Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 26-09-2022 19:17
- Static task: static1
General
- Target: 32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe
- Size: 129KB
- MD5: 28d8118cf4cf2ec566b49a370bda43c1
- SHA1: 6a1603a6567e59687b3ca1e2fd3102e9abf02fe7
- SHA256: 32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917
- SHA512: dcd04fc96dc8fe89576413952ab79a1f0adfff72b8e4c14dcfcdcc66cc054c472124d54bfc06320a99f38d4d1047c3bb902ac9bea9d5bcadf3e94767e80077a0
- SSDEEP: 3072:SIj/lT55IuPGW9BgA4vAkQ1MaTk0Qm8d9m35B:tauPGWgLAkQ1BoRRd9m
Malware Config
Extracted: danabot
- addresses:
  - 198.15.112.179:443
  - 185.62.56.245:443
  - 153.92.223.225:443
  - 192.119.70.159:443
- embedded_hash: 6618C163D57D6441FCCA65D86C4D380D
- type: loader
Extracted: redline
- botnet: insmix
- address: jamesmillion2.xyz:9420
- auth_value: f388a05524f756108c9e4b0f4c4bafb6
Signatures
- Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/2252-150-0x00000000006E0000-0x00000000006E9000-memory.dmp, yara_rule: family_smokeloader
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  - pid 3672, process 436.exe
  - pid 4832, process 51AB.exe
- Deletes itself (1 IoC)
  - pid 2592
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (2 IoCs)
  - pid 1940 (WerFault.exe), target pid 3672 (436.exe)
  - pid 1308 (WerFault.exe), target pid 3672 (436.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process 32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - pid 2252 (32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe), 2 entries
  - pid 2592, remaining 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - pid 2592
- Suspicious behavior: MapViewOfSection (1 IoC)
  - pid 2252 (32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe)
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  - Token: SeDebugPrivilege, pid 4832 (51AB.exe)
  - Token: SeShutdownPrivilege, pid 2592 (5 entries)
  - Token: SeCreatePagefilePrivilege, pid 2592 (5 entries)
- Suspicious use of WriteProcessMemory (26 IoCs)
  - PID 2592 wrote to memory of 3672 (436.exe), 3 entries
  - PID 3672 (436.exe) wrote to memory of 3392 (appidtel.exe), 3 entries
  - PID 2592 wrote to memory of 4832 (51AB.exe), 3 entries
  - PID 3672 (436.exe) wrote to memory of 1900 (rundll32.exe), 17 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\32962c7fc6405676aa4d7b2e1eda93019c5161ebbb932145f7af73928b341917.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2252
- C:\Users\Admin\AppData\Local\Temp\436.exe (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\436.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3672
  - C:\Windows\SysWOW64\appidtel.exe (depth 2)
    command line: C:\Windows\system32\appidtel.exe
    PID: 3392
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 600
    - Program crash
    PID: 1940
  - C:\Windows\syswow64\rundll32.exe (depth 2)
    command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 1900
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 624
    - Program crash
    PID: 1308
- C:\Users\Admin\AppData\Local\Temp\51AB.exe (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\51AB.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 4832
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: 010171af0924c9db076634361a6a9b36
  SHA1: e632fbb738bb45a8db0e68f066be67be46fdb987
  SHA256: 83c629d9ef2f79fbc1b9582014f685f468744b2318a9f10231a5ead4bf77e4e2
  SHA512: b578a527c2cf201df283f6db0059be93926af5c518b63f4e7f1daf82a5d7466461aad6d070da6ee30ebb545854da9754a6a6cc0ad45b7fa1571f739f7c8ae55f
- Filesize: 304KB
  MD5: 15f1517f0ceaaf9b6c78cf7625510c07
  SHA1: 8aabce20aff43476586a1b69b0b761a7f39d1e7e
  SHA256: d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb
  SHA512: 931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516