Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-07-2023 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
  Resource: win10v2004-20230703-en
General
Target: 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Size: 163KB
MD5: 7ff07ccc087a7d29c89cfd7fd5eb9f5d
SHA1: 2150a746f78c9648d61a5e6861817408d80296cb
SHA256: 26ee5ecb55714d302e8adcc345fc373abf5eb3189c854922cfca7c3c5c7018fe
SHA512: 5710315d3921799b192fd3c683aff6282ff55a28c1689441f91277bfa5720212546d14a040963f12810aecd76be6e98b63e8de360ec1e7997848c3eac69e9165
SSDEEP: 3072:rri0LnjzU9CSXlwRglQttweek/bOn3fekTBO95wYW:60LnjAxX8WQfY2OvesnYW
Malware Config
Extracted: smokeloader
  summ
Extracted: smokeloader
  2022
  http://stalagmijesarl.com/
  http://ukdantist-sarl.com/
  http://cpcorprotationltd.com/
Extracted: redline
  cc: 94.228.169.160:43800
  auth_value: ec4d19a9dd758ace38b4f5b4a447b048
Extracted: laplas
  http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Extracted: lumma
  gstatic-node.io
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 14 IoCs
resource yara_rule
  behavioral2/memory/404-254-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-256-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-258-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-260-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-262-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-264-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-266-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-268-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-270-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-272-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-274-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-276-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-278-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
  behavioral2/memory/404-280-0x0000000002880000-0x00000000028C2000-memory.dmp family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE 5 IoCs
pid Process
  3668 F0A9.exe
  404 F492.exe
  4136 F9C3.exe
  4308 FEA6.exe
  1456 ntlhost.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" F0A9.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target
  PID 4136 set thread context of 4752 4136 F9C3.exe 101
Program crash 3 IoCs
pid pid_target Process procid_target
  4516 4136 WerFault.exe 99
  4712 4308 WerFault.exe 103
  4312 404 WerFault.exe 98
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
  3876 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (2 entries)
  3180 Process not Found (all remaining entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
  3180 Process not Found
Suspicious behavior: MapViewOfSection 19 IoCs
pid Process
  3876 7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (1 entry)
  3180 Process not Found (all remaining entries)
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process
  Token: SeShutdownPrivilege 3180 Process not Found
  Token: SeCreatePagefilePrivilege 3180 Process not Found
  (the two entries above alternate for 20 of the 21 IoCs)
  Token: SeDebugPrivilege 404 F492.exe
Suspicious use of UnmapMainImage 1 IoCs
pid Process
  3180 Process not Found
Suspicious use of WriteProcessMemory 53 IoCs
description pid Process procid_target (identical entries collapsed, count in parentheses)
  PID 3180 wrote to memory of 3668 3180 Process not Found 97 (x3)
  PID 3180 wrote to memory of 404 3180 Process not Found 98 (x3)
  PID 3180 wrote to memory of 4136 3180 Process not Found 99 (x3)
  PID 4136 wrote to memory of 4752 4136 F9C3.exe 101 (x5)
  PID 3180 wrote to memory of 4308 3180 Process not Found 103 (x3)
  PID 3180 wrote to memory of 1188 3180 Process not Found 105 (x4)
  PID 3180 wrote to memory of 2896 3180 Process not Found 106 (x3)
  PID 3180 wrote to memory of 4120 3180 Process not Found 107 (x4)
  PID 3180 wrote to memory of 1704 3180 Process not Found 108 (x3)
  PID 3180 wrote to memory of 2616 3180 Process not Found 109 (x4)
  PID 3180 wrote to memory of 1388 3180 Process not Found 110 (x4)
  PID 3180 wrote to memory of 4304 3180 Process not Found 111 (x4)
  PID 3180 wrote to memory of 3368 3180 Process not Found 112 (x3)
  PID 3180 wrote to memory of 2408 3180 Process not Found 113 (x4)
  PID 3668 wrote to memory of 1456 3668 F0A9.exe 114 (x3)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe (PID 3876)
  command line: "C:\Users\Admin\AppData\Local\Temp\7ff07ccc087a7d29c89cfd7fd5eb9f5d.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\F0A9.exe (PID 3668)
  command line: C:\Users\Admin\AppData\Local\Temp\F0A9.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1456)
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\F492.exe (PID 404)
  command line: C:\Users\Admin\AppData\Local\Temp\F492.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\WerFault.exe (PID 4312)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1304
      - Program crash
C:\Users\Admin\AppData\Local\Temp\F9C3.exe (PID 4136)
  command line: C:\Users\Admin\AppData\Local\Temp\F9C3.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4752)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    C:\Windows\SysWOW64\WerFault.exe (PID 4516)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 152
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 4888)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4136 -ip 4136
C:\Users\Admin\AppData\Local\Temp\FEA6.exe (PID 4308)
  command line: C:\Users\Admin\AppData\Local\Temp\FEA6.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 4712)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 3468
      - Program crash
C:\Windows\SysWOW64\explorer.exe (PID 1188)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe (PID 2896)
  command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe (PID 4120)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe (PID 1704)
  command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe (PID 2616)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (PID 1388)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe (PID 4304)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe (PID 3368)
  command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe (PID 2408)
  command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe (PID 2828)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4308 -ip 4308
C:\Windows\SysWOW64\WerFault.exe (PID 4160)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 404 -ip 404
Network
MITRE ATT&CK Enterprise v6
Downloads (each dropped file listed once; duplicate entries collapsed)

Filesize: 1.8MB
MD5: d5c139fe384e12358c394790b740a429
SHA1: 835188fc822341f9226c13412e00f45d666b85f2
SHA256: da8b2ceff64640f1ab5c0acd225762994b9830d50a1db77f7da09ca6f4e33a2e
SHA512: 08c7781bfe816ff698e2b7cde8bf4a7c5581a2c7c372d1dc51375af5625b9b4132b380c2a2bdbc028f3ad3a02574baf312d1249acb26abc4585a3bfecc670506

Filesize: 312KB
MD5: eabf49a55264bcc12f51bd2710718d3d
SHA1: f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256: ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA512: 6a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3

Filesize: 2.0MB
MD5: 71ef5fd46955ea0abd7800e7c99cc8b3
SHA1: a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256: fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512: a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650

Filesize: 381KB
MD5: ab9327fce682d578e28456820e0d9baa
SHA1: 48696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA256: 1915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512: dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab

Filesize: 584.4MB
MD5: 7c01f07ed80441df4e2c4918d8dde942
SHA1: 562b63aa843458e7dff96bb69d14a8e362ecb3b5
SHA256: 33aeb365b3d543f954819915e87614f914b93490a9359073ae9e609273bbbf9c
SHA512: 5b258e0958b90f7ae1f7c5debcd51bed93060126e6388774ba0e01c88af5087d75bfc53c8311609359702530fcd8468f69e9782d9dd92fce9d8b2597b09912cd

Filesize: 585.7MB
MD5: d8228f5fa8383a3f31bd93d8a666834d
SHA1: 000a3529d8d6739912ad85985e65768ecde7eaa6
SHA256: 1465dba99aed368d5b78f901118ee6773cb3946308d07f0b5e60485ee6fe050d
SHA512: f4e4dd88efc3c4720931288497b290c19b546af6c4c68ad0bf80ce2db2857b31b16ba5551bf786e0f0e46a367c424b6972744bcb67b5b7c8a570f1e213358ccf