Analysis
-
max time kernel
206s -
max time network
246s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
13/10/2023, 10:01
General
-
Target
file.exe
-
Size
1.2MB
-
MD5
4a8c24ac955635a139201c1d84d278b5
-
SHA1
c13a1926b55d1446bb46b736776df84424a7dff5
-
SHA256
95b032534407f098cd6afaf8388a08348f7c3ce991059cd65eb66885451018cf
-
SHA512
bef6aa1879f27538a33cb210275420f9ffbf2021e2a764d501bd941812d54ef0879d497dbc4f077e56ccce93c74a1f0a4ddc4f68adae58dc7ba54cd523e83f34
-
SSDEEP
24576:WyAoAMct0ajNNo7uRQAk7jZfi+/PADc99oLNPeN+TDeeu01xJ8rcSb1sz5:lBAMctXNY3jV9/PkI90NY+TqU1kXsz
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Extracted
redline
breha
77.91.124.55:19071
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ7HX48.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WQ7HX48.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LY7SV69.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LY7SV69.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\le2Tz50.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\le2Tz50.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1er22hK0.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1er22hK0.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 5686⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bt3535.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2bt3535.exe5⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3fT23rI.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3fT23rI.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4VD762yN.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4VD762yN.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xF0Jr3.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xF0Jr3.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EA52.tmp\EA53.tmp\EA54.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5xF0Jr3.exe"3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1656 -ip 16561⤵
-
C:\Users\Admin\AppData\Local\Temp\F7DE.exeC:\Users\Admin\AppData\Local\Temp\F7DE.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
1.2MB
MD54d3c24b7d27be63f4758f7260abc2706
SHA1316e3760f3973b78bbd1c23aece719cc364a6ddf
SHA256056c5ab3c05140c67d349473778d07b059ec490bff16786956a21617b3081f95
SHA512b1892f2ae0c2f911c21bdb21602d24d9dfaf12cbe1763409b6c6dc01546392fc311c611d5f404155b04397e24f0d8b16c2f194e35e505b1219076693ce742acc
-
Filesize
1.2MB
MD54d3c24b7d27be63f4758f7260abc2706
SHA1316e3760f3973b78bbd1c23aece719cc364a6ddf
SHA256056c5ab3c05140c67d349473778d07b059ec490bff16786956a21617b3081f95
SHA512b1892f2ae0c2f911c21bdb21602d24d9dfaf12cbe1763409b6c6dc01546392fc311c611d5f404155b04397e24f0d8b16c2f194e35e505b1219076693ce742acc
-
Filesize
98KB
MD5e09dc8c02a3c18cba9b1f84c855b5db6
SHA1356ae83d66baecf6e72c7ffb709c32f3b6c5b5ed
SHA256271efe7ada044340f03cfc7f3f4955bf6215805eaadc29eb49260133c0692117
SHA512d73c9b13ee6c3e44b1ff9e11988762057ab97015d10fa8da4b6b2dd8aa1a356ffd3aecf2eaa5b27c3e8b2015c196b6a1f8b46c98415a703b30d64759181d8463
-
Filesize
98KB
MD5e09dc8c02a3c18cba9b1f84c855b5db6
SHA1356ae83d66baecf6e72c7ffb709c32f3b6c5b5ed
SHA256271efe7ada044340f03cfc7f3f4955bf6215805eaadc29eb49260133c0692117
SHA512d73c9b13ee6c3e44b1ff9e11988762057ab97015d10fa8da4b6b2dd8aa1a356ffd3aecf2eaa5b27c3e8b2015c196b6a1f8b46c98415a703b30d64759181d8463
-
Filesize
1.1MB
MD547f28327b54e30203387d94411ce14aa
SHA14f300271a4cf7b7d23eb079aed0fa3410b0b7c81
SHA2561694b80a0120341d9842ceb53179973db213311e26d796ac8a3d67004409a1d0
SHA512c0f8350d9e990a6261381b47b5e6374af6e17aaa5d80e3d610ee208d3e5798aeca2856087c0498606fcc5942d48859dffeca37d650504b9b6b909b27e4e72948
-
Filesize
1.1MB
MD547f28327b54e30203387d94411ce14aa
SHA14f300271a4cf7b7d23eb079aed0fa3410b0b7c81
SHA2561694b80a0120341d9842ceb53179973db213311e26d796ac8a3d67004409a1d0
SHA512c0f8350d9e990a6261381b47b5e6374af6e17aaa5d80e3d610ee208d3e5798aeca2856087c0498606fcc5942d48859dffeca37d650504b9b6b909b27e4e72948
-
Filesize
1.2MB
MD5c7e934f407ac2df2d175798b7bf10479
SHA1ea0dd1f0253a697aa5fcd21ffca658cff4d5b533
SHA256eb37b948c22a10c325ee2b09a22ecaf10fe29a120eb0daff6db894a3b8ee2cc4
SHA5123cde25e5a5e75ee607629b3a308789153626272462852c82edea3d1fa4fcbba562cdc202b66beb5a3ef85d5ba9298fe1b6915e61cf667128a16f4fa1cf5271e5
-
Filesize
1.2MB
MD5c7e934f407ac2df2d175798b7bf10479
SHA1ea0dd1f0253a697aa5fcd21ffca658cff4d5b533
SHA256eb37b948c22a10c325ee2b09a22ecaf10fe29a120eb0daff6db894a3b8ee2cc4
SHA5123cde25e5a5e75ee607629b3a308789153626272462852c82edea3d1fa4fcbba562cdc202b66beb5a3ef85d5ba9298fe1b6915e61cf667128a16f4fa1cf5271e5
-
Filesize
708KB
MD55779552cc759e8e26cc13d5bbefa0fba
SHA18a74c56a9f86c482c56b8eb6211e47fee5640937
SHA256037762e16cc11708445aa02839820a33e465178e74d26f2c0c76d5c4dd856b40
SHA51234c4505ae703a7bc7e99b728640b864f8bacfda36a4166d4e7601a6ef2f554e17edfad7e0311da67af4441d8679069b01ae2be833156174d41ac1566a8a2acdd
-
Filesize
708KB
MD55779552cc759e8e26cc13d5bbefa0fba
SHA18a74c56a9f86c482c56b8eb6211e47fee5640937
SHA256037762e16cc11708445aa02839820a33e465178e74d26f2c0c76d5c4dd856b40
SHA51234c4505ae703a7bc7e99b728640b864f8bacfda36a4166d4e7601a6ef2f554e17edfad7e0311da67af4441d8679069b01ae2be833156174d41ac1566a8a2acdd
-
Filesize
966KB
MD528ecf44eb598ac3d66b23bd37446af94
SHA1fa5ad2c8e5a60d37ea70bb5c437cee973faee61a
SHA2564ae4214b5ae3d1cb9637cc1a29e3d7c56fe4d5807cf16eaab9d3c4cbc45bc1fe
SHA5122b3decdbd70f903b65f15d4083d6dc794127dd03df0740799257af1c60213f3f925f436b25df32a8e096b811fddb28bf8dfa1cfc08d49fbf245ce75739e33eaf
-
Filesize
966KB
MD528ecf44eb598ac3d66b23bd37446af94
SHA1fa5ad2c8e5a60d37ea70bb5c437cee973faee61a
SHA2564ae4214b5ae3d1cb9637cc1a29e3d7c56fe4d5807cf16eaab9d3c4cbc45bc1fe
SHA5122b3decdbd70f903b65f15d4083d6dc794127dd03df0740799257af1c60213f3f925f436b25df32a8e096b811fddb28bf8dfa1cfc08d49fbf245ce75739e33eaf
-
Filesize
330KB
MD5213b2be572a95324ac8090d03aca5761
SHA1092495ec377476bae19d6426ec64bba7f36a9d59
SHA2565df0942f840ef9f1ff04b87160525d529766b9adaf98409bf254ec61f705f6bf
SHA512c231e793be680cb15b54c5aad0a95c2446d073f8026eca18ebc67b68bd608f8be27046a968049f15c0779b9ce051caee6487879a197d3a1237fdcdcd25f3f601
-
Filesize
330KB
MD5213b2be572a95324ac8090d03aca5761
SHA1092495ec377476bae19d6426ec64bba7f36a9d59
SHA2565df0942f840ef9f1ff04b87160525d529766b9adaf98409bf254ec61f705f6bf
SHA512c231e793be680cb15b54c5aad0a95c2446d073f8026eca18ebc67b68bd608f8be27046a968049f15c0779b9ce051caee6487879a197d3a1237fdcdcd25f3f601
-
Filesize
232KB
MD53ff825411b1fe07e712a5dcae34f80eb
SHA1e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA25669bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81
-
Filesize
232KB
MD53ff825411b1fe07e712a5dcae34f80eb
SHA1e3e4358cabfa74d6e36e26754b01ed78434a6877
SHA25669bba958a5dcd8650921b25d978c4847819eb83adc143ba2bd396811d7d73739
SHA512325c098b5a0a0ffee16a6074616126f9f4c7930b74507d38c63a294f659ab26fe1674af85a8ff495bd268aa821cc9d85f80f11ab1e7f828015920220e456ab81
-
Filesize
180KB
MD53f305144feb3040cf41b216841537ec2
SHA1ae9066cc3b40be6250e7e6a90bcc2de160067b84
SHA25689fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1
SHA512ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e
-
Filesize
180KB
MD53f305144feb3040cf41b216841537ec2
SHA1ae9066cc3b40be6250e7e6a90bcc2de160067b84
SHA25689fec546032f1fc58fb08e79ab626d7e2401a5958b81a928ab5e0c1540e180b1
SHA512ca3993ad5d0a376809e304a49eaf81c8ba3ecbe40e7085573698b1870291034f9bbfdec552b640b32d92b2f0b359f33c40f694f401abaf81d70ab7a6484a798e
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
6.1MB
-
Filesize
248KB
-
Filesize
1.0MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB