000003E0000-0x00000000003F6000-memory.dmp
                Filesize

                88KB

                Download
              • memory/1700-99-0x0000000000340000-0x0000000000341000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1700-97-0x0000000000A30000-0x0000000000A31000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1712-86-0x0000000002C0D000-0x0000000002C1E000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1712-96-0x0000000000400000-0x0000000002B40000-memory.dmp
                Filesize

                39.2MB

                Download
              • memory/1792-77-0x0000000000400000-0x0000000002B40000-memory.dmp
                Filesize

                39.2MB

                Download
              • memory/1792-76-0x0000000000220000-0x0000000000233000-memory.dmp
                Filesize

                76KB

                Download
              • memory/1792-73-0x0000000002C1D000-0x0000000002C2E000-memory.dmp
                Filesize

                68KB

                Download
              • memory/1792-70-0x0000000000000000-mapping.dmp
                Download
              • memory/1924-67-0x0000000000402DC6-mapping.dmp
                Download
              • memory/1944-88-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/1944-90-0x0000000000089A6B-mapping.dmp
                Download
              • memory/1944-89-0x0000000000080000-0x0000000000095000-memory.dmp
                Filesize

                84KB

                Download
              • memory/2000-82-0x0000000000000000-mapping.dmp
                Download