Analysis

max time kernel: 150s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2022 09:24

Static task: static1
Behavioral task: behavioral1
Sample: fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe
Resource: win10v2004-20221111-en
General

Target: fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe
Size: 230KB
MD5: db2733de17c0f4415fb9d0cd788c61f8
SHA1: 4652463e2b22e0a1d9d18ede3b3a4145cdccfac9
SHA256: fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb
SHA512: 023233c85bb326452a5b1824eb22b81ffc792f26acb14d0ed434aa8ddedbd9ff0aa54bbdbcbb179ab98ea3b8f01820a66d73b19d9631dd727ac300805ba1a234
SSDEEP: 3072:N7tnLQGk5jcHEDcUvjCc+s1dRcyFxqKlS1g/tK8XlaLLrcSb54VIcVTuh:fL72dgkGc+sviax7tK81QbIr
Malware Config

Extracted
Family: redline
Botnet: 11
C2: 79.137.202.18:45218
Attributes:
  auth_value: 107e09eee63158d2488feb03dac75204
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/4592-133-0x00000000005A0000-0x00000000005A9000-memory.dmp
  yara_rule: family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   process
  4324  CB05.exe
  672   CE81.exe

Uses the VBS compiler for execution (1 TTP)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  description                          pid  process   target process
  PID 672 set thread context of 1936   672  CE81.exe  vbc.exe

Program crash (1 IoC)
  pid  pid_target  process       target process
  768  672         WerFault.exe  CE81.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process                                                               hits
  4592  fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe  2
  2696  (no process name recorded)                                            62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  2696  (no process name recorded)

Suspicious behavior: MapViewOfSection (19 IoCs)
  pid   process                                                               hits
  4592  fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe  1
  2696  (no process name recorded)                                            18

Suspicious use of AdjustPrivilegeToken (13 IoCs)
  description                       pid   process  hits
  Token: SeShutdownPrivilege        2696           6
  Token: SeCreatePagefilePrivilege  2696           6
  Token: SeDebugPrivilege           1936  vbc.exe  1

Suspicious use of WriteProcessMemory (56 IoCs)
  description                       pid   process   target pid  target process  hits
  PID 2696 wrote to memory of 4324  2696            4324        CB05.exe        3
  PID 2696 wrote to memory of 672   2696            672         CE81.exe        3
  PID 672 wrote to memory of 1936   672   CE81.exe  1936        vbc.exe         5
  PID 2696 wrote to memory of 984   2696            984         explorer.exe    4
  PID 4324 wrote to memory of 3140  4324  CB05.exe  3140        vbc.exe         3
  PID 2696 wrote to memory of 2732  2696            2732        explorer.exe    3
  PID 4324 wrote to memory of 3956  4324  CB05.exe  3956        vbc.exe         3
  PID 4324 wrote to memory of 4188  4324  CB05.exe  4188        vbc.exe         3
  PID 4324 wrote to memory of 2404  4324  CB05.exe  2404        vbc.exe         3
  PID 2696 wrote to memory of 4228  2696            4228        explorer.exe    4
  PID 2696 wrote to memory of 2928  2696            2928        explorer.exe    3
  PID 2696 wrote to memory of 1368  2696            1368        explorer.exe    4
  PID 2696 wrote to memory of 2628  2696            2628        explorer.exe    4
  PID 2696 wrote to memory of 1180  2696            1180        explorer.exe    4
  PID 2696 wrote to memory of 3848  2696            3848        explorer.exe    3
  PID 2696 wrote to memory of 3544  2696            3544        explorer.exe    4
Processes

C:\Users\Admin\AppData\Local\Temp\fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fb64b7e890088c50c4d1209a0024177842684cec5c88051cf8d4a8f4ad737eeb.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\CB05.exe  (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\CB05.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\CE81.exe  (depth 1)
  command line: C:\Users\Admin\AppData\Local\Temp\CE81.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe  (depth 2)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (depth 2)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 156
      - Program crash

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 672 -ip 672

C:\Windows\explorer.exe  (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe  (depth 1)
  command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe  (depth 1)
  command line: C:\Windows\SysWOW64\explorer.exe
Downloads

C:\Users\Admin\AppData\Local\Temp\CB05.exe
  Filesize: 67KB
  MD5: 666d8f33d37064fd5d14e2166c9bfa69
  SHA1: 3b27df9335a9b2efe9da1057e9f8312a72d1ca9d
  SHA256: 7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157
  SHA512: ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

C:\Users\Admin\AppData\Local\Temp\CE81.exe
  Filesize: 403KB
  MD5: 9997129d3e41ae79381957203470b051
  SHA1: 96dedfa4c05585d8d957a80a6dc816424fc60308
  SHA256: d5ee046c945c2742f492c96a01eed8a4d92c3cc3f7d1d3c45c12e9162ec08255
  SHA512: 2e1664c8bab30869775ef59a53cc29ae418866a4974ce9a8014b0918694eb10bdd7d76646156d6b731057e897846d8f70c86f0fe4581d72117a4d08a4e61788b