Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
16-07-2023 09:22
General
-
Target
95a2872b960a5ac372c19be5bb2d1f8cb50c75e043841b8862f8e0b0bcb8204a.exe
-
Size
303KB
-
MD5
566a85715428e226f1c5d48ca90b9e15
-
SHA1
f252975240083fd3ce4ff62a059d6dab226dd41d
-
SHA256
95a2872b960a5ac372c19be5bb2d1f8cb50c75e043841b8862f8e0b0bcb8204a
-
SHA512
2d716809dc374f5cc74f58e3ffca09d2bc7bbff8d27eef21ae768b9ee2148592b2572b194323fa64b814734b1a141d9c05db9a060f2c8e1080a566fc16672e4e
-
SSDEEP
3072:phLIBaL3BklS19u655D+kMxqrnRdFe1soM+e5CD9iwlgZDGW:PLIYL3BkgCS5vLejMID9iFG
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Extracted
redline
cc
94.228.169.160:43800
-
auth_value
ec4d19a9dd758ace38b4f5b4a447b048
Extracted
lumma
gstatic-node.io
Signatures
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 24 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a2872b960a5ac372c19be5bb2d1f8cb50c75e043841b8862f8e0b0bcb8204a.exe"C:\Users\Admin\AppData\Local\Temp\95a2872b960a5ac372c19be5bb2d1f8cb50c75e043841b8862f8e0b0bcb8204a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F721.exeC:\Users\Admin\AppData\Local\Temp\F721.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 17562⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\FDE9.exeC:\Users\Admin\AppData\Local\Temp\FDE9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 4162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2636 -ip 26361⤵
-
C:\Users\Admin\AppData\Local\Temp\404.exeC:\Users\Admin\AppData\Local\Temp\404.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 34802⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1408 -ip 14081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3204 -ip 32041⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
381KB
MD5ab9327fce682d578e28456820e0d9baa
SHA148696ea54a5960a3f9bbbf96819a150ad93c33c1
SHA2561915d244bae2707f6531ea7ffc0fb7708f7cafcf2aa354223ea8112064b18eaf
SHA512dcfd05aeb32c42dd9b25c11e214fa7b9aac96c1bdb747ee71487bdce9f58cb6c691bb3266cd3f752b2abd83f9b17d297a767751bf14123dfc14820fb2cb6eaab
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
312KB
MD5eabf49a55264bcc12f51bd2710718d3d
SHA1f0e82807f27f2a96f925530bf7aabac46a4e7136
SHA256ef23ae66bc212bf8e435bf806ff120db2470364f3b7362fe05f48b09df225eed
SHA5126a232ec02136cafc35bfcc7168c4df591dd712c8f89f8f133154796c0754362f4911dc3220089757eef43247116fa1b115a15f0f1ba6f312e96df5e8f3bb89b3
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
2.0MB
MD571ef5fd46955ea0abd7800e7c99cc8b3
SHA1a9efdd480409e6b0a626ea6fd9efaf280b20bb75
SHA256fe20091e32e612a1b5b7043895ddf7d0131a544a6f86d177218645241070f32d
SHA512a5fb7bdb0df383295d35c7e7e73956e8f5061e9ec00e783fa36c8577234be3333bd8d26fd110de08b9809495587fb3f9b79742bd3fb178cf892c88c36a75e650
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
1.9MB
-
Filesize
1.9MB
-
Filesize
340KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
2.0MB
-
Filesize
88KB
-
Filesize
296KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
5.6MB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
264KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1.8MB
-
Filesize
7.7MB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
1.6MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
1.6MB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
64KB
-
Filesize
240KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
36KB