Analysis
  max time kernel: 151s
  max time network: 110s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 26-12-2022 05:38
  Static task: static1
  Behavioral task: behavioral1
    Sample: 279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
    Resource: win10v2004-20220812-en
General
  Target: 279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  Size: 232KB
  MD5: 1771c07026a2874ec2b2364ea82c460a
  SHA1: d5fa05499777f0206a0a1180f3c2e481e6c2ea4d
  SHA256: 279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80
  SHA512: 78c594f2c4d8de0f5dace04e0be184040b585243092e71ebd705c056502fc008b9b45eff735fb6283f4e08379041d4719b3424fdf6cb536ea13f7a76e4484e11
  SSDEEP: 3072:gkGUbxLk7u5RTewCiVvMwwF/VuiHoglS1g/tK8NwxgcPLrcSb54VIcVTuh:gWLk7pwuw4umtK8N1c7bIr
Malware Config
Extracted: redline
  11
  79.137.202.18:45218
  auth_value: 107e09eee63158d2488feb03dac75204
Signatures
-
Detects Smokeloader packer (1 IoC)
Processes:
  resource: behavioral1/memory/2564-133-0x00000000005F0000-0x00000000005F9000-memory.dmp
  yara_rule: family_smokeloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  1608  D372.exe
  1960  D7E7.exe
  3948  gfdwsif
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                              pid   process   target process
  PID 1960 set thread context of 4244      1960  D7E7.exe  vbc.exe
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  4560  1960        WerFault.exe  D7E7.exe
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                              process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gfdwsif
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gfdwsif
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gfdwsif
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2564  279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe  (2 entries)
  2376  (process name not recorded; 62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  2376  (process name not recorded)
Suspicious behavior: MapViewOfSection (20 IoCs)
Processes:
  pid   process
  2564  279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  2376  (process name not recorded; 18 entries)
  3948  gfdwsif
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes:
  description                        pid   process
  Token: SeShutdownPrivilege         2376  (6 entries)
  Token: SeCreatePagefilePrivilege   2376  (6 entries)
  Token: SeDebugPrivilege            4244  vbc.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Processes:
  description                          pid   process   target process  entries
  PID 2376 wrote to memory of 1608     2376            D372.exe        3
  PID 2376 wrote to memory of 1960     2376            D7E7.exe        3
  PID 1960 wrote to memory of 4244     1960  D7E7.exe  vbc.exe         5
  PID 2376 wrote to memory of 2656     2376            explorer.exe    4
  PID 1608 wrote to memory of 800      1608  D372.exe  vbc.exe         3
  PID 2376 wrote to memory of 1112     2376            explorer.exe    3
  PID 1608 wrote to memory of 1552     1608  D372.exe  vbc.exe         3
  PID 1608 wrote to memory of 1956     1608  D372.exe  vbc.exe         3
  PID 1608 wrote to memory of 4724     1608  D372.exe  vbc.exe         3
  PID 2376 wrote to memory of 1372     2376            explorer.exe    4
  PID 2376 wrote to memory of 4804     2376            explorer.exe    3
  PID 2376 wrote to memory of 4448     2376            explorer.exe    4
  PID 2376 wrote to memory of 1336     2376            explorer.exe    4
  PID 2376 wrote to memory of 4200     2376            explorer.exe    4
  PID 2376 wrote to memory of 4056     2376            explorer.exe    3
  PID 2376 wrote to memory of 5088     2376            explorer.exe    4
Processes
(indented entries are child processes of the entry above them)
-
C:\Users\Admin\AppData\Local\Temp\279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D372.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D372.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
-
C:\Users\Admin\AppData\Local\Temp\D7E7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\D7E7.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 156
      - Program crash
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1960 -ip 1960
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Users\Admin\AppData\Roaming\gfdwsif
  command line: C:\Users\Admin\AppData\Roaming\gfdwsif
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D372.exe
  Filesize: 67KB
  MD5: 666d8f33d37064fd5d14e2166c9bfa69
  SHA1: 3b27df9335a9b2efe9da1057e9f8312a72d1ca9d
  SHA256: 7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
  SHA512: ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df
-
C:\Users\Admin\AppData\Local\Temp\D7E7.exe
  Filesize: 403KB
  MD5: 85096ded58b9163ddc21460fbc98632e
  SHA1: aa24d8a0180423a9ee9a5c79f3f6d245cc8b3298
  SHA256: 69a994e5ffc5ee8331cfb46f9afb6304dcc57bbe905e361c673f9a4f26f838fc
  SHA512: c4f2977f4787e8f7c38e81fda6808c8b7983d8d5c6e803a21414a90488bb8ced00ce9dbeae57a922afac01720448da0733aef956809b831b059b097cfd49e3a8
-
C:\Users\Admin\AppData\Roaming\gfdwsif
  Filesize: 232KB
  MD5: 1771c07026a2874ec2b2364ea82c460a
  SHA1: d5fa05499777f0206a0a1180f3c2e481e6c2ea4d
  SHA256: 279ecacaf6084caf1182f157dae2ed79b2d3090cb74c89c990c912aecfe12c80
  SHA512: 78c594f2c4d8de0f5dace04e0be184040b585243092e71ebd705c056502fc008b9b45eff735fb6283f4e08379041d4719b3424fdf6cb536ea13f7a76e4484e11