Analysis Overview
SHA256
f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2
Threat Level: Known bad
The file f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2 was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-27 23:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-27 23:55
Reported
2023-09-27 23:58
Platform
win10v2004-20230915-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
RedLine
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C61.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2D1D.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3172 wrote to memory of 4844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C61.exe |
| PID 3172 wrote to memory of 4844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C61.exe |
| PID 3172 wrote to memory of 4844 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2C61.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe
"C:\Users\Admin\AppData\Local\Temp\f87ac551ea3ec7a2cac41bad47eee34f2bc2d208a1588a1250087337d64714c2.exe"
C:\Users\Admin\AppData\Local\Temp\2C61.exe
C:\Users\Admin\AppData\Local\Temp\2C61.exe
C:\Users\Admin\AppData\Local\Temp\2D1D.exe
C:\Users\Admin\AppData\Local\Temp\2D1D.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\304B.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\304B.dll
C:\Users\Admin\AppData\Local\Temp\3240.exe
C:\Users\Admin\AppData\Local\Temp\3240.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\3454.exe
C:\Users\Admin\AppData\Local\Temp\3454.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1172 -ip 1172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 368
C:\Users\Admin\AppData\Local\Temp\47CD.exe
C:\Users\Admin\AppData\Local\Temp\47CD.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3454.exe" -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BG | 193.42.32.101:80 | 193.42.32.101 | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 101.32.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
Files
memory/2320-0-0x0000000002190000-0x00000000021A5000-memory.dmp
memory/2320-1-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/2320-2-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2320-3-0x0000000000400000-0x000000000044F000-memory.dmp
memory/3172-4-0x0000000003240000-0x0000000003256000-memory.dmp
memory/2320-5-0x0000000000400000-0x000000000044F000-memory.dmp
memory/2320-9-0x00000000001C0000-0x00000000001C9000-memory.dmp
memory/2320-8-0x0000000002190000-0x00000000021A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2C61.exe
| MD5 | 8c581ea3a1ea8a3792e8a1ce692272c5 |
| SHA1 | 0888e77676d8b9c1d919c3fce1f08053f829349d |
| SHA256 | aebf7862b39cb99fe17f34b7f34cd4badb0ec4b35ab4662b8614a2996e336630 |
| SHA512 | b57c0432da908655a99783b615bb6c2eee46b89b884920cd59b853de5150c9c03f6fb44155b746255247e97afb112495a62a13f793f37f6f2092ab7df9cab1ca |
C:\Users\Admin\AppData\Local\Temp\2D1D.exe
| MD5 | 91bcd7b719ed166914dccdca25b28e14 |
| SHA1 | 2cc7758c97bbe851cadcdbd6a3158358b690d97f |
| SHA256 | 76caf7bc6b371e4caf0b0216d6d04f9497f8c3cec68f6528bae429d2f92c638b |
| SHA512 | 5442042ce0c38637da8e55c65028c8c0392b282776ae206e2bc5e455158f3d69de4ecd43ab79ebb70257a28414afc2c17fdb8390a0902b989ae67257cc0070d0 |
C:\Users\Admin\AppData\Local\Temp\304B.dll
| MD5 | 1ab6c1d7f480fa84080c5ea04328841c |
| SHA1 | 4e98a73776cdb17fcbef5d3c24c2c809443317e0 |
| SHA256 | 71998d732d2df7220d044181117be67b53bc1566d66dcf4a4ace737112915a1f |
| SHA512 | 34766634f8bdb7ea1e2bd64db0719697b1550b854d059f84e0b97ac30cbc8a76b50537459d8845087d5cbcd4f55c2cc344a904b6239630587e204e8a9b7b8fb2 |
C:\Users\Admin\AppData\Local\Temp\3240.exe
| MD5 | e38e0c7603b34e1d6612412537f9ad60 |
| SHA1 | a5c64ee337b723f270912031d6b39a16e118b55b |
| SHA256 | 6b9b65805c8e2e937afd2a1ba7602cbcd80358f2e75e04160e419615e1e1bcdc |
| SHA512 | 9b592034875ebeda47421f7cbd749005a551145aa68c05bade27eed789e26a363fa810df03dad0180327580ca53f6064946511642827f13e8b234f69e9387a5c |
C:\Users\Admin\AppData\Local\Temp\3454.exe
| MD5 | 8a648cfc49900458f2826a9c9ef0c249 |
| SHA1 | 4ccbf306cbf710c888306fb64dd0db8a454b088c |
| SHA256 | 56a70d420ecefd9ecf3103be1e075306abb0af704d28e1aad41756e4287e2a4e |
| SHA512 | 8d55011b881d3aef4200109d4f3dee3bea7dfc89c858ffc7d2a600369e565012f6260085cbeb948a739c0746b5cafd582d83983c1f1b67e3cfb54d992ddffe4a |
memory/1192-28-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4528-33-0x0000000010000000-0x00000000102A9000-memory.dmp
memory/4204-36-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4204-37-0x0000000005270000-0x000000000530C000-memory.dmp
memory/1192-39-0x0000000002B10000-0x0000000002B16000-memory.dmp
memory/4204-34-0x0000000000970000-0x0000000000A10000-memory.dmp
memory/4204-41-0x00000000058C0000-0x0000000005E64000-memory.dmp
memory/4528-40-0x0000000002C00000-0x0000000002C06000-memory.dmp
memory/1192-38-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/4204-42-0x00000000053B0000-0x0000000005442000-memory.dmp
memory/4204-43-0x00000000055C0000-0x00000000055D0000-memory.dmp
memory/4204-44-0x0000000005370000-0x000000000537A000-memory.dmp
memory/4204-46-0x00000000055D0000-0x00000000055F8000-memory.dmp
memory/1192-54-0x00000000052D0000-0x00000000052E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\47CD.exe
| MD5 | dbac035d695ef90ef64a8a1823be1c70 |
| SHA1 | 9149869b57ef67edc3a75b9bc52ba5e8371cb516 |
| SHA256 | 702840d4f81d7624a973d78fb80d57e74486d2026489acbd9b6122b6aecdfab3 |
| SHA512 | 46bb754eb905d2bc7971a7cdd8d805590fe8db79f1c63377f76e9b72f899fbe83d9adf88cb716304f842e52f750826436bc60233b8d82316125ae830be671aa0 |
C:\Users\Admin\AppData\Local\Temp\47CD.exe
| MD5 | 568dde481b816b4d8a6fad212ea3c3ed |
| SHA1 | da944c28e647e6019fdfc6f24950cb961b1e2f36 |
| SHA256 | dd3638e7775aa8c6e29a2f81e7a6eb89beed163fe391483192f4f58c34059580 |
| SHA512 | 3497838fe995d14cb2c346b6a9909c3da3a64740f68454cb4d16d6cd91c3db7211666fa524358c303b7293dfe4a5ac795f94dd2e43c4ac7f4835a47a2862be81 |
memory/3684-57-0x0000000074040000-0x00000000747F0000-memory.dmp
memory/1192-56-0x0000000005320000-0x000000000535C000-memory.dmp
memory/3684-55-0x0000000000B40000-0x00000000011D4000-memory.dmp
memory/1192-51-0x0000000005290000-0x00000000052A2000-memory.dmp
memory/1192-59-0x0000000005360000-0x00000000053AC000-memory.dmp
memory/4204-49-0x0000000005620000-0x000000000563A000-memory.dmp
memory/1192-47-0x00000000053F0000-0x00000000054FA000-memory.dmp
memory/1192-45-0x0000000005900000-0x0000000005F18000-memory.dmp