Analysis
-
max time kernel
139s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16-07-2023 07:41
General
-
Target
7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
-
Size
163KB
-
MD5
7ff07ccc087a7d29c89cfd7fd5eb9f5d
-
SHA1
2150a746f78c9648d61a5e6861817408d80296cb
-
SHA256
26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
-
SHA512
5710315d3921799b192fd3c683aff6282ff55a28c1689441f91277bfa5720212546d14a040963f12810aecd76be6e98b63e8de360ec1e7997848c3eac69e9165
-
SSDEEP
3072:rri0LnjzU9CSXlwRglQttweek/bOn3fekTBO95wYW:60LnjAxX8WQfY2OvesnYW
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Extracted
redline
cc
94.228.169.160:43800
-
auth_value
ec4d19a9dd758ace38b4f5b4a447b048
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 15 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 53 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\3AF.exeC:\Users\Admin\AppData\Local\Temp\3AF.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\6BE.exeC:\Users\Admin\AppData\Local\Temp\6BE.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 13002⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C0E.exeC:\Users\Admin\AppData\Local\Temp\C0E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 4162⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\1120.exeC:\Users\Admin\AppData\Local\Temp\1120.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 37002⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2548 -ip 25481⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2404 -ip 24041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4024 -ip 40241⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
1.8MB
MD5d5c139fe384e12358c394790b740a429
SHA1835188fc822341f9226c13412e00f45d666b85f2
SHA256da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA51208c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
229.9MB
MD5c591fab8919ad59805b405d428873108
SHA14feded8996ed49f1d855bb5ab3dc32660e77b747
SHA25604ee95519467bbd5c26976d9c0e51e644f7d6c8969264eef5b95a2ca69cd7bac
SHA51278ed528f48f964f0ea1182b335e8ee05fd75d494932722978cc9e3beb7a2531d40a11d6927a9bf1527ea1493bfe7ff1fed7c62a2a62ab84669138cbc2adf0fee
-
Filesize
226.8MB
MD5f41d966903fef7ff2c2585877705e810
SHA13cfc82f7bf9324847b517dd9782fbe05f35b4af3
SHA2566f63769ac0db736367c0b984bc31ee04874e6255f994cc98d131b92201dcd25a
SHA5126076a63118e3846fa377c353cc40269e7fce0ee518f233c79d795a57e74ec5ffb78a2b1cd493724cff11c84bb3fca32bbe83b529292dea8134f33811aca7d93e
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
192KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
2.0MB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
908KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
264KB
-
Filesize
296KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
1024KB
-
Filesize
264KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
3.8MB
-
Filesize
1.7MB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
36KB