Resubmissions
10/11/2021, 14:50
211110-r7nbvaeddr 1008/11/2021, 16:12
211108-tnmmbahgaj 1008/11/2021, 15:26
211108-svdsbaccf6 1008/11/2021, 14:48
211108-r6lfvshdfn 10Analysis
-
max time kernel
42s -
max time network
182s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
10/11/2021, 14:50
General
-
Target
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
-
Size
3.6MB
-
MD5
9725f7f222530388cb2743504a6e0667
-
SHA1
56d0eb91855e326b050c904147f4d9dafc596d70
-
SHA256
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782
-
SHA512
ea5aedb3c3ab725c9afc65481ef7b59cdfad80613aaf43a8e76ec94045824269b008007644cb7943e65e98a87650f7f980afcd66ae1dee7807d84be57c018663
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
fucker2
C2
135.181.129.119:4805
Extracted
Family
redline
Botnet
media20
C2
91.121.67.60:2151
Extracted
Family
redline
Botnet
Chris
C2
194.104.136.5:46013
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"C:\Users\Admin\AppData\Local\Temp\9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed128c2773227671b3f.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed128c2773227671b3f.exeWed128c2773227671b3f.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed128c2773227671b3f.exeC:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed128c2773227671b3f.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed126ca6605dbec0399.exe /mixone4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed126ca6605dbec0399.exeWed126ca6605dbec0399.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 6566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 6726⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 6326⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 8126⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 868 -s 8886⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12fb2a5c52f05816.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fb2a5c52f05816.exeWed12fb2a5c52f05816.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fb2a5c52f05816.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If """" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fb2a5c52f05816.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fb2a5c52f05816.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "" =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fb2a5c52f05816.exe" ) do taskkill -F -IM "%~nxE"7⤵
-
C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exeVAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCripT:cLOSe ( creaTeoBJeCT ( "wSCrIpT.shell" ).RuN ( "CMd.ExE /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If ""-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm "" =="""" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe"" ) do taskkill -F -IM ""%~nxE"" " ,0 , TRUe ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" VAKlCUnlQu.exe && STArt VAkLCUnlqU.EXe -PRwIZKFgSE6xyUR7ivEyVbD3Oolfm & If "-PRwIZKFgSE6xyUR7ivEyVbD3Oolfm " =="" for %E in ( "C:\Users\Admin\AppData\Local\Temp\VAKlCUnlQu.exe" ) do taskkill -F -IM "%~nxE"10⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F -IM "Wed12fb2a5c52f05816.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1217e6a0ef74ed.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed1217e6a0ef74ed.exeWed1217e6a0ef74ed.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed120b6f5c6d562.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed120b6f5c6d562.exeWed120b6f5c6d562.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-3IMMQ.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-3IMMQ.tmp\Wed120b6f5c6d562.tmp" /SL5="$401D8,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed120b6f5c6d562.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed120b6f5c6d562.exe"C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed120b6f5c6d562.exe" /SILENT7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-J1BFJ.tmp\Wed120b6f5c6d562.tmp"C:\Users\Admin\AppData\Local\Temp\is-J1BFJ.tmp\Wed120b6f5c6d562.tmp" /SL5="$101E4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed120b6f5c6d562.exe" /SILENT8⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12bcd18bdbc441.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12bcd18bdbc441.exeWed12bcd18bdbc441.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1229427acd4bc167.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed1229427acd4bc167.exeWed1229427acd4bc167.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\TnmjnM1ZZm2MgyieVSmrSHYX.exe"C:\Users\Admin\Pictures\Adobe Films\TnmjnM1ZZm2MgyieVSmrSHYX.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\gRA2QPPL5bpPzRaIWhdhT0UI.exe"C:\Users\Admin\Pictures\Adobe Films\gRA2QPPL5bpPzRaIWhdhT0UI.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\qchZRw0j1VBg3_N1toSe8wYa.exe"C:\Users\Admin\Pictures\Adobe Films\qchZRw0j1VBg3_N1toSe8wYa.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\r5ZFkfvKX4GEpQqtXNQdnIRg.exe"C:\Users\Admin\Pictures\Adobe Films\r5ZFkfvKX4GEpQqtXNQdnIRg.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\U2O_VY0sbrEZFWDnhaJ1F_5Y.exe"C:\Users\Admin\Pictures\Adobe Films\U2O_VY0sbrEZFWDnhaJ1F_5Y.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\QyRl9UKsiiriUEG_XzugMD_s.exe"C:\Users\Admin\Pictures\Adobe Films\QyRl9UKsiiriUEG_XzugMD_s.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed129eb9b8859.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed129eb9b8859.exeWed129eb9b8859.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\ZtlV7tpecbKlN7ywkGtPrb5D.exe"C:\Users\Admin\Pictures\Adobe Films\ZtlV7tpecbKlN7ywkGtPrb5D.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\mbqInIlXOIaJazETd9HaW_W1.exe"C:\Users\Admin\Pictures\Adobe Films\mbqInIlXOIaJazETd9HaW_W1.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\l0ZP07NhIxfatLy06iC1uBjn.exe"C:\Users\Admin\Pictures\Adobe Films\l0ZP07NhIxfatLy06iC1uBjn.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\5JgyJlA5YFD9B6nqgwxKZFDH.exe"C:\Users\Admin\Pictures\Adobe Films\5JgyJlA5YFD9B6nqgwxKZFDH.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\u9DUA5bFqGwkYggbJa5W0rAn.exe"C:\Users\Admin\Pictures\Adobe Films\u9DUA5bFqGwkYggbJa5W0rAn.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\WXoVZfjE9GodwSBZtDveYi8G.exe"C:\Users\Admin\Pictures\Adobe Films\WXoVZfjE9GodwSBZtDveYi8G.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\G6y730N_6A6Z8t8B07Mig0yI.exe"C:\Users\Admin\Pictures\Adobe Films\G6y730N_6A6Z8t8B07Mig0yI.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dQxhDLQ7XFdUlM0GQk5bMslv.exe"C:\Users\Admin\Pictures\Adobe Films\dQxhDLQ7XFdUlM0GQk5bMslv.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Ih3TYxGc9rvlILcahDsfEfYr.exe"C:\Users\Admin\Pictures\Adobe Films\Ih3TYxGc9rvlILcahDsfEfYr.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hH6HTasH_I3qIDoHbPqhzjjg.exe"C:\Users\Admin\Pictures\Adobe Films\hH6HTasH_I3qIDoHbPqhzjjg.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\9HXYm1apQxcDXoaS7Qh_WVHu.exe"C:\Users\Admin\Pictures\Adobe Films\9HXYm1apQxcDXoaS7Qh_WVHu.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed121f7e9e92793cf.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed121f7e9e92793cf.exeWed121f7e9e92793cf.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed121f7e9e92793cf.exeC:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed121f7e9e92793cf.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed1241cc206cfb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed1241cc206cfb.exeWed1241cc206cfb.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12ebaf7883e1890d.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12ebaf7883e1890d.exeWed12ebaf7883e1890d.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12fbb08f1dfc28.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12fbb08f1dfc28.exeWed12fbb08f1dfc28.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Wed12859e3c1cf63b6a0.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12859e3c1cf63b6a0.exeWed12859e3c1cf63b6a0.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12859e3c1cf63b6a0.exeC:\Users\Admin\AppData\Local\Temp\7zS06EB9096\Wed12859e3c1cf63b6a0.exe6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 247⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 5004⤵
- Program crash
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
8KB
-
Filesize
696KB
-
Filesize
41.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
41.7MB
-
Filesize
36KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
456KB
-
Filesize
88KB
-
Filesize
136KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
6.0MB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
456KB