Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    21-11-2021 10:23

General

  • Target

    333942acbd4a57d7f0e5410ecf076d2a.exe

  • Size

    335KB

  • MD5

    333942acbd4a57d7f0e5410ecf076d2a

  • SHA1

    ecfc7328cf9181b1ddec51149895d13f6109e7f4

  • SHA256

    ee33a3b6f160ac159547272bf6aa0726b3c89ef256961fad3cc45c9220aacff7

  • SHA512

    e566bb448736b32461b7ec5066ba4197bc9d468718709a753e677c40f0e65c41f5e669293224f049d318dee4e0177e4e6652aed15a746b409788feea11609b0b

Malware Config

  • Extracted
    Family: smokeloader
    Version: 2020
    C2:
      http://host-file-host6.com/
      http://host-host-file8.com/
    rc4.i32
    rc4.i32

  • Extracted
    Family: tofsee
    C2:
      quadoil.ru
      lakeflex.ru

  • Extracted
    Family: redline
    C2:
      185.159.80.90:38637

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but that is a generic signature note: the payloads identified in this run are a loader (SmokeLoader), a backdoor/botnet (Tofsee), an infostealer (RedLine) and an XMRig miner, and no file-encryption activity is reported.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\333942acbd4a57d7f0e5410ecf076d2a.exe
    "C:\Users\Admin\AppData\Local\Temp\333942acbd4a57d7f0e5410ecf076d2a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\333942acbd4a57d7f0e5410ecf076d2a.exe
      "C:\Users\Admin\AppData\Local\Temp\333942acbd4a57d7f0e5410ecf076d2a.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:568
  • C:\Users\Admin\AppData\Local\Temp\976F.exe
    C:\Users\Admin\AppData\Local\Temp\976F.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Users\Admin\AppData\Local\Temp\976F.exe
      C:\Users\Admin\AppData\Local\Temp\976F.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1512
  • C:\Users\Admin\AppData\Local\Temp\A6CB.exe
    C:\Users\Admin\AppData\Local\Temp\A6CB.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nmkjpglb\
      2⤵
      PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uzywmsbq.exe" C:\Windows\SysWOW64\nmkjpglb\
      2⤵
      PID:736
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create nmkjpglb binPath= "C:\Windows\SysWOW64\nmkjpglb\uzywmsbq.exe /d\"C:\Users\Admin\AppData\Local\Temp\A6CB.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1064
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description nmkjpglb "wifi internet conection"
      2⤵
      PID:1788
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start nmkjpglb
      2⤵
      PID:1672
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1844
  • C:\Users\Admin\AppData\Local\Temp\B5AB.exe
    C:\Users\Admin\AppData\Local\Temp\B5AB.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Users\Admin\AppData\Local\Temp\B5AB.exe
      C:\Users\Admin\AppData\Local\Temp\B5AB.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:936
  • C:\Windows\SysWOW64\nmkjpglb\uzywmsbq.exe
    C:\Windows\SysWOW64\nmkjpglb\uzywmsbq.exe /d"C:\Users\Admin\AppData\Local\Temp\A6CB.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      PID:956
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:904
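
The A6CB.exe subtree above is a complete service-persistence chain: a binary is moved out of the user's Temp directory into a freshly created SysWOW64 subdirectory, registered with sc.exe as an auto-start service under a benign display name, started, and an inbound firewall exception is opened for svchost.exe; the service binary then spawns svchost.exe, which spawns a second svchost.exe carrying XMRig pool arguments. (The SysWOW64 image paths against the System32 paths in the command lines are WOW64 file-system redirection of a 32-bit parent, not two different binaries.) The Python below is an added example, not part of the sandbox report or of any of the named malware families: it replays the process records from the tree (PIDs, images, command lines and the SetThreadContext tag are copied from above; the parent links follow the tree indentation) and implements four detections a SOC would want from such a tree. The Proc dataclass, the rule names and the regular expressions are my own.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int                      # 0 = top-level process in the tree
    image: str
    cmdline: str
    tags: frozenset = frozenset()  # only the tag the rules consult is carried


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\System32"
WOW = r"C:\Windows\SysWOW64"
STC = frozenset({"SetThreadContext"})
WALLET = ("9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg"
          "87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000")

# Constructed input: PIDs, images and command lines copied from the tree above,
# parent links from its indentation. "\\" is appended where a command line ends
# in a backslash, which a raw string literal cannot.
PROCS = [
    Proc(1752, 0, TMP + r"\333942acbd4a57d7f0e5410ecf076d2a.exe", "", STC),
    Proc(568, 1752, TMP + r"\333942acbd4a57d7f0e5410ecf076d2a.exe", ""),
    Proc(1540, 0, TMP + r"\976F.exe", "", STC),
    Proc(1512, 1540, TMP + r"\976F.exe", ""),
    Proc(1976, 0, TMP + r"\A6CB.exe", ""),
    Proc(1692, 1976, WOW + r"\cmd.exe",
         f'"{SYS}\\cmd.exe" /C mkdir {WOW}\\nmkjpglb' + "\\"),
    Proc(736, 1976, WOW + r"\cmd.exe",
         f'"{SYS}\\cmd.exe" /C move /Y "{TMP}\\uzywmsbq.exe" {WOW}\\nmkjpglb' + "\\"),
    Proc(1064, 1976, WOW + r"\sc.exe",
         f'"{SYS}\\sc.exe" create nmkjpglb binPath= "{WOW}\\nmkjpglb\\uzywmsbq.exe '
         f'/d\\"{TMP}\\A6CB.exe\\"" type= own start= auto DisplayName= "wifi support"'),
    Proc(1788, 1976, WOW + r"\sc.exe",
         f'"{SYS}\\sc.exe" description nmkjpglb "wifi internet conection"'),
    Proc(1672, 1976, WOW + r"\sc.exe", f'"{SYS}\\sc.exe" start nmkjpglb'),
    Proc(1844, 1976, WOW + r"\netsh.exe",
         f'"{SYS}\\netsh.exe" advfirewall firewall add rule name="Host-process for '
         f'services of Windows" dir=in action=allow program="{WOW}\\svchost.exe" enable=yes>nul'),
    Proc(1728, 0, TMP + r"\B5AB.exe", "", STC),
    Proc(936, 1728, TMP + r"\B5AB.exe", ""),
    Proc(572, 0, WOW + r"\nmkjpglb\uzywmsbq.exe",
         f'{WOW}\\nmkjpglb\\uzywmsbq.exe /d"{TMP}\\A6CB.exe"', STC),
    Proc(956, 572, WOW + r"\svchost.exe", "svchost.exe", STC),
    Proc(904, 956, WOW + r"\svchost.exe",
         f"svchost.exe -o fastpool.xyz:10060 -u {WALLET} -p x -k -a cn/half"),
]


def staged_services(procs):
    """sc.exe 'create' whose binPath lies in a directory that a sibling
    'cmd /C move' populated from the user's Temp directory: {name: exe}."""
    moved = {}                      # (parent pid, destination dir) -> source
    for p in procs:
        if m := re.search(r'move\s+/Y\s+"([^"]+)"\s+(\S+)', p.cmdline, re.I):
            moved[(p.ppid, m[2].rstrip("\\").lower())] = m[1]
    found = {}
    for p in procs:
        m = re.search(r'\bcreate\s+(\S+)\s+binPath=\s*"(.+?)"\s+type=', p.cmdline, re.I)
        if not m:
            continue
        exe = m[2].split(".exe")[0] + ".exe"        # drop the /d"..." argument
        src = moved.get((p.ppid, ntpath.dirname(exe).lower()), "")
        if r"\appdata\local\temp" in src.lower():
            found[m[1]] = exe
    return found


def firewall_allows_for_system_binaries(procs):
    """netsh 'add rule ... action=allow' entries whose program= is a binary
    under System32 or SysWOW64 (here svchost.exe): [(rule name, program)]."""
    out = []
    for p in procs:
        if not re.search(r"advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b",
                         p.cmdline, re.I):
            continue
        name = re.search(r'name="([^"]+)"', p.cmdline)
        prog = re.search(r'program="([^"]+)"', p.cmdline)
        if prog and prog[1].lower().startswith((SYS.lower(), WOW.lower())):
            out.append((name[1] if name else "", prog[1]))
    return out


MINER_RE = re.compile(r"-o\s+(?P<pool>[\w.-]+:\d+)\s+-u\s+(?P<wallet>\S+).*?-a\s+(?P<algo>\S+)")


def miner_processes(procs):
    """Processes whose command line carries stratum-style miner options
    (-o pool:port -u wallet ... -a algo): {pid: (image, pool, wallet, algo)}."""
    return {p.pid: (ntpath.basename(p.image), m["pool"], m["wallet"], m["algo"])
            for p in procs if (m := MINER_RE.search(p.cmdline))}


def injection_pairs(procs):
    """(parent pid, child pid, child image) for every child whose parent is flagged
    for SetThreadContext: self-spawned copies and the svchost.exe chain are hollowing candidates."""
    by_pid = {p.pid: p for p in procs}
    return [(p.ppid, p.pid, ntpath.basename(p.image)) for p in procs
            if p.ppid in by_pid and "SetThreadContext" in by_pid[p.ppid].tags]
```

Run against the records above, staged_services returns the nmkjpglb service with its binary in the new SysWOW64 directory, firewall_allows_for_system_binaries returns the "Host-process for services of Windows" rule for svchost.exe, miner_processes returns PID 904 (an svchost.exe image with pool fastpool.xyz:10060 and algorithm cn/half), and injection_pairs returns five parent/child pairs, matching the five SetThreadContext IoCs in the Signatures list. A real svchost.exe is launched by services.exe with a -k group argument; an svchost.exe spawned by a service binary in a user-created directory, or carrying -o/-u/-a options, is the hollowing pattern this tree shows.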

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                            Count  ID
  Persistence            New Service                          1      T1050
  Persistence            Modify Existing Service              1      T1031
  Persistence            Registry Run Keys / Startup Folder   1      T1060
  Privilege Escalation   New Service                          1      T1050
  Defense Evasion        Modify Registry                      1      T1112
  Credential Access      Credentials in Files                 1      T1081
  Discovery              Query Registry                       2      T1012
  Discovery              System Information Discovery         2      T1082
  Discovery              Peripheral Device Discovery          1      T1120
  Collection             Data from Local System               1      T1005

Downloads

              • C:\Users\Admin\AppData\Local\Temp\976F.exe
                MD5

                9b46568f08700e57048272f5cf0ddeb2

                SHA1

                547534f976f42206cb2870a0e1e29b7ae5710232

                SHA256

                65350ee5de866f54845c13472cc7e0257b55715560ff9696ba2d4dc0494991e6

                SHA512

                3b3c0ad90443de710768c830e657a88bf30ed9f01237344e6d2d1316e6c492c5c93430d88cf933ddc0e88cd61900a952ab0d7204231b9faa77251e87c8fa7125

              • C:\Users\Admin\AppData\Local\Temp\A6CB.exe
                MD5

                d9df10e47d902600f92377ef8c6c4e7d

                SHA1

                adde3b92b169157eea7fbd9bcf1b79b74c531da4

                SHA256

                fa78363d3a169b3fae91a745836160e6aa3685d7f24d2e398edb0656c4cd7edd

                SHA512

                68e8bfaca6f385f6a1a3465e5f6b0da99fcd94e0e20170a102b2e94882b7d7e1b048baa567ef02176ea344b631836bca87a7503b07a2182922382032ff905abe

              • C:\Users\Admin\AppData\Local\Temp\B5AB.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • C:\Users\Admin\AppData\Local\Temp\uzywmsbq.exe
                MD5

                09fd254f576211bdb828d8092c1780c9

                SHA1

                da9d4040c5d05aab1faa898a4c9365a730d4e15a

                SHA256

                eb6de256cabbe72738fa1362ad5bf03b95efc8deb909e685d278381f3e4a01a0

                SHA512

                ac3d94dbb774c0383181035e668aa7c4dbfdd761110ecdf30baed2e4a42146545d916608520128de9f078b585c3fae746327934347a9f09cc5d8d1c90725ba64

              • C:\Windows\SysWOW64\nmkjpglb\uzywmsbq.exe
                MD5

                09fd254f576211bdb828d8092c1780c9

                SHA1

                da9d4040c5d05aab1faa898a4c9365a730d4e15a

                SHA256

                eb6de256cabbe72738fa1362ad5bf03b95efc8deb909e685d278381f3e4a01a0

                SHA512

                ac3d94dbb774c0383181035e668aa7c4dbfdd761110ecdf30baed2e4a42146545d916608520128de9f078b585c3fae746327934347a9f09cc5d8d1c90725ba64

              • \Users\Admin\AppData\Local\Temp\976F.exe
                MD5

                9b46568f08700e57048272f5cf0ddeb2

                SHA1

                547534f976f42206cb2870a0e1e29b7ae5710232

                SHA256

                65350ee5de866f54845c13472cc7e0257b55715560ff9696ba2d4dc0494991e6

                SHA512

                3b3c0ad90443de710768c830e657a88bf30ed9f01237344e6d2d1316e6c492c5c93430d88cf933ddc0e88cd61900a952ab0d7204231b9faa77251e87c8fa7125

              • \Users\Admin\AppData\Local\Temp\B5AB.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • memory/568-58-0x0000000075A61000-0x0000000075A63000-memory.dmp
                Filesize

                8KB

              • memory/568-56-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

              • memory/568-57-0x0000000000402DD8-mapping.dmp
              • memory/572-104-0x0000000002BF8000-0x0000000002C09000-memory.dmp
                Filesize

                68KB

              • memory/572-110-0x0000000000400000-0x0000000002B4D000-memory.dmp
                Filesize

                39.3MB

              • memory/736-84-0x0000000000000000-mapping.dmp
              • memory/904-111-0x0000000000080000-0x0000000000171000-memory.dmp
                Filesize

                964KB

              • memory/904-116-0x000000000011259C-mapping.dmp
              • memory/904-112-0x0000000000080000-0x0000000000171000-memory.dmp
                Filesize

                964KB

              • memory/936-102-0x00000000049A0000-0x00000000049A1000-memory.dmp
                Filesize

                4KB

              • memory/936-92-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/936-95-0x0000000000418EEA-mapping.dmp
              • memory/936-94-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/936-97-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/936-93-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/936-90-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/936-91-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/956-108-0x00000000000C9A6B-mapping.dmp
              • memory/956-107-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/956-106-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/1064-88-0x0000000000000000-mapping.dmp
              • memory/1260-60-0x0000000002A60000-0x0000000002A76000-memory.dmp
                Filesize

                88KB

              • memory/1260-87-0x00000000038A0000-0x00000000038B6000-memory.dmp
                Filesize

                88KB

              • memory/1512-69-0x0000000000402DD8-mapping.dmp
              • memory/1540-61-0x0000000000000000-mapping.dmp
              • memory/1540-65-0x0000000002C98000-0x0000000002CA9000-memory.dmp
                Filesize

                68KB

              • memory/1672-98-0x0000000000000000-mapping.dmp
              • memory/1692-83-0x0000000000000000-mapping.dmp
              • memory/1728-75-0x0000000000990000-0x0000000000991000-memory.dmp
                Filesize

                4KB

              • memory/1728-80-0x0000000004A80000-0x0000000004A81000-memory.dmp
                Filesize

                4KB

              • memory/1728-72-0x0000000000000000-mapping.dmp
              • memory/1752-55-0x0000000002CBB000-0x0000000002CCC000-memory.dmp
                Filesize

                68KB

              • memory/1752-59-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

              • memory/1788-89-0x0000000000000000-mapping.dmp
              • memory/1844-101-0x0000000000000000-mapping.dmp
              • memory/1976-81-0x0000000000020000-0x0000000000033000-memory.dmp
                Filesize

                76KB

              • memory/1976-86-0x0000000000400000-0x0000000002B4D000-memory.dmp
                Filesize

                39.3MB

              • memory/1976-63-0x0000000000000000-mapping.dmp
              • memory/1976-77-0x0000000002CD8000-0x0000000002CE9000-memory.dmp
                Filesize

                68KB
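
The memory/ entries above are of two kinds: region dumps named by PID and address range, each with a Filesize, and one -mapping.dmp per process whose name carries a single address. For the hollowed children (PIDs 568, 936, 904 and 956) that address lies inside one of the same process's region dumps, which is the dump an analyst carves the written-in payload from. The Python below is an added example, not part of the sandbox output: it takes a subset of the artefact names and sizes copied from the list above as constructed input, pairs each mapping address with the region that contains it, and cross-checks every listed Filesize against the region bounds. The regular expressions and the function names (parse, human_size, size_mismatches, payload_regions) are my own.

```python
import re

REGION_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp")

# Constructed input: a subset of the memory/ artefacts listed above, with the
# Filesize the report shows next to each region dump (None for mapping dumps).
ARTEFACTS = [
    ("memory/568-58-0x0000000075A61000-0x0000000075A63000-memory.dmp", "8KB"),
    ("memory/568-56-0x0000000000400000-0x0000000000409000-memory.dmp", "36KB"),
    ("memory/568-57-0x0000000000402DD8-mapping.dmp", None),
    ("memory/572-110-0x0000000000400000-0x0000000002B4D000-memory.dmp", "39.3MB"),
    ("memory/904-111-0x0000000000080000-0x0000000000171000-memory.dmp", "964KB"),
    ("memory/904-116-0x000000000011259C-mapping.dmp", None),
    ("memory/936-92-0x0000000000400000-0x0000000000420000-memory.dmp", "128KB"),
    ("memory/936-95-0x0000000000418EEA-mapping.dmp", None),
    ("memory/956-108-0x00000000000C9A6B-mapping.dmp", None),
    ("memory/956-107-0x00000000000C0000-0x00000000000D5000-memory.dmp", "84KB"),
    ("memory/1064-88-0x0000000000000000-mapping.dmp", None),
    ("memory/1752-59-0x0000000000220000-0x0000000000229000-memory.dmp", "36KB"),
]


def parse(artefacts):
    """Split artefact names into region dumps (pid, start, end, name, size)
    and mapping dumps (pid, address, name)."""
    regions, mappings = [], []
    for name, size in artefacts:
        if m := REGION_RE.fullmatch(name):
            regions.append((int(m[1]), int(m[2], 16), int(m[3], 16), name, size))
        elif m := MAPPING_RE.fullmatch(name):
            mappings.append((int(m[1]), int(m[2], 16), name))
    return regions, mappings


def human_size(n):
    """Render a byte count the way the report does: whole KB, or MB to one decimal."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def size_mismatches(artefacts):
    """Region dumps whose listed Filesize disagrees with end - start."""
    regions, _ = parse(artefacts)
    return [name for _, lo, hi, name, size in regions if human_size(hi - lo) != size]


def payload_regions(artefacts):
    """For each mapping dump, the region dump of the same PID that contains its
    address: {pid: (start, end, region dump name)}, or None when no listed
    region of that PID contains it (the address-zero mappings)."""
    regions, mappings = parse(artefacts)
    out = {}
    for pid, addr, _ in mappings:
        out[pid] = next(((lo, hi, name) for rpid, lo, hi, name, _ in regions
                         if rpid == pid and lo <= addr < hi), None)
    return out
```

On this input size_mismatches is empty (every Filesize matches its range, including the 39.3MB region in PID 572), and payload_regions maps 568 to the 36KB image at 0x400000, 936 to the 128KB image at 0x400000, 904 to the 964KB region at 0x80000 and 956 to the 84KB region at 0xC0000, while the address-zero mapping for sc.exe (PID 1064) has no enclosing region. The 36KB region at 0x220000 in the parent PID 1752 is the same size as the 36KB image in its child 568, consistent with a payload staged in the parent before being written into the hollowed child.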