Analysis Overview
SHA256
d3423d506c9ccc5f5ec5b4acf13716c4387cdc2d61f34b6a6e47dce65b2c9f2a
Threat Level: Known bad
The file 03d2f72080a0ea3481802a20a4ffdf73.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
SmokeLoader
RedLine payload
Downloads MZ/PE file
Executes dropped EXE
Suspicious use of SetThreadContext
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 01:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 01:00
Reported
2023-12-12 01:03
Platform
win7-20231023-en
Max time kernel
45s
Max time network
72s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9369.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D164.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 928 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9369.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe
"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 100
C:\Users\Admin\AppData\Local\Temp\9369.exe
C:\Users\Admin\AppData\Local\Temp\9369.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 540
C:\Users\Admin\AppData\Local\Temp\D164.exe
C:\Users\Admin\AppData\Local\Temp\D164.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp" /SL5="$60166,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\E9B5.exe
C:\Users\Admin\AppData\Local\Temp\E9B5.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
Files
memory/2692-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2692-1-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2692-3-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2692-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2692-4-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1272-5-0x0000000002B20000-0x0000000002B36000-memory.dmp
memory/2692-6-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9369.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
memory/1304-16-0x0000000000260000-0x000000000029C000-memory.dmp
memory/1304-21-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D164.exe
| MD5 | 73075bb46dd559a93e9311f599f65cbc |
| SHA1 | 7722b40dd1b2cee17b1203ba581e520431e738a0 |
| SHA256 | 98465655cfe205e9803f088fe020495c8be141679bb4481c0be7ee4e095a4051 |
| SHA512 | 33635c08c8b801acd9fcf3edad6b9f293007d89bc9d1ae52aee83b8a76820ff49887f5a99c7a8ef649c9077a9ddfe3c1d9711035a36ec8e7f1eafb83f49f427d |
C:\Users\Admin\AppData\Local\Temp\D164.exe
| MD5 | 05403a1b38575dead8a2d413317e3a88 |
| SHA1 | 592abbfe69efda4d1b3f6e46019024f5a7492770 |
| SHA256 | 88bce2bf1eaf52ff62dd873a3f1e241575203c44caf6565ee8fccd60db1e2bb3 |
| SHA512 | 27c37d2f4279a372a4f2dcfe141addb1b3ca57eb6fb716260b658b84377d6b99e759312cfbd152d1f41c5fa1e41c70ef4d972f23e9a592d9733070c593073ebe |
memory/2780-27-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/2780-28-0x0000000001140000-0x00000000025F6000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 9a3deab8b2777314e2207b7dbec91ad6 |
| SHA1 | 56162725a3952213e532d6c4e0771e7b8beba295 |
| SHA256 | 3172d0285972f3d86aeae6e16a11a1e9708ae33ba89c27ee0c20609a0f606df7 |
| SHA512 | e8a3be739f7f3fc9396d7e5403ee9d225594b9be84d1c06a3a0b8b837b1d00e84a2fc7c7250a0a2c594e02fd4082e8538a2b12683fee45a8823bb322b455dca6 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | a41b265046239f236829289655a78fc3 |
| SHA1 | c16eff012bee466f722510df16d6d56cb8afc6dc |
| SHA256 | 9cb727015aa35c1f557e588a07bb5818a1d2f00205dff0909f18509e74b8e4bd |
| SHA512 | 42ff8dcc0366c063bfb890e62b441037e52d49c4b39f11f622dabf35aab36c49ee0b3a8c9949f96db37f72a1ffe861177194198a54aead2613ff46fc9c98d525 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 378790459af1e3333bc24ebe31a4dced |
| SHA1 | 3d21fb2e18e8d2c686544e24384164087e615185 |
| SHA256 | 1259a672eda1032af851a3df421d78219ca414828edcc463dce1fcf825a34c5a |
| SHA512 | 5d7db3bb482fa3461d64719b57cd9f1212defca7cba78540c05086c4d6fed0991b901d806c968087b32efb79a4d0244a1e4c3a3d18bd887bbffc3b76952ada4a |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 98b1f343c04fdde7ac49613ebe997735 |
| SHA1 | 2b521fa94f44c737425fdd863aec1674fdeeac17 |
| SHA256 | f35a784211a72925373e7f8024ec8042c4da2a26ffade4714665529aceed8acb |
| SHA512 | 05f1e7b44673614a093d64e72da6aedf8ce852e16ee2d33a92090dc7d60eafcb8ee1d231238012e93c533a5fe276dabc22d9008e3979bb28b56eb9b92e0ab50a |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 3f8d1fadbc3794847dbcae248bfb5935 |
| SHA1 | 3d867cab3f038652dae56ca98f7a2a7b4135cf1f |
| SHA256 | 37bfb9c8f98d98ca7c36fc35a693b5964c9303f24ada66149b65064646605ad3 |
| SHA512 | 0158b8dea7f5da49919a3d94675e360920ab3242e836c077a3fc69273bb8e02b640eb1799b756e737a367020c57504f23b5991d249ac1a36c92854a8b66f6fdb |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | af353329023d74cf5cc9e41f08554798 |
| SHA1 | 63271e362591a464582357fd99d43e285e7615af |
| SHA256 | 3d4b7aa79b529dc9852e073435690158c73bd5c3864d21783457a613b07e7765 |
| SHA512 | 9a5df52beb42090c6ebd10110866d78e7e37ecdacbc9bd291d6c490f4e2deebf2e90c80154eeddafc151022121c866f68c2e9fb3fe785aa79b9ac3a310564826 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 65c10b390b9b05a44025b9e87f016444 |
| SHA1 | 2e65c0a64a1fdc2514502d4fcf069a96ca0145c3 |
| SHA256 | 0f3c5fe959c3ca971946e1bae5b62729473bf2f73bc4a55449baca1e468001e7 |
| SHA512 | 7c6528df9731813f48ab1c995e142af746f06a7dfe26d9bbb1f6227b0a2e36f77009c757f25355373dc7d2fe1fc1e077fa22f7315f70bee8a0e6f6e670344f98 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 4999943e9d53cf64cd9ff86ff2128c90 |
| SHA1 | 7ecaec803a5e12e48245a57ecfd6cc310dae6ce0 |
| SHA256 | 514cf5ad04f42be7695e6e26c0faf5b094fb619665562191bd533c7f69a3f548 |
| SHA512 | d1c6c338de13e1dd99ce119f1866eba8ac68a827b60ac25b8685ebbd7947622298d9b6582c291cb85e38d88e20a9c4ecd6aa2be1e4674af89e5c2345486b6714 |
memory/2560-61-0x00000000025B0000-0x00000000029A8000-memory.dmp
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | d2efa3c7fd7e4946752f02745374d813 |
| SHA1 | 6a74b2c1475f1b9ad9271ea01bede7cb727c7325 |
| SHA256 | 6908c264fa12e2991773e83ed4191ded57f1ce50571cbe7afbbb899f6b70c71a |
| SHA512 | 3ce24d4c38b4182fd1c45f64686b7f5f33c459c9775213f941574178101e3dfeeef62fa82a45c3682000d41eff8060a60de25f1ec782fe37fc97d00064229787 |
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | ef788256d06cfc54a920aaaa94ce81c9 |
| SHA1 | db80fb56f8f1bc5c02c72fd4260e11f6c57ddfff |
| SHA256 | 6a52ae44e20e9504df6cc77602b82a2999fad7f7cdbfee984cddc52c8aeb84f0 |
| SHA512 | 45d5e1ea79c699aa947093643f28c7e9e8887e1020d0864eadb480a049491a29d2543f1a05b1745d97636b99d3d4f2f9c8d5ac7401e4224c9aec14d6b0763ede |
memory/1672-68-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 5a89dfff9f1bb271c840557d321c39b3 |
| SHA1 | 3bedf0a5b79fa7b5f6ff91b98a1cec97882064ae |
| SHA256 | d67215286072a8b22b968021c1f52ce1d32a1e777f3665a9c1316b64caec9c50 |
| SHA512 | fadd2e5d0a49054fd339a62003ea2da00aa279d67957cf9c6f704c2a50124521d6ed87e443b23fcb055ebcb2626b352e564950dab778112c303080b025e00791 |
memory/2608-62-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | aeaf504220d32ea83499e859e3e23cba |
| SHA1 | 615d1f7b1542509417355ae6d7d257cdfe20505f |
| SHA256 | f8b99a238903864600c0abbd51be90749226d5eab5b7b78ac2cd076344656593 |
| SHA512 | c5bd4bc001baa442127545510d9c6f0d6384a8b337e5c47e22f93465c9cce9efcd245fcff503fce1600abf68b59e74e44c1891ab9623d93d0d9960ca0135f32f |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 69703ec573166055f9f5b1b5fbd0ed57 |
| SHA1 | c1e693627e9c82830e328e2625b8fb98d3a545f9 |
| SHA256 | 40ba219077d3392b1e362f2597f9a397c34832860745fef062c074aa43206c44 |
| SHA512 | 9e7998890ec815e52489aa0cd023ea21af348857798c93e1471b9e09f783df2d56db5e21c83baf5622a55cab80f859b5d771ea49a0130697a8d33460276a2dbc |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 980cfdef3e29ec1760acf92746c37ef8 |
| SHA1 | 48afdb8fb2e7066a9539e27a80cd843ed287f261 |
| SHA256 | de297fc6213b2ef871a443e6d824f9dea6015ec06c3bfea2044c68d278bcb560 |
| SHA512 | 311f909fcf477b0d76f1874a6a0b50389c8f8764033a2fd08bf19287628d2dd29c7b21d80751439ef50df7d0aeb1a6054f962e55449ff05c7b967ee11083e0f7 |
memory/2560-79-0x00000000025B0000-0x00000000029A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2560-93-0x00000000029B0000-0x000000000329B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/2900-95-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2780-94-0x0000000073A80000-0x000000007416E000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp
| MD5 | 22edfa50a5c504ac9bfb579da46bb400 |
| SHA1 | 70f290181d6de3967e6375e1f7ece70aacd8c484 |
| SHA256 | 0ee5f29cf4cdb99ec6bde83a18b6d168fbd89edebe8de1db79560013b949e79d |
| SHA512 | d9adc82bd04014ccf54830108035aad6a9b71e073ae8f17ba322d192261a5b76bf8417ba10f0443eed6129872b21ff6807f61e48f15dd40d1f768f94cdfe0135 |
\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2560-109-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9B5.exe
| MD5 | c0d88f8aae28dc804d20c32e26c18f68 |
| SHA1 | e092cbd6b47608e9989a44eac6b47483a2374cd4 |
| SHA256 | fc654a2433da195fef503a5b101354d4658e5db491da80faca398f20c4ac0019 |
| SHA512 | 8473dc64a49d9d22b99c87c6b9d1d0f01483a123e09f6e632bd2797d905d9084732cdda6a7c70fb667ae0922ebc1c9e96f85b9848abf609f927c06a36b07f725 |
memory/2328-116-0x0000000000340000-0x0000000000834000-memory.dmp
memory/2328-117-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9B5.exe
| MD5 | 8f84e4ed48a6c3c205dc51e8b513938b |
| SHA1 | 4d50ae872410696e6cd35e930b68f16499c6d298 |
| SHA256 | b8463101d88896fde8433a3df51619ae074741d0935ea33ef215e96d399fceb9 |
| SHA512 | 69b835dbcf9c593aeb11eccf8bc9c99a25a8bc49f31c01f5936d0314a2d14ba151ba907f54623c6f27026fa133916f31823af8539fa1eb56e6d32402e12e7350 |
memory/2328-118-0x0000000004D90000-0x0000000004DD0000-memory.dmp
memory/2360-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2928-123-0x0000000000880000-0x0000000000980000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 28723608bad04c4b3d370ceb46b6949a |
| SHA1 | 8f3d50b5e1eab8780208ebbdb9b601af77b32c99 |
| SHA256 | 8623ba5b5103b9dbfe99a13c8f65660c3116084f903fb9d3722f8e9efc039786 |
| SHA512 | 7a2b4ae3441507adbbbb217d906713c57b0e55642f546bf52965adf90db56647f5a460b501b66649a266de797874541af045e92fe2bb95bb684fad97003da105 |
memory/2360-133-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1996-134-0x0000000000380000-0x00000000003BC000-memory.dmp
memory/1996-132-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EDDB.exe
| MD5 | 48b54acea6033933f795d7f176d9c709 |
| SHA1 | ffc789d34e225ba7d543e25403bc995ea6efc2f0 |
| SHA256 | a27d6fb30cbf5adc37bb22e39447be83bd137eadbc5e844823f917e3628c3c7d |
| SHA512 | 723aa2cdc537acd545e4c8b2d7ab1454d87304e2ccfd4886bfb3f537820a99c5252e0c320241b97608fec08124f491f4afe05560c82ea9ef057427da1f57b4e5 |
memory/2608-135-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1996-136-0x00000000072C0000-0x0000000007300000-memory.dmp
memory/2360-128-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2928-127-0x0000000000220000-0x0000000000229000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 01:00
Reported
2023-12-12 01:03
Platform
win10v2004-20231127-en
Max time kernel
41s
Max time network
70s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4BE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3F95.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3348 set thread context of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe
"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3348 -ip 3348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 320
C:\Users\Admin\AppData\Local\Temp\4BE.exe
C:\Users\Admin\AppData\Local\Temp\4BE.exe
C:\Users\Admin\AppData\Local\Temp\3F95.exe
C:\Users\Admin\AppData\Local\Temp\3F95.exe
C:\Users\Admin\AppData\Local\Temp\46F9.exe
C:\Users\Admin\AppData\Local\Temp\46F9.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| US | 8.8.8.8:53 | 96.198.221.185.in-addr.arpa | udp |
Files
memory/776-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/776-1-0x0000000000400000-0x000000000040B000-memory.dmp
memory/776-3-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3240-2-0x00000000031D0000-0x00000000031E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4BE.exe
| MD5 | 9f1265c20060a18b398fa1cc9eecd74f |
| SHA1 | ed932cffcbeb7820e541f3751c4e835b3d72695d |
| SHA256 | 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e |
| SHA512 | 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9 |
C:\Users\Admin\AppData\Local\Temp\3F95.exe
| MD5 | 9433abba5fafdac018eaf7b73190457a |
| SHA1 | faeebec1274bcb6c33a587281a9bfa9b94924ce4 |
| SHA256 | 83f30cb09d52c611c5d8f62d77e636232634cce30e6407157dc027467468bfa8 |
| SHA512 | e0f374dc5d3f7b73cc557e74e6d94bda136656ee6949fa856f49bff924b532780075a6e57661659d73ecc1cb700348a57747d45f09643d5e29d5b0f266865d69 |
C:\Users\Admin\AppData\Local\Temp\3F95.exe
| MD5 | 1b78b7a9fc990cf3dbd6471c1c671ba1 |
| SHA1 | 8d081ef1e4a8479b146cfdecaacbc9f995f235a8 |
| SHA256 | 37211afa4ea109300f981b936d6a5420c64dd15304d9a10e13a63d7b1e456329 |
| SHA512 | 8f47ac5fa6de0ec560816daf6a57c8eccbfcfdf897df4dcdf10493ae78f77e8ac5e4405b9e573a05f55e793cfa70ebf9854a74b1bddf16eb55cca853dca571a5 |
memory/3424-17-0x00000000745C0000-0x0000000074D70000-memory.dmp
memory/3424-18-0x0000000000AC0000-0x0000000001F76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\46F9.exe
| MD5 | d5efa425b6e8578f23bc4ee86d4f136a |
| SHA1 | 8d6e40b04d9e4143f6df8a4877efc692d9e7dada |
| SHA256 | 949f66a869fc4c8fce0b38e681082baa0940440b51d476130d60be83e18cac80 |
| SHA512 | 0090022056805286f8374849d67d4a84e4f63ad478227d40a8d30ceb2b3e17538085e08078c0a905603c94788f05b39a5d4e6b368e8ec782f928154c62149e15 |
C:\Users\Admin\AppData\Local\Temp\46F9.exe
| MD5 | 8694b4aff34b911a1562dc084e25b2c1 |
| SHA1 | 4f3082ba74d65d850f64b2379802b910a653fd22 |
| SHA256 | 98fb49a4252c3430494e7f96baa05ab61320661dc80c4a3b697e20e43741d56f |
| SHA512 | 5f0424800cd16490bcc00ce1aeb6fbaf34fe69ad234a28385dda5912b959b9e8552c3e7026299548a6e2d2ac62e606e466b65311ebda97f2ede9756be2bb5afc |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | f0823d70f95e183fc54bcc37c81d95f2 |
| SHA1 | 22c7fd5d5ccaeb0938e14c20d986b2943c4985c0 |
| SHA256 | e633cda88724ae9ba9b0d1d20c8dc685a3f88bd7b38e8b37476b5e2882ceedda |
| SHA512 | 26f1e61ecc64faf73ccab6d81b7af18d977b049bab2ced2fd6417ace6d8ec65133640439185e81eec4ad23c8cc047f4633fba0922d7a7dd5ce954565513f3d85 |
memory/2296-32-0x0000000000220000-0x0000000000714000-memory.dmp
memory/2296-31-0x00000000745C0000-0x0000000074D70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c9a8682dff510474e0868acc20fa0ebc |
| SHA1 | 8bd69bf3ab65987be7315b4bda3e09cea47f7ad5 |
| SHA256 | 89353c95c774d990df898f0881c29cfe942db6f9c19b60ad529f3e143d5ca66d |
| SHA512 | 5989d47d4d5cad0eee18e4fcd990f5801f4284c4963f5827f49e1dcefd938afbf93a3dc2f74493529b7359f9be35b247abc6311177d8c8eb6ef27ac621ad2c6c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 4daa18ed9f7d7f4c16c028d022005bb5 |
| SHA1 | eee414d2c743c9c16eb2662f64065d52ce1547fc |
| SHA256 | 0963d0bc3c1bb2f1a134abfde4bdac4a168564ac624d8e44e0d2408b5e1d52bc |
| SHA512 | fce9b67fe7320e0961e1a31f153fc30b56637dd56cc0f80a01ba9cadbdcaf828db6b5aa0fc0f02a589079ccb779b11d2c4377a7c10a3bbb2e8372a55cce29341 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 5dd44d0509871eec95c758d40f525d79 |
| SHA1 | 73d493c6884b96f179180e5850d6334a7814c930 |
| SHA256 | fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282 |
| SHA512 | ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a |
memory/2296-44-0x0000000005020000-0x00000000050B2000-memory.dmp
memory/2296-49-0x0000000005270000-0x000000000530C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\49B9.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a9f3e923bcb6de7761cfe1109361041c |
| SHA1 | 495e64bebdd0d6250da9afe4325e0a35c8f57eeb |
| SHA256 | eb796a508341ac939ffd9f91a43966c1e500c330dc65803742d665a5720521cc |
| SHA512 | 86c02a95a955ef81de23d6d9b89ddcd8a9770f9934b7107f49ad0127eeea4513fc81d1158598ab4fb72bad244196baed53f26fa9e3f2a3f7a736844b8a794c8f |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 2b318e46106f08179388e1ca7ffcf3b8 |
| SHA1 | 564d0f3f1970cbdb0e9686da84ca0a332182dbb5 |
| SHA256 | 98541844097eb48f78a0a594a8e5e22db7ba3d75b71c8f511eddbc4c5b2c5c46 |
| SHA512 | 3f26e703a999558c169d106224f1cdbab4ccc10b6db4d992b89874dde22c510b3b3fca7ee1c6bdd5121b1ed38e028f654fc05b9cdabc4f1d73f86ddf65d1e119 |
memory/2296-64-0x0000000005260000-0x0000000005270000-memory.dmp