Analysis
-
max time kernel
128s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
01-12-2022 10:47
General
-
Target
e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf.exe
-
Size
577KB
-
MD5
ccd4fc36f74caf6fae7b806ce66a9859
-
SHA1
7b11c433593ffd98a87bd1ec399a1beb768f5b22
-
SHA256
e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf
-
SHA512
7266dc50ad201106c99a9b4141a7fa12e28cdc59c1bd10005e76bb7335849f3b88bf58c37d784bfa14d77d2411a97f339fd0ec27e36d47e5ddd434ddfdba1536
-
SSDEEP
12288:uGQttWvM3zrbETClTkFguiSlqamdqVbnFSPnQxBIyXCD8Hk6:u8U376C1kFgullOo9nGn2BIyXtX
Malware Config
Extracted
C:\readme.txt
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?ST2GHJLMOPR
https://yip.su/2QstD5
Extracted
C:\odt\ReadMe.txt
http://obzuqvr5424kkc4unbq2p2i67ny3zngce3tbdr37nicjqesgqcgomfqd.onion/?102YQHIABYP
https://yip.su/2QstD5
Extracted
redline
R102
94.130.179.90:21188
-
auth_value
cc794f9cf73d320cef662bb8cd5878d3
Signatures
-
Detects Smokeloader packer 3 IoCs
-
GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 19 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf.exe"C:\Users\Admin\AppData\Local\Temp\e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf.exe"{path}"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\CA84.exeC:\Users\Admin\AppData\Local\Temp\CA84.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CA84.exe"{path}"2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\CF57.exeC:\Users\Admin\AppData\Local\Temp\CF57.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CF57.exe"{path}"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CF57.exe"{path}"2⤵
- Executes dropped EXE
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
-
C:\Users\Admin\AppData\Local\Temp\D459.exeC:\Users\Admin\AppData\Local\Temp\D459.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D459.exe"{path}"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 8762⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4852 -ip 48521⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Users\Admin\AppData\Local\CF57.exe"C:\Users\Admin\AppData\Local\CF57.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\rvdafcsC:\Users\Admin\AppData\Roaming\rvdafcs1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
203KB
MD5fd0afd79aa903acb40ab540962a50d7c
SHA145e43581c9ceed4ca6e33af98269a4b981c39483
SHA2561cc62cfee5e09cd4be8bd930586a05e7de8bfec3dedb77470bf79652cc6de523
SHA5122523057721ec9868fbf01583b335a43db22b626575c92e2d05b5cf39225f535ccd73c2cd3c24f8f89b17af71806a460997fc7a014f82fd14dfd49337b4f21035
-
Filesize
203KB
MD55fc1a16c3567f77cc793bf9ee485af42
SHA122180c74d834500271d3bac9d142f06b61d30c29
SHA25647fd7f6593096c30c34000491d71f5c3488eb4026eabf22f59300fe2caf40d1b
SHA51245a8c26f03355eb359c3f9cf6716aa7836e779b924e6467eda05b47150bb03018352ad9b41d928852f2000daf4900f7fb238b7055568eb0af848329cfb1cc539
-
Filesize
320KB
MD59002257695bd1a66a87f0f49bb9ec355
SHA14b34e363f3833eb8aacc6b1cae7d53f13eb27307
SHA256ff975d4f6bef9a40512bad51e186cd0aa2743af92a511a8f33cfc2338c5d2a1a
SHA512988b7c82cbf44004688d151829e7d7f69beacc83b8d0e926a8e0ae9c06e1c79cfcfbeb0803df6e9e1ab3dd30f06e7215f21738dfdeb6a017f8492f78a82a89c9
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
3KB
MD55a1b22412a0232528f491aa6f2db6828
SHA1588fc039ba58086af960549b7db2bf9bf8642c5f
SHA256135fb187661b5780c057392f7aa3ef5cc7d2c5fb0a25d54f1d218125522e1606
SHA512d29a202df92e8bf3f73adfa6b93d1ac178505fd888391f8233246083b544a0fca744780f1d7ed7c4dde54b49206732dfbc03262ffab36709471508e4ebc47660
-
Filesize
1KB
MD5f5edbf7b4bade85bd62f19e949d5f264
SHA12806f20bec9d1217c26aee168af7e4b26e3a8897
SHA256d80769eb4c682d000cde62b135f37765d82ed35c8c3144c44b6662169c03043b
SHA512621b612d5ec830d8846ef00ed40c3d2864c5d78d43aa26da1c879fdefd4c2b02a969129ee7b4f3bb9467164b3931ea73b5162621f7f9e1b8e3d155ac93ddf7f7
-
Filesize
3KB
MD5425ed0011c51cb060a76282cdc89765e
SHA14eef52378baa8b7c8d54fb9a6eab468b273d9010
SHA256617cffdba22e6ae48aa0054df67eeeb8c59d4570cbf21a1d3f78677781d6e942
SHA5129ebca7ee142b70de9d445ac1a888eb41d5e5903763ffe92ba922a5e4e7a2d91d4ed82ebc4a034264fae041e2a7fcd28c16f8ad23d0c8dbab197ea10fe0b3c548
-
Filesize
1KB
MD594fc8527d9a3df1c9895d87a22e04e4f
SHA18769e8f9a001ff50fd6feb9c7981165d618aa571
SHA256f668a4a4fdbeec35991887b41b9eae1996f9cfee217c954a61b0f2d0b1546ddb
SHA512d37c4394c6819817974eca57a9e4e98a1eb397a23d6b4d0c2d335b84aeefc202b0735c31fa606f94593912c72bcb2226399efd88f7a1f4c57bb530aee2582542
-
Filesize
1KB
MD5aea0dfd8c7caf24605a5712f1840649c
SHA1a62e062d3c90a4a4731c99f1a60bf4aa70430dda
SHA256bf7054500c89e1d57696a1f13b866fc7775c0a809cedde59a7f76a2d87f5b2ac
SHA5120440fde9d0a3ff536e7fdf27857c065c7c3827d43403556615a767b98004c353ff43ab721bba916aab561363b9290d64c938198319ccd6734f0d0f8ca44400b3
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
Filesize
1KB
MD584e77a587d94307c0ac1357eb4d3d46f
SHA183cc900f9401f43d181207d64c5adba7a85edc1e
SHA256e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
Filesize
446B
MD5c2e75bdc16b8248db2482a0a4b872cdc
SHA16e7f64689e027f1731e132a990ca463018b23685
SHA25659b69354114efc6a069949c0dcb4cba0407ece9a4fb5b384a1ac4cfac9b30fa5
SHA51204a79d77452f0cd522ea97e7b39c0d53549bec2db08846bad540a6d0f6b93e1f8776228cd82862568bc32ab866848567086138a0b70fa2bb3eb8e1b15a9b5c34
-
Filesize
8KB
MD5bbb7f739404475118f670bad2ea2682d
SHA1e8ee1687a577be82c5882e17d1923b1eb29fed0b
SHA2565d587ec1379ca0e7d3ba81f2301674e40fb6617da694858cea67134778bfde88
SHA5122d6f796ff1807566bb9a04ec34f096c63d2e535ae9435a48e7d2e51e46612e6af178799e4237b7728ea1638a60921374da01756d48539f5606fa7cd56817a344
-
Filesize
884KB
MD513d8c2f2cdf5f6208c3e999621019304
SHA1fc8930cd264393552727a457efbbea67e60e49e5
SHA256edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
SHA512fd03cb71100f2638a0f8406b1b68e1b811cd6c8f66c67cd34ce4221372e569e8709906c4b2fb125cfe14ba6e8919e214440d7e15fa11122c4ee255b742b6b118
-
Filesize
884KB
MD513d8c2f2cdf5f6208c3e999621019304
SHA1fc8930cd264393552727a457efbbea67e60e49e5
SHA256edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
SHA512fd03cb71100f2638a0f8406b1b68e1b811cd6c8f66c67cd34ce4221372e569e8709906c4b2fb125cfe14ba6e8919e214440d7e15fa11122c4ee255b742b6b118
-
Filesize
884KB
MD513d8c2f2cdf5f6208c3e999621019304
SHA1fc8930cd264393552727a457efbbea67e60e49e5
SHA256edb7c1252fc4d53a733afe5b74dfab6395bcd90ea2c3cf0664e3b610e84e24d6
SHA512fd03cb71100f2638a0f8406b1b68e1b811cd6c8f66c67cd34ce4221372e569e8709906c4b2fb125cfe14ba6e8919e214440d7e15fa11122c4ee255b742b6b118
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
847KB
MD5409e2d09f3675bd1d2cdac3bb003f78d
SHA1588b45567e8e4846c90b7a5d3c5b3d80cfc80426
SHA256bdbba6afa1fe6a41d85a712ddb48c6fb9057df42cc9e318ea582d5535008025c
SHA51274a9cfd8bfa55bb2d92bbbdbc7b3783a781682895a05035872b54421a5e135a9ce23dc046cb5d2b1810321043c8da43480fefcbad6583a1c2f0900c1d33f05d4
-
Filesize
921KB
MD5a67dd1e291c6bcea7a09c0e27d622577
SHA1647f48a2306695cdfb2b2424f0dff4253e10bbca
SHA2569681559af9504e3f6c6674992a37b660262f98042f3b8f754ffa12b3153402d5
SHA512b26aa2ca5f2793e6c8cfd052d9e93a1d71ccfae1e3e67af4ba9363d9bcb08c67ce1f73cc26d2c08adc60045ae0220340f448c6bd7bc7838a795b70b3443564e2
-
Filesize
921KB
MD5a67dd1e291c6bcea7a09c0e27d622577
SHA1647f48a2306695cdfb2b2424f0dff4253e10bbca
SHA2569681559af9504e3f6c6674992a37b660262f98042f3b8f754ffa12b3153402d5
SHA512b26aa2ca5f2793e6c8cfd052d9e93a1d71ccfae1e3e67af4ba9363d9bcb08c67ce1f73cc26d2c08adc60045ae0220340f448c6bd7bc7838a795b70b3443564e2
-
Filesize
921KB
MD5a67dd1e291c6bcea7a09c0e27d622577
SHA1647f48a2306695cdfb2b2424f0dff4253e10bbca
SHA2569681559af9504e3f6c6674992a37b660262f98042f3b8f754ffa12b3153402d5
SHA512b26aa2ca5f2793e6c8cfd052d9e93a1d71ccfae1e3e67af4ba9363d9bcb08c67ce1f73cc26d2c08adc60045ae0220340f448c6bd7bc7838a795b70b3443564e2
-
Filesize
577KB
MD5ccd4fc36f74caf6fae7b806ce66a9859
SHA17b11c433593ffd98a87bd1ec399a1beb768f5b22
SHA256e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf
SHA5127266dc50ad201106c99a9b4141a7fa12e28cdc59c1bd10005e76bb7335849f3b88bf58c37d784bfa14d77d2411a97f339fd0ec27e36d47e5ddd434ddfdba1536
-
Filesize
577KB
MD5ccd4fc36f74caf6fae7b806ce66a9859
SHA17b11c433593ffd98a87bd1ec399a1beb768f5b22
SHA256e27879b1cbd53ab565e049393da99ed5efa099a5eaf1e2595d44bdaea1d60ddf
SHA5127266dc50ad201106c99a9b4141a7fa12e28cdc59c1bd10005e76bb7335849f3b88bf58c37d784bfa14d77d2411a97f339fd0ec27e36d47e5ddd434ddfdba1536
-
Filesize
1KB
MD503f47accff0d10a1192c69056f54d325
SHA1a8c1d4e4ff73c18ce67e58fa7eb7a42a04795c19
SHA256ce38a4140f8f55411ed587c380377e236352c2927e4fa6259dddc9c2a8a8cf1d
SHA5124fbeb2618b3aaddee615426607f54c248828b3f4f58ef92dd7558b4336cf8a3200ea4f6688202ce7208a57fa99950e05f3e7c584aedbfb64fdbef4538aaab661
-
Filesize
1KB
MD5c1679f4cb87fef1c67da09ee9c13a526
SHA12ea444d366307b6f9fe888a8bdc63a19e56c5d2d
SHA256344d4d76f73ffc5328bb491c007401e97f627c0648120f7b7514b8ac4b72ceb3
SHA51211361fc16e267653328e31899764cdfc3d6256238a5288514ac2c292cd6ff8b97c5e4d9f227f95c99bcfa012aa5f1261e9baef4181b589b06934ae8c48017a0d
-
-
Filesize
912KB
-
Filesize
128KB
-
Filesize
128KB
-
-
-
Filesize
48KB
-
-
-
Filesize
944KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
120KB
-
-
Filesize
120KB
-
Filesize
36KB
-
Filesize
36KB
-
-
Filesize
36KB
-
Filesize
872KB
-
-
Filesize
40KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
600KB
-
Filesize
56KB
-
-
Filesize
56KB
-
Filesize
56KB
-
Filesize
428KB
-
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
5.2MB
-
Filesize
320KB
-
Filesize
472KB
-
Filesize
160KB
-
Filesize
1.8MB
-
Filesize
408KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-