Analysis
max time kernel: 147s
max time network: 151s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2023 07:45
Static task: static1
Behavioral task behavioral1: sample 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe, resource win7-20230712-en
Behavioral task behavioral2: sample 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe, resource win10v2004-20230703-en
General
Target: 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (the file is named after its own MD5)
Size: 163KB
MD5: 7ff07ccc087a7d29c89cfd7fd5eb9f5d
SHA1: 2150a746f78c9648d61a5e6861817408d80296cb
SHA256: 26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
SHA512: 5710315d3921799b192fd3c683aff6282ff55a28c1689441f91277bfa5720212546d14a040963f12810aecd76be6e98b63e8de360ec1e7997848c3eac69e9165
SSDEEP: 3072:rri0LnjzU9CSXlwRglQttweek/bOn3fekTBO95wYW:60LnjAxX8WQfY2OvesnYW
Malware Config
Three families were extracted from this one run: the SmokeLoader loader and two payloads it fetched, RedLine (stealer) and Laplas (clipper).

Extracted: smokeloader
  botnet: summ

Extracted: smokeloader
  version: 2022
  C2 URLs:
    http://stalagmijesarl.com/
    http://ukdantist-sarl.com/
    http://cpcorprotationltd.com/

Extracted: redline
  cc: 94.228.169.160:43800
  auth_value: ec4d19a9dd758ace38b4f5b4a447b048

Extracted: laplas
  C2: http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
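To turn the configuration above into something a blocklist or a hunt query can consume, the following is an added example (not part of the sandbox report and not the sandbox's own code): it normalises the extracted values into typed, defanged indicators and emits a DNS blocklist. The values are copied from the report; the EXTRACTED dict layout, the Indicator class, the kind names ("url", "domain", "ipv4", "socket", "campaign_id") and the helper names are this example's own choices.

```python
"""Added example: normalise the extracted SmokeLoader / RedLine / Laplas
configuration into typed indicators. Values are the report's; structure and
helper names are this example's own."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed from the "Malware Config" section of the report.
EXTRACTED = {
    "smokeloader": {
        "botnet": "summ",
        "version": "2022",
        "c2": [
            "http://stalagmijesarl.com/",
            "http://ukdantist-sarl.com/",
            "http://cpcorprotationltd.com/",
        ],
    },
    "redline": {
        "cc": "94.228.169.160:43800",
        "auth_value": "ec4d19a9dd758ace38b4f5b4a447b048",
    },
    "laplas": {
        "c2": "http://clipper.guru",
        "api_key": "0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e",
    },
}


@dataclass(frozen=True)
class Indicator:
    family: str
    kind: str    # "url", "domain", "ipv4", "socket" or "campaign_id"
    value: str

    @property
    def defanged(self) -> str:
        """Render the value so it cannot be clicked or auto-resolved."""
        return (self.value.replace("http://", "hxxp://")
                          .replace("https://", "hxxps://")
                          .replace(".", "[.]"))


def split_hostport(hostport: str) -> tuple[str, int | None]:
    """'94.228.169.160:43800' -> ('94.228.169.160', 43800); no port -> None."""
    host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return hostport, None


def host_kind(host: str) -> str:
    try:
        ipaddress.IPv4Address(host)
        return "ipv4"
    except ValueError:
        return "domain"


def indicators(config: dict = EXTRACTED) -> list[Indicator]:
    out: list[Indicator] = []
    urls = [(u, "smokeloader") for u in config["smokeloader"]["c2"]]
    urls.append((config["laplas"]["c2"], "laplas"))
    for url, family in urls:
        host = urlsplit(url).hostname or url
        out.append(Indicator(family, "url", url))
        out.append(Indicator(family, host_kind(host), host))
    host, port = split_hostport(config["redline"]["cc"])
    out.append(Indicator("redline", host_kind(host), host))
    if port is not None:
        out.append(Indicator("redline", "socket", f"{host}:{port}"))
    # Campaign identifiers are not blockable, but they pivot across samples.
    out.append(Indicator("smokeloader", "campaign_id", config["smokeloader"]["botnet"]))
    out.append(Indicator("redline", "campaign_id", config["redline"]["auth_value"]))
    out.append(Indicator("laplas", "campaign_id", config["laplas"]["api_key"]))
    return out


def dns_blocklist(config: dict = EXTRACTED) -> list[str]:
    """Sorted unique domains, e.g. for an RPZ or sinkhole feed."""
    return sorted({i.value for i in indicators(config) if i.kind == "domain"})


def report(config: dict = EXTRACTED) -> str:
    return "\n".join(f"{i.family:12} {i.kind:12} {i.defanged}" for i in indicators(config))


if __name__ == "__main__":
    print(report())
    print("dns blocklist:", ", ".join(dns_blocklist()))
```

The RedLine auth_value and the Laplas api_key are kept as campaign identifiers rather than dropped: they are the values most likely to recur in other reports for the same operator, which makes them better pivots than the loader domains.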
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (24 IoCs)
All 24 YARA hits (rule family_redline) are memory dumps of PID 2676, which the "Executes dropped EXE" signature below identifies as 119F.exe; 119F.exe is therefore the RedLine payload.
behavioral1/memory/2676-195-0x0000000001E90000-0x0000000001EDA000-memory.dmp
behavioral1/memory/2676-196-0x00000000027C0000-0x0000000002800000-memory.dmp
behavioral1/memory/2676-201-0x0000000002570000-0x00000000025B6000-memory.dmp
behavioral1/memory/2676-N-0x0000000002570000-0x00000000025B2000-memory.dmp for N in 209, 210, 212, 214, 216, 219, 223, 226, 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, 248, 250, 252 (21 dumps of the same region)

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Deletes itself (1 IoC)
PID 1296, shown as "Process not Found" because the sandbox has no image name for it. The same PID is the source of every WriteProcessMemory call into 8E6.exe, 119F.exe and 1F75.exe and into the nine explorer.exe instances listed under Processes, so it is the process SmokeLoader operates from once the initial executable (PID 2180) has run.

Executes dropped EXE (4 IoCs)
PID 2924  8E6.exe
PID 2676  119F.exe
PID 1264  1F75.exe
PID 392   ntlhost.exe

Loads dropped DLL (5 IoCs)
PID 2176  WerFault.exe (3 loads)
PID 2924  8E6.exe (2 loads)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  (process: 8E6.exe)
This is a per-user Run value (HKCU of the S-1-5-21-...-1000 account) whose target sits in the user-writable AppData\Roaming tree, so it needs no elevation; the process tree shows 8E6.exe (PID 2924) then starting that ntlhost.exe (PID 392).
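One way to consume Run-key IOC lines of this form and rank them, as an added example that is not part of the sandbox report: it parses the line into hive, SID, value name and image path, then flags targets that live in user-writable locations, which is the property that makes this entry interesting. REPORT_LINE is copied from the report; CONTROL_LINE is constructed as a benign comparison; the regex, the path-fragment heuristic and the function names are this example's own, and the live_run_entries helper is an optional Windows-only check against the real HKCU Run key.

```python
"""Added example: parse a sandbox Run-key IOC line and decide whether the
autostart target is in a user-writable path. Regex, heuristics and names are
this example's own; REPORT_LINE is the report's line, CONTROL_LINE is made up."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from typing import Optional

# Copied from the "Adds Run key to start application" signature. The doubled
# backslashes inside the quotes are the report's own escaping of the path.
REPORT_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"'
)
# Constructed benign control: same key, target under Program Files.
CONTROL_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = '
    r'"C:\\Program Files\\Example\\updater.exe"'
)

RUN_KEY_RE = re.compile(
    r'Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)'
    r'(?:\\(?P<sid>S-1-5-21-[\d-]+))?'
    r'\\(?P<subkey>.*?\\CurrentVersion\\(?:Run|RunOnce))'
    r'\\(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)

# Path fragments an unprivileged user can write to. An autostart pointing
# here needs no installer and no elevation, which is why loaders favour it.
USER_WRITABLE_FRAGMENTS = (
    "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\", "\\downloads\\",
)


@dataclass
class RunEntry:
    hive: str            # "HKU" or "HKLM"
    sid: Optional[str]   # account SID for HKU entries, None for HKLM
    value_name: str
    image_path: str


def parse_run_key(line: str) -> Optional[RunEntry]:
    """Turn one 'Set value ... Run\\Name = "..."' line into a RunEntry."""
    m = RUN_KEY_RE.match(line.strip())
    if m is None:
        return None
    path = m["data"].replace("\\\\", "\\")   # undo the report's escaping
    return RunEntry(
        hive="HKU" if m["hive"] == "USER" else "HKLM",
        sid=m["sid"],
        value_name=m["name"],
        image_path=path,
    )


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE_FRAGMENTS)


def assess(line: str) -> Optional[tuple[RunEntry, str]]:
    """Return the parsed entry and a verdict: 'suspicious' or 'review'."""
    entry = parse_run_key(line)
    if entry is None:
        return None
    return entry, ("suspicious" if is_user_writable(entry.image_path) else "review")


def live_run_entries() -> list[tuple[str, str, bool]]:
    """On a Windows host, read HKCU\\...\\Run and apply the same heuristic."""
    if sys.platform != "win32":
        raise OSError("live registry access needs Windows")
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    results = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _ = winreg.EnumValue(key, i)
            results.append((name, str(data), is_user_writable(str(data))))
    return results


if __name__ == "__main__":
    for line in (REPORT_LINE, CONTROL_LINE):
        entry, verdict = assess(line)
        print(f"{verdict:10} {entry.hive} {entry.value_name} -> {entry.image_path}")
```

The heuristic is deliberately narrow: a Run value pointing into AppData is not proof of malware (per-user installers use it too), so the verdict is "suspicious", to be confirmed against the hash of the target file, not "malicious".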
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
PID 1264 (1F75.exe) set thread context of PID 2000, procid_target 34. PID 2000 is the "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" child that 1F75.exe spawned (see Processes). Together with the nine WriteProcessMemory calls from 1264 into 2000 listed below, this is the write-then-SetThreadContext sequence of process hollowing into a legitimate .NET host binary.

Program crash (1 IoC)
PID 2176 WerFault.exe, crashing process PID 1264 (1F75.exe), procid_target 32. The WerFault command line in the process tree (-u -p 1264 -s 36) names the same crashing process.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
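What the sample learns from that key is easiest to see by replicating the check. The following is an added example, not part of the report and not the sample's code: it reads the subkey names under the same Enum\SCSI path and matches them against hypervisor vendor strings. The marker table, the constructed device-id strings and the function names are this example's own; on a non-Windows host only the matching logic runs.

```python
"""Added example: the SCSI-enumeration sandbox check, written out for
defenders. Key path is the report's; marker table, sample ids and names are
this example's own."""
import sys

# Substrings common hypervisors leave in SCSI device identifiers, mapped to
# a label. Substring matching is deliberately coarse: that is all a loader
# needs, and all it typically does.
VM_MARKERS = {
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "qemu": "QEMU",
    "msft&prod_virtual": "Hyper-V",
    "prod_virtual_disk": "generic virtual disk",
}

# Constructed device-id strings in the form Windows stores under Enum\SCSI.
VM_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD01",
]
BAREMETAL_IDS = ["Disk&Ven_Samsung&Prod_SSD_870_EVO"]


def hypervisor_hints(device_ids):
    """Labels of every marker found, in first-seen order; [] means no match."""
    hits = []
    for dev in device_ids:
        low = dev.lower()
        for marker, label in VM_MARKERS.items():
            if marker in low and label not in hits:
                hits.append(label)
    return hits


def looks_like_sandbox(device_ids):
    return bool(hypervisor_hints(device_ids))


def read_scsi_device_ids():
    """Enumerate the subkeys of HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.
    Windows only: this is the key the sample opened, enumerated and queried."""
    if sys.platform != "win32":
        raise OSError("registry enumeration needs Windows")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


if __name__ == "__main__":
    ids = read_scsi_device_ids() if sys.platform == "win32" else VM_IDS
    print("hypervisor hints:", hypervisor_hints(ids) or "none")
```

Because the check is a plain substring match, a sandbox that renames its virtual disk and CD-ROM vendor strings defeats it. In this run the check did not stop the sample: the payloads were still dropped and executed.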
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 2180  7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (2 events)
PID 1296  Process not Found (62 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1296  Process not Found

Suspicious behavior: MapViewOfSection (19 IoCs)
PID 2180  7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (1 event)
PID 1296  Process not Found (18 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeShutdownPrivilege  PID 1296  Process not Found (3 events)
Token: SeDebugPrivilege     PID 2676  119F.exe (1 event)

Suspicious use of WriteProcessMemory (64 IoCs)
Grouped by source PID, target PID and procid_target; "writes" is the number of individual events. Target image names are taken from the Processes section.
source PID                  target PID               procid_target  writes
1296 (Process not Found)    2924 (8E6.exe)           30             4
1296 (Process not Found)    2676 (119F.exe)          31             4
1296 (Process not Found)    1264 (1F75.exe)          32             4
1264 (1F75.exe)             2000 (AppLaunch.exe)     34             9
1264 (1F75.exe)             2176 (WerFault.exe)      35             4
1296 (Process not Found)    3044 (explorer.exe)      36             5
1296 (Process not Found)    2956 (explorer.exe)      37             4
1296 (Process not Found)    3020 (explorer.exe)      38             5
1296 (Process not Found)    2080 (explorer.exe)      39             4
1296 (Process not Found)    3068 (explorer.exe)      40             5
1296 (Process not Found)    2360 (explorer.exe)      41             5
1296 (Process not Found)    2336 (explorer.exe)      42             5
1296 (Process not Found)    2348 (explorer.exe)      43             4
1296 (Process not Found)    1856 (explorer.exe)      44             2
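The WriteProcessMemory table on its own is noisy: a parent also writes into every child it starts, so only the pair that is followed by SetThreadContext is the injection. The following is an added example, not part of the report and not the sandbox's detection logic, that correlates the two signatures ("Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory") into one finding. EVENTS is a constructed subset of the report's event lines, IMAGES maps PIDs to the image names shown in the Processes section, and the pattern rule, the HOLLOW_HOSTS list and the function names are this example's own.

```python
"""Added example: correlate WriteProcessMemory and SetThreadContext events
into a process-hollowing finding. EVENTS is a subset of the report's lines;
IMAGES comes from the process tree; the rule itself is this example's own."""
import re
from collections import Counter

EVENTS = """
PID 1296 wrote to memory of 2924 1296 Process not Found 30
PID 1296 wrote to memory of 2924 1296 Process not Found 30
PID 1296 wrote to memory of 2676 1296 Process not Found 31
PID 1296 wrote to memory of 3044 1296 Process not Found 36
PID 1264 wrote to memory of 2000 1264 1F75.exe 34
PID 1264 wrote to memory of 2000 1264 1F75.exe 34
PID 1264 wrote to memory of 2000 1264 1F75.exe 34
PID 1264 wrote to memory of 2176 1264 1F75.exe 35
PID 1264 set thread context of 2000 1264 1F75.exe 34
""".strip().splitlines()

IMAGES = {
    2180: "7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe", 1296: "Process not Found",
    2924: "8E6.exe", 2676: "119F.exe", 1264: "1F75.exe",
    2000: "AppLaunch.exe", 2176: "WerFault.exe", 3044: "explorer.exe",
}

# Signed Microsoft binaries routinely started suspended and hollowed because
# they are trusted and do nothing on their own (this example's own list).
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<image>.+?) (?P<procid_target>\d+)$"
)


def parse_events(lines):
    """-> list of (source_pid, action, target_pid); unparseable lines are skipped."""
    out = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            out.append((int(m["src"]), m["action"], int(m["dst"])))
    return out


def injection_findings(lines, images=IMAGES):
    """Flag (src, dst) pairs that both received memory writes and had a thread
    context set by the same source. Writes alone are not flagged."""
    writes, context_set = Counter(), set()
    for src, action, dst in parse_events(lines):
        if action.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            context_set.add((src, dst))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in context_set:
            continue
        target = images.get(dst, "unknown")
        findings.append({
            "source": f"{src} ({images.get(src, 'unknown')})",
            "target": f"{dst} ({target})",
            "writes": n,
            "trusted_host": target.lower() in HOLLOW_HOSTS,
        })
    return findings


def unflagged_write_targets(lines):
    """PIDs that were written to but never had a context set (left for triage)."""
    flagged = {f["target"].split()[0] for f in injection_findings(lines)}
    return sorted({dst for _, action, dst in parse_events(lines)
                   if action.startswith("wrote") and str(dst) not in flagged})


if __name__ == "__main__":
    for finding in injection_findings(EVENTS):
        print(finding)
    print("written to but not hollowed:", unflagged_write_targets(EVENTS))
```

On the full table the same rule yields exactly one finding, 1F75.exe into AppLaunch.exe, while the writes from PID 1296 into the dropped executables and the explorer.exe instances stay unflagged because no SetThreadContext from 1296 is recorded; those are worth a second look (1296 is also the process that "Deletes itself"), but they are a different pattern.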
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Indentation shows parent and child. 8E6.exe, 119F.exe and 1F75.exe are listed at the top level because the process that wrote into them and started them, PID 1296, has no image name in this report ("Process not Found").

C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe  (PID 2180)
    command line: "C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"
    Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\8E6.exe  (PID 2924)
    command line: C:\Users\Admin\AppData\Local\Temp\8E6.exe
    Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 392)
        command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\119F.exe  (PID 2676)
    command line: C:\Users\Admin\AppData\Local\Temp\119F.exe
    Executes dropped EXE; Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\1F75.exe  (PID 1264)
    command line: C:\Users\Admin\AppData\Local\Temp\1F75.exe
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 2000)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Windows\SysWOW64\WerFault.exe  (PID 2176)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 36
        Loads dropped DLL; Program crash

C:\Windows\SysWOW64\explorer.exe  (PID 3044)
    command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe  (PID 2956)
    command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe  (PID 3020)
    command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe  (PID 2080)
    command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe  (PID 3068)
    command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe  (PID 2360)
    command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe  (PID 2336)
    command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe  (PID 2348)
    command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe  (PID 1856)
    command line: C:\Windows\SysWOW64\explorer.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
Files written during the run, in the report's order. The report repeats the 312KB entry twice, the 1.8MB entry three times and the 2.0MB entry four times with identical hashes and no path; those repeats are collapsed here with the count noted. The first entry, under CryptnetUrlCache\MetaData, is a Windows CryptoAPI URL-cache artifact written when the system fetches a certificate or CRL, not a malware payload, so its hash does not belong on a blocklist. Note also the three very large files (400.5MB and two of 382.3MB): files of that size commonly exceed the upload limits of AV and sandbox services, so expect hash lookups on them to come back empty.

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: ce0e2bb4f22b028bc0a3514356e5777c
  SHA1: a5f30d9988b7f9045b95b24a7ca34b7fb3c7546c
  SHA256: 2b09097f45ff527522444b4cc6b0f1a05be3f31455e83e328e87ff93800dcadb
  SHA512: 2909f26484e076c3255f4c3006be7b1818637cc02842c916b4724faac42b9d30efc243627a500114d5d501ce7f72faac677ec9597cb3096ac4f406d16a29a0d8

(path not given)  listed 2 times
  Filesize: 312KB
  MD5: eabf49a55264bcc12f51bd2710718d3d
  SHA1: f0e82807f27f2a96f925530bf7aabac46a4e7136
  SHA256: ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
  SHA512: 6a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3

(path not given)  listed 4 times
  Filesize: 2.0MB
  MD5: 71ef5fd46955ea0abd7800e7c99cc8b3
  SHA1: a9efdd480409e6b0a626ea6fd9efaf280b20bb75
  SHA256: fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
  SHA512: a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650

(path not given)  listed 3 times
  Filesize: 1.8MB
  MD5: d5c139fe384e12358c394790b740a429
  SHA1: 835188fc822341f9226c13412e00f45d666b85f2
  SHA256: da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
  SHA512: 08c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506

(path not given)
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

(path not given)
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

(path not given)
  Filesize: 400.5MB
  MD5: 87c090f40d40ef12fde9b32bec4dcad6
  SHA1: 429160d85eab381f65c63a23af8d3d02438a2feb
  SHA256: f819d595f2fd195cd625d623d8591dde155c9b19013cb1ebf003fa8e7209cd49
  SHA512: 8540fb591b965250e0936b46a1ac8123ec1f73c95108d4da038587dcc35bc6d82475f9c65448504fe1bf913ecdaef7a6bd7076d8db0901e76164c707d247bc17

(path not given)
  Filesize: 382.3MB
  MD5: fc21ebd1145503fc521e443e026e0305
  SHA1: a62032b3a36b429f8dcc6d2d37763febdc7e968f
  SHA256: 8256fbe1c0c13982d2fe0eae4bf9bb3b61dc0df482553c53ac29118bd6675ae3
  SHA512: 81c6138612cd2ea6c4a5c10eb42a4de27219914f41475466acb3acfe7cb79d0759a9affc09b2c958f2156feb4ed196f94be2b04f057fccf883d68e722fd981e4

(path not given)
  Filesize: 382.3MB
  MD5: e19382e0eded41c442e1e38de98037ce
  SHA1: 3af5ea7120293aabc29f7e7a52237394cfab26dc
  SHA256: 0af75686b97a4e13c4c73957cc756938b6fb13fc2f822fd92b9f1c0e21369c7f
  SHA512: 3e2cd3bb6e9608270dc5fa58f476b71faf5b8edbe6a9af5e72bba45e8e69f0228af089eb92ca2fa5078e5ede5bd4f11faed0abbb78a9cf3b5d3aece680aaeadb