Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
26-06-2023 13:44
General
-
Target
b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
-
Size
335KB
-
MD5
b5237a3f0b1db945c1fe3f9ba71e3ff2
-
SHA1
ba302c3c2490a3b1b04cfbdd76097f2444a54700
-
SHA256
239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
-
SHA512
9879c4cd6e995916cbd8cb16f6cb3982b48b0ffc5d01479e2c2f3f73ae46a5129893571f94ded70a0ad61a1340c67ef8214018bbc7e1e17fd5395a4f55fb78a1
-
SSDEEP
6144:d/sM+uEe4oleWZxrigxyZdXlgdqUh+LoXl4m34fX6Rs+j2exWLsxAFFDwkGklYkv:5sM+uEe30D67j2exWPFxwkiVi
Malware Config
Extracted
redline
1
dexstat255.xyz:46578
-
auth_value
c4805fc19583231a4c5bb64b0e833716
Extracted
systembc
adstat277xm.xyz:4044
demstat377xm.xyz:4044
Extracted
smokeloader
2022
http://serverlogs37.xyz/statweb255/
http://servblog757.xyz/statweb255/
http://dexblog45.xyz/statweb255/
http://admlogs.online/statweb255/
http://blogstat355.xyz/statweb255/
http://blogstatserv25.xyz/statweb255/
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Renames multiple (371) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 1 IoCs
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 26 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\s777mx.exe"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\809A.exeC:\Users\Admin\AppData\Local\Temp\809A.exe1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\809A.exe"C:\Users\Admin\AppData\Local\Temp\809A.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 4683⤵
- Program crash
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Temp\8231.exeC:\Users\Admin\AppData\Local\Temp\8231.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 7242⤵
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4412 -ip 44121⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1364 -ip 13641⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD502f3ba42ef35ccaacb201eb0eac399d5
SHA189123a0480d270c558dcafdf8bcb237b91f4cff5
SHA256b7817f4af379fa1dc543da21f96c069bd17008e045e193ceedab157d29e586b5
SHA512e1a2935b6aaf00cf4bd640f9ee470bf42624c1c6c6f678ba2bb38be64040f6b2c5bd85a84e2aff06db4d6d1a350ab88f141ab4ee9c95f21d46366ccab53d050e
-
Filesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
Filesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
Filesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
Filesize
235KB
MD50f281d2506515a64082d6e774573afb7
SHA18949f27465913bf475fceb5796b205429083df58
SHA2562288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622
-
Filesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
Filesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
Filesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
Filesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
Filesize
205KB
MD59d8a3dd432e255ebb2e890d2a0653ddb
SHA10e5741c323e7c35671333863492743ae0c64f64b
SHA2566fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
-
Filesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
Filesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
Filesize
220KB
MD58d7ebe871589d79f195f240dcef43a57
SHA1f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA25619397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd
-
Filesize
36KB
-
Filesize
6.1MB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
192KB
-
Filesize
64KB
-
Filesize
1.0MB
-
Filesize
23.2MB
-
Filesize
23.2MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
132KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
468KB
-
Filesize
60KB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
20KB
-
Filesize
23.2MB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
352KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
2.6MB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
44KB