Analysis
max time kernel: 151s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2022 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
  Resource: win10v2004-20220812-en
General
Target: bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
Size: 231KB
MD5: a5f5f37a1847dfb887afe130c5838633
SHA1: 3ffdfe8a0a11303521f287888e0b8669d88433da
SHA256: bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
SHA512: ffb2e678256ea987eb2c462df2bf4f4e04958bcd37d56a717290da6dc1c12061f84f8b6f303aa593191b15c463a4650962e1d0cadfca5f64b02c73af215cceb7
SSDEEP: 3072:Rbud1LNTJc5Hm7Gs4V2GEl6pAT23tJ/NewSw7RkxmJZs:R4LVJom7DGndJ/EDGymI
Malware Config
Extracted
redline
11
79.137.202.18:45218
auth_value: 107e09eee63158d2488feb03dac75204
Signatures

Detects Smokeloader packer (1 IoC)
Processes:
  resource:  behavioral2/memory/1800-133-0x00000000005E0000-0x00000000005E9000-memory.dmp
  yara_rule: family_smokeloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3724  D44C.exe
  2388  D8E1.exe
  4852  twwrfff
Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process   target pid  target process
  PID 2388 set thread context of 2316  2388  D8E1.exe  2316        vbc.exe
Program crash (1 IoC)
Processes:
  pid   process       pid_target  target process
  1760  WerFault.exe  2388        D8E1.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  twwrfff
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  twwrfff
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  twwrfff
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process                                                                 entries
  1800  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe  2
  2376  (process name not recorded)                                             62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2376  (process name not recorded)
Suspicious behavior: MapViewOfSection (20 IoCs)
Processes:
  pid   process                                                                 entries
  1800  bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe  1
  2376  (process name not recorded)                                             18
  4852  twwrfff                                                                 1
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
  description                        pid   process                      entries
  Token: SeShutdownPrivilege         2376  (process name not recorded)  6
  Token: SeCreatePagefilePrivilege   2376  (process name not recorded)  6
  Token: SeDebugPrivilege            2316  vbc.exe                      1
Suspicious use of WriteProcessMemory (56 IoCs)
Processes:
  pid   process                      target pid  target process  entries
  2376  (process name not recorded)  3724        D44C.exe        3
  2376  (process name not recorded)  2388        D8E1.exe        3
  2376  (process name not recorded)  2092        explorer.exe    4
  2388  D8E1.exe                     2316        vbc.exe         5
  3724  D44C.exe                     2068        vbc.exe         3
  2376  (process name not recorded)  4248        explorer.exe    3
  3724  D44C.exe                     5104        vbc.exe         3
  3724  D44C.exe                     900         vbc.exe         3
  3724  D44C.exe                     460         vbc.exe         3
  2376  (process name not recorded)  4480        explorer.exe    4
  2376  (process name not recorded)  1780        explorer.exe    3
  2376  (process name not recorded)  3708        explorer.exe    4
  2376  (process name not recorded)  444         explorer.exe    4
  2376  (process name not recorded)  1924        explorer.exe    4
  2376  (process name not recorded)  2224        explorer.exe    3
  2376  (process name not recorded)  4564        explorer.exe    4
Processes
- C:\Users\Admin\AppData\Local\Temp\bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe (PID 1800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\D44C.exe (PID 3724)
  Command line: C:\Users\Admin\AppData\Local\Temp\D44C.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2068)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 5104)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 900)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 460)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
- C:\Users\Admin\AppData\Local\Temp\D8E1.exe (PID 2388)
  Command line: C:\Users\Admin\AppData\Local\Temp\D8E1.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2316)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 1760)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 240
    Signatures: Program crash
- C:\Windows\SysWOW64\explorer.exe (PID 2092)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\SysWOW64\WerFault.exe (PID 3460)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2388 -ip 2388
- C:\Windows\explorer.exe (PID 4248)
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 4480)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe (PID 1780)
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 3708)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 444)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 1924)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe (PID 2224)
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe (PID 4564)
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Users\Admin\AppData\Roaming\twwrfff (PID 4852)
  Command line: C:\Users\Admin\AppData\Roaming\twwrfff
  Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 67KB
  MD5: 666d8f33d37064fd5d14e2166c9bfa69
  SHA1: 3b27df9335a9b2efe9da1057e9f8312a72d1ca9d
  SHA256: 7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
  SHA512: ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df
- Filesize: 399KB
  MD5: 89be4ac8a06eefdd3939ef7c949d2eaa
  SHA1: 3fe3f325bf7743fe859a67b426d94cd574333b2e
  SHA256: 05046a5abb7522d5839de7fc774ca23486cb8cfc9d1ccdeb0357b44171353a5d
  SHA512: e56ecdfa4516b916116a4b167eb9b26f641afd6d4a6fbac4cdcb23d1d6fa3d707f425eef912e4fea91e10b4e8821ddb7c11b183fb83efb60dd87bdc84a0fbf6f
- Filesize: 231KB
  MD5: a5f5f37a1847dfb887afe130c5838633
  SHA1: 3ffdfe8a0a11303521f287888e0b8669d88433da
  SHA256: bd208b56f6151e54b8582e66e8304e5e72e6dfcd046e2a82d482b191ae884c26
  SHA512: ffb2e678256ea987eb2c462df2bf4f4e04958bcd37d56a717290da6dc1c12061f84f8b6f303aa593191b15c463a4650962e1d0cadfca5f64b02c73af215cceb7