Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15/09/2023, 21:39
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe
Resource
win10v2004-20230915-en
General
-
Target
SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe
-
Size
267KB
-
MD5
24dbebd26b029b6304bed121b5af43c4
-
SHA1
6657d33ab6958b155c67cc12d55647b1b0bc28ad
-
SHA256
9e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
-
SHA512
470559b9db03a1b3c10a6e91a1e03c6b15979a3d754c9f2a5684a06e87a9722bd7929872fa8cb15b8c5f183fead77272e57966095b493a1b608e93130db4ddf8
-
SSDEEP
3072:QXUMeUgFUvuQ+qOsW8gPwI0eNcCOdvriM5vVos1lRLootRbrNpm:OUMeAvuQ+qOsWttcpRriMMIS
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/572-49-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 1660 5242.exe 3852 uhugjdv -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1660 set thread context of 1188 1660 5242.exe 80 PID 1188 set thread context of 572 1188 AddInProcess32.exe 85 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uhugjdv Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uhugjdv Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI uhugjdv -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2088 SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe 2088 SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found 2540 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2540 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2088 SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe 3852 uhugjdv -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeDebugPrivilege 1660 5242.exe Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeDebugPrivilege 1188 AddInProcess32.exe Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found Token: SeDebugPrivilege 572 ilasm.exe Token: SeShutdownPrivilege 2540 Process not Found Token: SeCreatePagefilePrivilege 2540 Process not Found -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 2540 wrote to memory of 1660 2540 Process not Found 78 PID 2540 wrote to memory of 1660 2540 Process not Found 78 PID 2540 wrote to memory of 1660 2540 Process not Found 78 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 1188 1660 5242.exe 80 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 408 1660 5242.exe 81 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 3344 1660 5242.exe 82 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 2488 1660 5242.exe 83 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1660 wrote to memory of 3620 1660 5242.exe 84 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1188 wrote to memory of 572 1188 AddInProcess32.exe 85 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 PID 1660 wrote to memory of 1356 1660 5242.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.Kryptik.KMY.gen.Eldorado.22433.13822.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2088
-
C:\Users\Admin\AppData\Local\Temp\5242.exeC:\Users\Admin\AppData\Local\Temp\5242.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:572
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:408
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:3344
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:2488
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:3620
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵PID:1356
-
-
C:\Users\Admin\AppData\Roaming\uhugjdvC:\Users\Admin\AppData\Roaming\uhugjdv1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4
-
Filesize
505KB
MD53082e7832f7a31397990d4d3ae4c75c9
SHA1769b150e219c7e8d7221f7a0f0ba6ef617fd036d
SHA256716f6379cc32afb03ef2639b14e32b4df5538b99b84dafe355b39f8934e7c740
SHA5128e371f4b075070daf8efb449ab87d923eb4d3cad74d7c9c3d3cef76f43f268c0e4aabe6fa1f801e20ac49e25f9bac70338044fbe9bd408883429ca34fb98ade4
-
Filesize
267KB
MD524dbebd26b029b6304bed121b5af43c4
SHA16657d33ab6958b155c67cc12d55647b1b0bc28ad
SHA2569e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
SHA512470559b9db03a1b3c10a6e91a1e03c6b15979a3d754c9f2a5684a06e87a9722bd7929872fa8cb15b8c5f183fead77272e57966095b493a1b608e93130db4ddf8
-
Filesize
267KB
MD524dbebd26b029b6304bed121b5af43c4
SHA16657d33ab6958b155c67cc12d55647b1b0bc28ad
SHA2569e7c8aea93412acc8d8de3a956e8485a86caf40c626b2abd491bd5404df1bfbb
SHA512470559b9db03a1b3c10a6e91a1e03c6b15979a3d754c9f2a5684a06e87a9722bd7929872fa8cb15b8c5f183fead77272e57966095b493a1b608e93130db4ddf8