Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    27-11-2021 09:07

General

  • Target

    d5039ace0bf17c9f55a90224a4eb0f14.exe

  • Size

    284KB

  • MD5

    d5039ace0bf17c9f55a90224a4eb0f14

  • SHA1

    ed15c1c1eced5f7fe76ec849fec49f00749f8ce2

  • SHA256

    0e162233b79a835f69c38cc9a5c6e19e83b48ecefce9f1e22d41b44e5150cbfc

  • SHA512

    5d677206c1cc2241451b79a1ecb7f382681853b3fa0567e6ad827e65d43298fcb298689a09cd8b6c713f1e00ef991a3aabe859d42416f1434103c1b331152829

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://nalirou70.top/

http://xacokuo80.top/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38655

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5039ace0bf17c9f55a90224a4eb0f14.exe
    "C:\Users\Admin\AppData\Local\Temp\d5039ace0bf17c9f55a90224a4eb0f14.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Local\Temp\d5039ace0bf17c9f55a90224a4eb0f14.exe
      "C:\Users\Admin\AppData\Local\Temp\d5039ace0bf17c9f55a90224a4eb0f14.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:772
  • C:\Users\Admin\AppData\Local\Temp\C64B.exe
    C:\Users\Admin\AppData\Local\Temp\C64B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zgvyvptq\
      2⤵
      PID:684
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cpyvwbna.exe" C:\Windows\SysWOW64\zgvyvptq\
      2⤵
      PID:1260
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create zgvyvptq binPath= "C:\Windows\SysWOW64\zgvyvptq\cpyvwbna.exe /d\"C:\Users\Admin\AppData\Local\Temp\C64B.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:2020
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description zgvyvptq "wifi internet conection"
      2⤵
      PID:2028
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start zgvyvptq
      2⤵
      PID:1904
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:956
  • C:\Users\Admin\AppData\Local\Temp\C9F4.exe
    C:\Users\Admin\AppData\Local\Temp\C9F4.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\C9F4.exe
      C:\Users\Admin\AppData\Local\Temp\C9F4.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1612
  • C:\Users\Admin\AppData\Local\Temp\D1A3.exe
    C:\Users\Admin\AppData\Local\Temp\D1A3.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1528
  • C:\Windows\SysWOW64\zgvyvptq\cpyvwbna.exe
    C:\Windows\SysWOW64\zgvyvptq\cpyvwbna.exe /d"C:\Users\Admin\AppData\Local\Temp\C64B.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:1996
  • C:\Users\Admin\AppData\Local\Temp\29A3.exe
    C:\Users\Admin\AppData\Local\Temp\29A3.exe
    1⤵
    • Executes dropped EXE
    PID:1016

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (1) T1050
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    New Service (1) T1050
  • Defense Evasion
    Disabling Security Tools (1) T1089
    Modify Registry (2) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (2) T1082
    Peripheral Device Discovery (1) T1120
  • Collection
    Data from Local System (1) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\29A3.exe
    MD5: 31d77dcb4829ac33c2089715a8c3b5b6
    SHA1: 72c051dcc8dc6a0a6aa0a90edf59b54ec35b1f7d
    SHA256: 45670332cd565c8a0c773c8c60e0c8cbd95d9484e0eb979aac9cc3f23734ceba
    SHA512: fccbdb83c6d01cdb16ebc899ab5250d10ecc83687755373ac6ffc6ac9e362f8e0bceaf51280c251f6ce1041b4f6bf32431b035799072d294fb12b417c8399e3f

  • C:\Users\Admin\AppData\Local\Temp\C64B.exe
    MD5: ac7988f4e59d807f41a4a2163538fd46
    SHA1: ab29b1ea7a76e8c9dfb61a8827e3c617416df95f
    SHA256: 0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2
    SHA512: cd9441be653eac1eb54647abbca76162abdf2618b44ded7b710e9a5fb5af5a1f4bb221f1e85e4ede43c66ea60e0a82d2ce627414b93f731478f9c5fff2cf5130

  • C:\Users\Admin\AppData\Local\Temp\C9F4.exe
    MD5: 3c4c5a6892f8a80d51f8569f2890e22d
    SHA1: 96b9f631ea21ad54d1028c0d8957582d8c28eb6f
    SHA256: 5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040
    SHA512: 56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

  • C:\Users\Admin\AppData\Local\Temp\D1A3.exe
    MD5: 646cc8edbe849bf17c1694d936f7ae6b
    SHA1: 68b8e56cd63da79a8ace5c70f22cd0a6b3672497
    SHA256: 836e9de6ff5057a4964402ed5a9695e270a7db9e0d8b756a99203befa70fc4b7
    SHA512: 92df2e2fcfc8c0c2789222966f09b1c295e2b4d2f5d86a10d513dd05749507792d3df78b5f1d605517bba86cbc48c7ba6c9b54d8aba246a1b2cc0a75f626d9d1

  • C:\Users\Admin\AppData\Local\Temp\cpyvwbna.exe
    MD5: eb57d4bf0561296d096b4c0bb232d0dc
    SHA1: 67508f77708af53bece267ce7db2c9b1b9cb7682
    SHA256: ea23c75c21e94d24a5b6c816b86de47dc6d988ecff3c88ba28f7f0bcd58e0901
    SHA512: cb65873c18a8446187294f62d826aefc51081b93c6d7bae2d77874dcb67eea6a6d0b7ac135aedefc45b810dfc96a4ed8c68dbe32b323c4a2460b013f503cbdc2

  • C:\Windows\SysWOW64\zgvyvptq\cpyvwbna.exe
    MD5: eb57d4bf0561296d096b4c0bb232d0dc
    SHA1: 67508f77708af53bece267ce7db2c9b1b9cb7682
    SHA256: ea23c75c21e94d24a5b6c816b86de47dc6d988ecff3c88ba28f7f0bcd58e0901
    SHA512: cb65873c18a8446187294f62d826aefc51081b93c6d7bae2d77874dcb67eea6a6d0b7ac135aedefc45b810dfc96a4ed8c68dbe32b323c4a2460b013f503cbdc2

  • \Users\Admin\AppData\Local\Temp\C9F4.exe
    MD5: 3c4c5a6892f8a80d51f8569f2890e22d
    SHA1: 96b9f631ea21ad54d1028c0d8957582d8c28eb6f
    SHA256: 5fddbbc0ae0862882e1232713df378fb43658b7bf71361d91a9474e95dd02040
    SHA512: 56cdf3512136485776c0fb7850497f0b6e735fe666b8df97dbabc55cc68f52ca1618c5ec0fceafe565881da699efc614c05365310cbec9122e5349a28296095f

  • memory/684-81-0x0000000000000000-mapping.dmp
  • memory/772-58-0x0000000075C21000-0x0000000075C23000-memory.dmp (Filesize 8KB)
  • memory/772-57-0x0000000000402DC6-mapping.dmp
  • memory/772-56-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize 32KB)
  • memory/932-107-0x0000000000400000-0x000000000322A000-memory.dmp (Filesize 46.2MB)
  • memory/932-101-0x00000000002AB000-0x00000000002BC000-memory.dmp (Filesize 68KB)
  • memory/956-97-0x0000000000000000-mapping.dmp
  • memory/1016-108-0x0000000000000000-mapping.dmp
  • memory/1260-82-0x0000000000000000-mapping.dmp
  • memory/1272-60-0x0000000002B40000-0x0000000002B56000-memory.dmp (Filesize 88KB)
  • memory/1272-96-0x0000000004210000-0x0000000004226000-memory.dmp (Filesize 88KB)
  • memory/1528-68-0x0000000000000000-mapping.dmp
  • memory/1528-73-0x0000000000230000-0x0000000000239000-memory.dmp (Filesize 36KB)
  • memory/1528-75-0x0000000000400000-0x000000000042C000-memory.dmp (Filesize 176KB)
  • memory/1528-72-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize 36KB)
  • memory/1556-74-0x000000000331B000-0x000000000332C000-memory.dmp (Filesize 68KB)
  • memory/1556-79-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize 76KB)
  • memory/1556-61-0x0000000000000000-mapping.dmp
  • memory/1556-80-0x0000000000400000-0x000000000322A000-memory.dmp (Filesize 46.2MB)
  • memory/1608-63-0x0000000000000000-mapping.dmp
  • memory/1608-66-0x0000000000F60000-0x0000000000F61000-memory.dmp (Filesize 4KB)
  • memory/1608-71-0x0000000000F20000-0x0000000000F21000-memory.dmp (Filesize 4KB)
  • memory/1612-100-0x0000000004960000-0x0000000004961000-memory.dmp (Filesize 4KB)
  • memory/1612-85-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1612-93-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1612-91-0x0000000000418EEE-mapping.dmp
  • memory/1612-89-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1612-88-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1612-87-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1612-86-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize 128KB)
  • memory/1620-59-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize 36KB)
  • memory/1620-55-0x0000000001D1B000-0x0000000001D2C000-memory.dmp (Filesize 68KB)
  • memory/1904-95-0x0000000000000000-mapping.dmp
  • memory/1996-103-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
  • memory/1996-105-0x0000000000089A6B-mapping.dmp
  • memory/1996-104-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize 84KB)
  • memory/2020-84-0x0000000000000000-mapping.dmp
  • memory/2028-90-0x0000000000000000-mapping.dmp