Analysis
  max time kernel: 152s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-12-2022 03:47
Behavioral task: behavioral1
  Sample: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Resource: win10v2004-20220812-en
General
  Target: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Size: 29KB
  MD5: 1496b98fe0530da47982105a87a69bce
  SHA1: 00719a1b168c8baa3827a161326b157713f9a07a
  SHA256: c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d
  SHA512: 286c28a228dda2d589e7e5a75027c27fcc69244b8fec2ae1019d66a8fe6aa00ef245682a1e2dd3f37722c9c4220f2ddc52ab8750369842da028970c59513dcc6
  SSDEEP: 768:en3FjOzFQjRuGjXi2nZFwn3SGTfMve9L0hPOZ:eaQ3Xi2ni3SKfMkLw
Malware Config
Extracted
  Family: redline
  Botnet: GOLD
  C2: 45.138.16.105:30305
  auth_value: 4f782696884d580a958a158781386d86
Extracted
  Family: amadey
  Version: 3.50
  C2: 1h3art.me/i4kvjd3xc/index.php
Signatures

Detects Smokeloader packer (8 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/1096-132-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral2/memory/1096-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  C:\Users\Admin\AppData\Roaming\1000089000\stub.exe | family_smokeloader
  C:\Users\Admin\AppData\Roaming\1000089000\stub.exe | family_smokeloader
  behavioral2/memory/2604-152-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral2/memory/2604-153-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  C:\Users\Admin\AppData\Roaming\vvvsaer | family_smokeloader
  C:\Users\Admin\AppData\Roaming\vvvsaer | family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
Processes:
  pid | process
  4608 | 350A.exe
  4012 | 3578.exe
  2260 | gntuud.exe
  2604 | stub.exe
  3076 | gntuud.exe
  2324 | gntuud.exe
  4832 | vvvsaer

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 3578.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | gntuud.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stub.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000089000\\stub.exe" | gntuud.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vvvsaer
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | stub.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vvvsaer
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | vvvsaer
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | stub.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | stub.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  3052 |

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes:
  pid | process
  1096 | c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
  2604 | stub.exe
  4832 | vvvsaer

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3052 |
  Token: SeCreatePagefilePrivilege | 3052 |
  Token: SeShutdownPrivilege | 3052 |
  Token: SeCreatePagefilePrivilege | 3052 |
  Token: SeShutdownPrivilege | 3052 |
  Token: SeCreatePagefilePrivilege | 3052 |
  Token: SeDebugPrivilege | 4608 | 350A.exe
  Token: SeShutdownPrivilege | 3052 |
  Token: SeCreatePagefilePrivilege | 3052 |

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid | process | target process
  PID 3052 wrote to memory of 4608 | 3052 | | 350A.exe
  PID 3052 wrote to memory of 4608 | 3052 | | 350A.exe
  PID 3052 wrote to memory of 4608 | 3052 | | 350A.exe
  PID 3052 wrote to memory of 4012 | 3052 | | 3578.exe
  PID 3052 wrote to memory of 4012 | 3052 | | 3578.exe
  PID 3052 wrote to memory of 4012 | 3052 | | 3578.exe
  PID 4012 wrote to memory of 2260 | 4012 | 3578.exe | gntuud.exe
  PID 4012 wrote to memory of 2260 | 4012 | 3578.exe | gntuud.exe
  PID 4012 wrote to memory of 2260 | 4012 | 3578.exe | gntuud.exe
  PID 2260 wrote to memory of 2280 | 2260 | gntuud.exe | schtasks.exe
  PID 2260 wrote to memory of 2280 | 2260 | gntuud.exe | schtasks.exe
  PID 2260 wrote to memory of 2280 | 2260 | gntuud.exe | schtasks.exe
  PID 2260 wrote to memory of 2604 | 2260 | gntuud.exe | stub.exe
  PID 2260 wrote to memory of 2604 | 2260 | gntuud.exe | stub.exe
  PID 2260 wrote to memory of 2604 | 2260 | gntuud.exe | stub.exe

Processes ([n] = depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c7c03c2d6a78eb79409a53304bfaf8a69334d2f6a5928db641092bcc39dc8e8d.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\350A.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\350A.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Users\Admin\AppData\Local\Temp\3578.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\3578.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe" /F
        - Creates scheduled task(s)
    [3] C:\Users\Admin\AppData\Roaming\1000089000\stub.exe
        Command line: "C:\Users\Admin\AppData\Roaming\1000089000\stub.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\613bae0a89\gntuud.exe
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Roaming\vvvsaer
    Command line: C:\Users\Admin\AppData\Roaming\vvvsaer
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection