Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25/09/2022, 06:38
General
-
Target
09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198e.exe
-
Size
201KB
-
MD5
9a76263bdedf77a8ad97faa1b2a9c854
-
SHA1
45c5ae31e5251ba15842c7a3495babbcc0f990b8
-
SHA256
09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198ef9b92b6c18c804f0bc1
-
SHA512
0a63808b0f25ae8f3764973bb3abc21c52f4cc740561679fbb68460e5e02db5d25748dbd0539923a622d650afbfb5334d15a240545a7e1afc2f7ed172dd924fe
-
SSDEEP
3072:B3oxmILLxgcZKN5ztq2dPqETOYOJcTO8synzAoRjnBd4/PkIXx:6jLtZ6qIqETOHV8swzAoRH
Malware Config
Extracted
tofsee
svartalfheim.top
jotunheim.name
Extracted
redline
LogsDiller Cloud (TG: @me_golds)
77.73.134.27:7161
-
auth_value
e136da06c7c0400f4091dab1787720ea
Signatures
-
Detects Smokeloader packer 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of WriteProcessMemory 54 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198e.exe"C:\Users\Admin\AppData\Local\Temp\09d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\rhtjsrfC:\Users\Admin\AppData\Roaming\rhtjsrf1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\943C.exeC:\Users\Admin\AppData\Local\Temp\943C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\9789.exeC:\Users\Admin\AppData\Local\Temp\9789.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nkgbczrf\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fpvbuers.exe" C:\Windows\SysWOW64\nkgbczrf\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create nkgbczrf binPath= "C:\Windows\SysWOW64\nkgbczrf\fpvbuers.exe /d\"C:\Users\Admin\AppData\Local\Temp\9789.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description nkgbczrf "wifi internet conection"2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start nkgbczrf2⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 26316 -s 10362⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\9FC7.exeC:\Users\Admin\AppData\Local\Temp\9FC7.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A22A.exeC:\Users\Admin\AppData\Local\Temp\A22A.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\nkgbczrf\fpvbuers.exeC:\Windows\SysWOW64\nkgbczrf\fpvbuers.exe /d"C:\Users\Admin\AppData\Local\Temp\9789.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Sets service image path in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 100580 -s 1922⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 26316 -ip 263161⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 100580 -ip 1005801⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5ea6fee4ce432602e3dd2b849f8396027
SHA15151b46012f637fe7fdbda551be1651009eb453a
SHA256b44181d7365ab6868e1cf0d7127a56862075944099f6f1f965b11f41c78fd75d
SHA512b567449c006248a4311a1a3325279e2d4edfacacb272ae3152b085d3164e722370aa748cbaa3299425ede1e4910218988e88f24de744944903b2001b70e263be
-
Filesize
2.6MB
MD5ea6fee4ce432602e3dd2b849f8396027
SHA15151b46012f637fe7fdbda551be1651009eb453a
SHA256b44181d7365ab6868e1cf0d7127a56862075944099f6f1f965b11f41c78fd75d
SHA512b567449c006248a4311a1a3325279e2d4edfacacb272ae3152b085d3164e722370aa748cbaa3299425ede1e4910218988e88f24de744944903b2001b70e263be
-
Filesize
201KB
MD52e636c990dc2d04cc549d783da6f462e
SHA19095209d363a69b5f4696d2c1de6435dc9745db5
SHA256857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
SHA51222d1b71371f99da9e6211da17feca7e254cf7295b3cc2ab072c6316881ce736c4f5704013b9c03dec72ef098337bb7d5592d5d5cbfed404f76a9aaf945ce9e49
-
Filesize
201KB
MD52e636c990dc2d04cc549d783da6f462e
SHA19095209d363a69b5f4696d2c1de6435dc9745db5
SHA256857e938e8bef854c67fec66d7fbfc7f19e29b81fe4cd8c1e387a9b34918e2f1d
SHA51222d1b71371f99da9e6211da17feca7e254cf7295b3cc2ab072c6316881ce736c4f5704013b9c03dec72ef098337bb7d5592d5d5cbfed404f76a9aaf945ce9e49
-
Filesize
318KB
MD56917d28aae7b190af4cc9e8c82597b99
SHA100ac38f05b4d99691ef09883f7f141a6cd3d4d3a
SHA2565d72a91ee3aeab2a634e8023b2c0530c8429f1151f1e29421ff7a16cec75617d
SHA512e5a2d6d37555a7f06bfd27aa52eb2075b142ffadd155c4e27e76c371ebd01710b4072576d4ae0fabd221a47f6386a44e37bb2097d9db5e88889ea76ed8170fb4
-
Filesize
318KB
MD56917d28aae7b190af4cc9e8c82597b99
SHA100ac38f05b4d99691ef09883f7f141a6cd3d4d3a
SHA2565d72a91ee3aeab2a634e8023b2c0530c8429f1151f1e29421ff7a16cec75617d
SHA512e5a2d6d37555a7f06bfd27aa52eb2075b142ffadd155c4e27e76c371ebd01710b4072576d4ae0fabd221a47f6386a44e37bb2097d9db5e88889ea76ed8170fb4
-
Filesize
365KB
MD51c92b308eeb3ee01d7622de9f8fea0b5
SHA15e5c89f5c6f15bad6b62ca0ea22f6dcfac1a6dda
SHA256775f7f9041236757b05676318037000e221a582bdfd161b89a11a19fc4fde73c
SHA5125a9836b2af8b7088bfca79e84b3d5ef51a620fe1d59f2a0f1f02605907bcedcbb3f95fd16f9812d405045056d688061cb4c5ef47f09ba0e7779de77b45f013eb
-
Filesize
365KB
MD51c92b308eeb3ee01d7622de9f8fea0b5
SHA15e5c89f5c6f15bad6b62ca0ea22f6dcfac1a6dda
SHA256775f7f9041236757b05676318037000e221a582bdfd161b89a11a19fc4fde73c
SHA5125a9836b2af8b7088bfca79e84b3d5ef51a620fe1d59f2a0f1f02605907bcedcbb3f95fd16f9812d405045056d688061cb4c5ef47f09ba0e7779de77b45f013eb
-
Filesize
14.4MB
MD5bf32265654cb54374dbf6047cd42a6e6
SHA17224ca9df6d412d4ce80cc6fc4b1128ee30d580d
SHA2562adaa532d28ef54737ec964b491fc90d55b16757eeff4d7032715523d7cf8aaf
SHA51274fabeaa65e7d59bcce22df38f9be2ecad8aca49c4554464d2f670ca384948c78cabefc75ae37cfd87f750f3cc188a9e3c9a7ccf632e01011e29acf6e410ae99
-
Filesize
201KB
MD59a76263bdedf77a8ad97faa1b2a9c854
SHA145c5ae31e5251ba15842c7a3495babbcc0f990b8
SHA25609d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198ef9b92b6c18c804f0bc1
SHA5120a63808b0f25ae8f3764973bb3abc21c52f4cc740561679fbb68460e5e02db5d25748dbd0539923a622d650afbfb5334d15a240545a7e1afc2f7ed172dd924fe
-
Filesize
201KB
MD59a76263bdedf77a8ad97faa1b2a9c854
SHA145c5ae31e5251ba15842c7a3495babbcc0f990b8
SHA25609d9bb25f1d1bd6f7c3e3aa64df49eaa398e9f26b198ef9b92b6c18c804f0bc1
SHA5120a63808b0f25ae8f3764973bb3abc21c52f4cc740561679fbb68460e5e02db5d25748dbd0539923a622d650afbfb5334d15a240545a7e1afc2f7ed172dd924fe
-
Filesize
14.4MB
MD5bf32265654cb54374dbf6047cd42a6e6
SHA17224ca9df6d412d4ce80cc6fc4b1128ee30d580d
SHA2562adaa532d28ef54737ec964b491fc90d55b16757eeff4d7032715523d7cf8aaf
SHA51274fabeaa65e7d59bcce22df38f9be2ecad8aca49c4554464d2f670ca384948c78cabefc75ae37cfd87f750f3cc188a9e3c9a7ccf632e01011e29acf6e410ae99
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
36KB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
1.5MB
-
Filesize
76KB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.0MB
-
Filesize
160KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
64KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
24KB
-
Filesize
48KB