Malware Analysis Report

2025-03-15 05:01

Sample ID 231212-bc36tadec3
Target 03d2f72080a0ea3481802a20a4ffdf73.bin
SHA256 d3423d506c9ccc5f5ec5b4acf13716c4387cdc2d61f34b6a6e47dce65b2c9f2a
Tags: redline smokeloader @oleh_ps livetraffic up3 backdoor infostealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256 d3423d506c9ccc5f5ec5b4acf13716c4387cdc2d61f34b6a6e47dce65b2c9f2a

Threat Level: Known bad

The file 03d2f72080a0ea3481802a20a4ffdf73.bin was found to be: Known bad.

Malicious Activity Summary

redline smokeloader @oleh_ps livetraffic up3 backdoor infostealer trojan

RedLine

SmokeLoader

RedLine payload

Downloads MZ/PE file

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-12 01:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-12 01:00

Reported: 2023-12-12 01:03

Platform: win7-20231023-en

Max time kernel: 45s

Max time network: 72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9369.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D164.exe | N/A | 1

Suspicious use of SetThreadContext

Description | Indicator | Process | Target | Count
PID 928 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 1

Checks SCSI registry key(s)

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeShutdownPrivilege | N/A | N/A | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 928 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 10
PID 928 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\SysWOW64\WerFault.exe | 4
PID 1272 wrote to memory of 1304 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9369.exe | 4
PID 1304 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\9369.exe | C:\Windows\SysWOW64\WerFault.exe | 4
PID 1272 wrote to memory of 2780 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D164.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe

"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 100

C:\Users\Admin\AppData\Local\Temp\9369.exe

C:\Users\Admin\AppData\Local\Temp\9369.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 540

C:\Users\Admin\AppData\Local\Temp\D164.exe

C:\Users\Admin\AppData\Local\Temp\D164.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp" /SL5="$60166,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\E9B5.exe

C:\Users\Admin\AppData\Local\Temp\E9B5.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

Network

Country | Destination | Domain | Proto
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
FR | 185.221.198.96:80 | 185.221.198.96 | tcp

Files

memory/2692-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2692-1-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2692-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2692-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2692-4-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1272-5-0x0000000002B20000-0x0000000002B36000-memory.dmp

memory/2692-6-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9369.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/1304-16-0x0000000000260000-0x000000000029C000-memory.dmp

memory/1304-21-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D164.exe

MD5 73075bb46dd559a93e9311f599f65cbc
SHA1 7722b40dd1b2cee17b1203ba581e520431e738a0
SHA256 98465655cfe205e9803f088fe020495c8be141679bb4481c0be7ee4e095a4051
SHA512 33635c08c8b801acd9fcf3edad6b9f293007d89bc9d1ae52aee83b8a76820ff49887f5a99c7a8ef649c9077a9ddfe3c1d9711035a36ec8e7f1eafb83f49f427d

C:\Users\Admin\AppData\Local\Temp\D164.exe

MD5 05403a1b38575dead8a2d413317e3a88
SHA1 592abbfe69efda4d1b3f6e46019024f5a7492770
SHA256 88bce2bf1eaf52ff62dd873a3f1e241575203c44caf6565ee8fccd60db1e2bb3
SHA512 27c37d2f4279a372a4f2dcfe141addb1b3ca57eb6fb716260b658b84377d6b99e759312cfbd152d1f41c5fa1e41c70ef4d972f23e9a592d9733070c593073ebe

memory/2780-27-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2780-28-0x0000000001140000-0x00000000025F6000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 9a3deab8b2777314e2207b7dbec91ad6
SHA1 56162725a3952213e532d6c4e0771e7b8beba295
SHA256 3172d0285972f3d86aeae6e16a11a1e9708ae33ba89c27ee0c20609a0f606df7
SHA512 e8a3be739f7f3fc9396d7e5403ee9d225594b9be84d1c06a3a0b8b837b1d00e84a2fc7c7250a0a2c594e02fd4082e8538a2b12683fee45a8823bb322b455dca6

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 a41b265046239f236829289655a78fc3
SHA1 c16eff012bee466f722510df16d6d56cb8afc6dc
SHA256 9cb727015aa35c1f557e588a07bb5818a1d2f00205dff0909f18509e74b8e4bd
SHA512 42ff8dcc0366c063bfb890e62b441037e52d49c4b39f11f622dabf35aab36c49ee0b3a8c9949f96db37f72a1ffe861177194198a54aead2613ff46fc9c98d525

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 378790459af1e3333bc24ebe31a4dced
SHA1 3d21fb2e18e8d2c686544e24384164087e615185
SHA256 1259a672eda1032af851a3df421d78219ca414828edcc463dce1fcf825a34c5a
SHA512 5d7db3bb482fa3461d64719b57cd9f1212defca7cba78540c05086c4d6fed0991b901d806c968087b32efb79a4d0244a1e4c3a3d18bd887bbffc3b76952ada4a

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 98b1f343c04fdde7ac49613ebe997735
SHA1 2b521fa94f44c737425fdd863aec1674fdeeac17
SHA256 f35a784211a72925373e7f8024ec8042c4da2a26ffade4714665529aceed8acb
SHA512 05f1e7b44673614a093d64e72da6aedf8ce852e16ee2d33a92090dc7d60eafcb8ee1d231238012e93c533a5fe276dabc22d9008e3979bb28b56eb9b92e0ab50a

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3f8d1fadbc3794847dbcae248bfb5935
SHA1 3d867cab3f038652dae56ca98f7a2a7b4135cf1f
SHA256 37bfb9c8f98d98ca7c36fc35a693b5964c9303f24ada66149b65064646605ad3
SHA512 0158b8dea7f5da49919a3d94675e360920ab3242e836c077a3fc69273bb8e02b640eb1799b756e737a367020c57504f23b5991d249ac1a36c92854a8b66f6fdb

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 af353329023d74cf5cc9e41f08554798
SHA1 63271e362591a464582357fd99d43e285e7615af
SHA256 3d4b7aa79b529dc9852e073435690158c73bd5c3864d21783457a613b07e7765
SHA512 9a5df52beb42090c6ebd10110866d78e7e37ecdacbc9bd291d6c490f4e2deebf2e90c80154eeddafc151022121c866f68c2e9fb3fe785aa79b9ac3a310564826

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 65c10b390b9b05a44025b9e87f016444
SHA1 2e65c0a64a1fdc2514502d4fcf069a96ca0145c3
SHA256 0f3c5fe959c3ca971946e1bae5b62729473bf2f73bc4a55449baca1e468001e7
SHA512 7c6528df9731813f48ab1c995e142af746f06a7dfe26d9bbb1f6227b0a2e36f77009c757f25355373dc7d2fe1fc1e077fa22f7315f70bee8a0e6f6e670344f98

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 4999943e9d53cf64cd9ff86ff2128c90
SHA1 7ecaec803a5e12e48245a57ecfd6cc310dae6ce0
SHA256 514cf5ad04f42be7695e6e26c0faf5b094fb619665562191bd533c7f69a3f548
SHA512 d1c6c338de13e1dd99ce119f1866eba8ac68a827b60ac25b8685ebbd7947622298d9b6582c291cb85e38d88e20a9c4ecd6aa2be1e4674af89e5c2345486b6714

memory/2560-61-0x00000000025B0000-0x00000000029A8000-memory.dmp

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 d2efa3c7fd7e4946752f02745374d813
SHA1 6a74b2c1475f1b9ad9271ea01bede7cb727c7325
SHA256 6908c264fa12e2991773e83ed4191ded57f1ce50571cbe7afbbb899f6b70c71a
SHA512 3ce24d4c38b4182fd1c45f64686b7f5f33c459c9775213f941574178101e3dfeeef62fa82a45c3682000d41eff8060a60de25f1ec782fe37fc97d00064229787

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 ef788256d06cfc54a920aaaa94ce81c9
SHA1 db80fb56f8f1bc5c02c72fd4260e11f6c57ddfff
SHA256 6a52ae44e20e9504df6cc77602b82a2999fad7f7cdbfee984cddc52c8aeb84f0
SHA512 45d5e1ea79c699aa947093643f28c7e9e8887e1020d0864eadb480a049491a29d2543f1a05b1745d97636b99d3d4f2f9c8d5ac7401e4224c9aec14d6b0763ede

memory/1672-68-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 5a89dfff9f1bb271c840557d321c39b3
SHA1 3bedf0a5b79fa7b5f6ff91b98a1cec97882064ae
SHA256 d67215286072a8b22b968021c1f52ce1d32a1e777f3665a9c1316b64caec9c50
SHA512 fadd2e5d0a49054fd339a62003ea2da00aa279d67957cf9c6f704c2a50124521d6ed87e443b23fcb055ebcb2626b352e564950dab778112c303080b025e00791

memory/2608-62-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 aeaf504220d32ea83499e859e3e23cba
SHA1 615d1f7b1542509417355ae6d7d257cdfe20505f
SHA256 f8b99a238903864600c0abbd51be90749226d5eab5b7b78ac2cd076344656593
SHA512 c5bd4bc001baa442127545510d9c6f0d6384a8b337e5c47e22f93465c9cce9efcd245fcff503fce1600abf68b59e74e44c1891ab9623d93d0d9960ca0135f32f

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 69703ec573166055f9f5b1b5fbd0ed57
SHA1 c1e693627e9c82830e328e2625b8fb98d3a545f9
SHA256 40ba219077d3392b1e362f2597f9a397c34832860745fef062c074aa43206c44
SHA512 9e7998890ec815e52489aa0cd023ea21af348857798c93e1471b9e09f783df2d56db5e21c83baf5622a55cab80f859b5d771ea49a0130697a8d33460276a2dbc

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 980cfdef3e29ec1760acf92746c37ef8
SHA1 48afdb8fb2e7066a9539e27a80cd843ed287f261
SHA256 de297fc6213b2ef871a443e6d824f9dea6015ec06c3bfea2044c68d278bcb560
SHA512 311f909fcf477b0d76f1874a6a0b50389c8f8764033a2fd08bf19287628d2dd29c7b21d80751439ef50df7d0aeb1a6054f962e55449ff05c7b967ee11083e0f7

memory/2560-79-0x00000000025B0000-0x00000000029A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2560-93-0x00000000029B0000-0x000000000329B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/2900-95-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2780-94-0x0000000073A80000-0x000000007416E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-57LMV.tmp\tuc3.tmp

MD5 22edfa50a5c504ac9bfb579da46bb400
SHA1 70f290181d6de3967e6375e1f7ece70aacd8c484
SHA256 0ee5f29cf4cdb99ec6bde83a18b6d168fbd89edebe8de1db79560013b949e79d
SHA512 d9adc82bd04014ccf54830108035aad6a9b71e073ae8f17ba322d192261a5b76bf8417ba10f0443eed6129872b21ff6807f61e48f15dd40d1f768f94cdfe0135

\Users\Admin\AppData\Local\Temp\is-MUQJG.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2560-109-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9B5.exe

MD5 c0d88f8aae28dc804d20c32e26c18f68
SHA1 e092cbd6b47608e9989a44eac6b47483a2374cd4
SHA256 fc654a2433da195fef503a5b101354d4658e5db491da80faca398f20c4ac0019
SHA512 8473dc64a49d9d22b99c87c6b9d1d0f01483a123e09f6e632bd2797d905d9084732cdda6a7c70fb667ae0922ebc1c9e96f85b9848abf609f927c06a36b07f725

memory/2328-116-0x0000000000340000-0x0000000000834000-memory.dmp

memory/2328-117-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9B5.exe

MD5 8f84e4ed48a6c3c205dc51e8b513938b
SHA1 4d50ae872410696e6cd35e930b68f16499c6d298
SHA256 b8463101d88896fde8433a3df51619ae074741d0935ea33ef215e96d399fceb9
SHA512 69b835dbcf9c593aeb11eccf8bc9c99a25a8bc49f31c01f5936d0314a2d14ba151ba907f54623c6f27026fa133916f31823af8539fa1eb56e6d32402e12e7350

memory/2328-118-0x0000000004D90000-0x0000000004DD0000-memory.dmp

memory/2360-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-123-0x0000000000880000-0x0000000000980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 28723608bad04c4b3d370ceb46b6949a
SHA1 8f3d50b5e1eab8780208ebbdb9b601af77b32c99
SHA256 8623ba5b5103b9dbfe99a13c8f65660c3116084f903fb9d3722f8e9efc039786
SHA512 7a2b4ae3441507adbbbb217d906713c57b0e55642f546bf52965adf90db56647f5a460b501b66649a266de797874541af045e92fe2bb95bb684fad97003da105

memory/2360-133-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1996-134-0x0000000000380000-0x00000000003BC000-memory.dmp

memory/1996-132-0x0000000073A80000-0x000000007416E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDDB.exe

MD5 48b54acea6033933f795d7f176d9c709
SHA1 ffc789d34e225ba7d543e25403bc995ea6efc2f0
SHA256 a27d6fb30cbf5adc37bb22e39447be83bd137eadbc5e844823f917e3628c3c7d
SHA512 723aa2cdc537acd545e4c8b2d7ab1454d87304e2ccfd4886bfb3f537820a99c5252e0c320241b97608fec08124f491f4afe05560c82ea9ef057427da1f57b4e5

memory/2608-135-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1996-136-0x00000000072C0000-0x0000000007300000-memory.dmp

memory/2360-128-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2928-127-0x0000000000220000-0x0000000000229000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-12 01:00

Reported: 2023-12-12 01:03

Platform: win10v2004-20231127-en

Max time kernel: 41s

Max time network: 70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 1

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4BE.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3F95.exe | N/A | 1

Suspicious use of SetThreadContext

Description | Indicator | Process | Target | Count
PID 3348 set thread context of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 1

Checks SCSI registry key(s)

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 2
N/A | N/A | N/A | N/A | 62

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 3348 wrote to memory of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 6
PID 3240 wrote to memory of 3348 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4BE.exe | 3
PID 3240 wrote to memory of 3424 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3F95.exe | 3

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe

"C:\Users\Admin\AppData\Local\Temp\03d2f72080a0ea3481802a20a4ffdf73.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3348 -ip 3348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 320

C:\Users\Admin\AppData\Local\Temp\4BE.exe

C:\Users\Admin\AppData\Local\Temp\4BE.exe

C:\Users\Admin\AppData\Local\Temp\3F95.exe

C:\Users\Admin\AppData\Local\Temp\3F95.exe

C:\Users\Admin\AppData\Local\Temp\46F9.exe

C:\Users\Admin\AppData\Local\Temp\46F9.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
FR | 185.221.198.96:80 | 185.221.198.96 | tcp
US | 8.8.8.8:53 | 96.198.221.185.in-addr.arpa | udp

Files

memory/776-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/776-1-0x0000000000400000-0x000000000040B000-memory.dmp

memory/776-3-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3240-2-0x00000000031D0000-0x00000000031E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4BE.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\3F95.exe

MD5 9433abba5fafdac018eaf7b73190457a
SHA1 faeebec1274bcb6c33a587281a9bfa9b94924ce4
SHA256 83f30cb09d52c611c5d8f62d77e636232634cce30e6407157dc027467468bfa8
SHA512 e0f374dc5d3f7b73cc557e74e6d94bda136656ee6949fa856f49bff924b532780075a6e57661659d73ecc1cb700348a57747d45f09643d5e29d5b0f266865d69

C:\Users\Admin\AppData\Local\Temp\3F95.exe

MD5 1b78b7a9fc990cf3dbd6471c1c671ba1
SHA1 8d081ef1e4a8479b146cfdecaacbc9f995f235a8
SHA256 37211afa4ea109300f981b936d6a5420c64dd15304d9a10e13a63d7b1e456329
SHA512 8f47ac5fa6de0ec560816daf6a57c8eccbfcfdf897df4dcdf10493ae78f77e8ac5e4405b9e573a05f55e793cfa70ebf9854a74b1bddf16eb55cca853dca571a5

memory/3424-17-0x00000000745C0000-0x0000000074D70000-memory.dmp

memory/3424-18-0x0000000000AC0000-0x0000000001F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46F9.exe

MD5 d5efa425b6e8578f23bc4ee86d4f136a
SHA1 8d6e40b04d9e4143f6df8a4877efc692d9e7dada
SHA256 949f66a869fc4c8fce0b38e681082baa0940440b51d476130d60be83e18cac80
SHA512 0090022056805286f8374849d67d4a84e4f63ad478227d40a8d30ceb2b3e17538085e08078c0a905603c94788f05b39a5d4e6b368e8ec782f928154c62149e15

C:\Users\Admin\AppData\Local\Temp\46F9.exe

MD5 8694b4aff34b911a1562dc084e25b2c1
SHA1 4f3082ba74d65d850f64b2379802b910a653fd22
SHA256 98fb49a4252c3430494e7f96baa05ab61320661dc80c4a3b697e20e43741d56f
SHA512 5f0424800cd16490bcc00ce1aeb6fbaf34fe69ad234a28385dda5912b959b9e8552c3e7026299548a6e2d2ac62e606e466b65311ebda97f2ede9756be2bb5afc

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 f0823d70f95e183fc54bcc37c81d95f2
SHA1 22c7fd5d5ccaeb0938e14c20d986b2943c4985c0
SHA256 e633cda88724ae9ba9b0d1d20c8dc685a3f88bd7b38e8b37476b5e2882ceedda
SHA512 26f1e61ecc64faf73ccab6d81b7af18d977b049bab2ced2fd6417ace6d8ec65133640439185e81eec4ad23c8cc047f4633fba0922d7a7dd5ce954565513f3d85

memory/2296-32-0x0000000000220000-0x0000000000714000-memory.dmp

memory/2296-31-0x00000000745C0000-0x0000000074D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 c9a8682dff510474e0868acc20fa0ebc
SHA1 8bd69bf3ab65987be7315b4bda3e09cea47f7ad5
SHA256 89353c95c774d990df898f0881c29cfe942db6f9c19b60ad529f3e143d5ca66d
SHA512 5989d47d4d5cad0eee18e4fcd990f5801f4284c4963f5827f49e1dcefd938afbf93a3dc2f74493529b7359f9be35b247abc6311177d8c8eb6ef27ac621ad2c6c

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 4daa18ed9f7d7f4c16c028d022005bb5
SHA1 eee414d2c743c9c16eb2662f64065d52ce1547fc
SHA256 0963d0bc3c1bb2f1a134abfde4bdac4a168564ac624d8e44e0d2408b5e1d52bc
SHA512 fce9b67fe7320e0961e1a31f153fc30b56637dd56cc0f80a01ba9cadbdcaf828db6b5aa0fc0f02a589079ccb779b11d2c4377a7c10a3bbb2e8372a55cce29341

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5dd44d0509871eec95c758d40f525d79
SHA1 73d493c6884b96f179180e5850d6334a7814c930
SHA256 fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282
SHA512 ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a

memory/2296-44-0x0000000005020000-0x00000000050B2000-memory.dmp

memory/2296-49-0x0000000005270000-0x000000000530C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\49B9.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a9f3e923bcb6de7761cfe1109361041c
SHA1 495e64bebdd0d6250da9afe4325e0a35c8f57eeb
SHA256 eb796a508341ac939ffd9f91a43966c1e500c330dc65803742d665a5720521cc
SHA512 86c02a95a955ef81de23d6d9b89ddcd8a9770f9934b7107f49ad0127eeea4513fc81d1158598ab4fb72bad244196baed53f26fa9e3f2a3f7a736844b8a794c8f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2b318e46106f08179388e1ca7ffcf3b8
SHA1 564d0f3f1970cbdb0e9686da84ca0a332182dbb5
SHA256 98541844097eb48f78a0a594a8e5e22db7ba3d75b71c8f511eddbc4c5b2c5c46
SHA512 3f26e703a999558c169d106224f1cdbab4ccc10b6db4d992b89874dde22c510b3b3fca7ee1c6bdd5121b1ed38e028f654fc05b9cdabc4f1d73f86ddf65d1e119

memory/2296-64-0x0000000005260000-0x0000000005270000-memory.dmp