Malware Analysis Report

2025-03-15 05:01

Sample ID 231212-bmmxkscdel
Target 10f0b6ad3a799cb16be2ebdd235cc73d.bin
SHA256 747e079572d43521d04a2ff8043497a4c688f05563b5a415fbb5527ec67fb999
Tags smokeloader redline @oleh_ps livetraffic up3 backdoor infostealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 747e079572d43521d04a2ff8043497a4c688f05563b5a415fbb5527ec67fb999

Threat Level: Known bad

The file 10f0b6ad3a799cb16be2ebdd235cc73d.bin was found to be: Known bad.

Malicious Activity Summary

smokeloader redline @oleh_ps livetraffic up3 backdoor infostealer trojan

Smokeloader family

RedLine

RedLine payload

SmokeLoader

Downloads MZ/PE file

Executes dropped EXE

Deletes itself

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-12 01:15

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-12 01:15
Reported 2023-12-12 01:18
Platform win7-20231025-en
Max time kernel 44s
Max time network 71s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BB64.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
(62 further rows with every field N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe
PID 1184 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe
PID 1184 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe
PID 1184 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\8076.exe
PID 1184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB64.exe
PID 1184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB64.exe
PID 1184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB64.exe
PID 1184 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BB64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe

"C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe"

C:\Users\Admin\AppData\Local\Temp\8076.exe

C:\Users\Admin\AppData\Local\Temp\8076.exe

C:\Users\Admin\AppData\Local\Temp\BB64.exe

C:\Users\Admin\AppData\Local\Temp\BB64.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-3H1GC.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3H1GC.tmp\tuc3.tmp" /SL5="$9011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\CD01.exe

C:\Users\Admin\AppData\Local\Temp\CD01.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\D50E.exe

C:\Users\Admin\AppData\Local\Temp\D50E.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 N/A tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 N/A tcp

Files

memory/1948-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1948-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1184-1-0x00000000029D0000-0x00000000029E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8076.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2768-12-0x00000000001A0000-0x00000000001DC000-memory.dmp

memory/2768-17-0x00000000749B0000-0x000000007509E000-memory.dmp

memory/2768-18-0x0000000007530000-0x0000000007570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BB64.exe

MD5 c8688a4de607f6b85b368b3ffaa20018
SHA1 fd236f35a9a97c697d04cbc7f5b1822afeeabc0d
SHA256 daff12d7ed13276cd10513d6229a1ad59ade734c31667cdae49e25b2dfaf4727
SHA512 2a6bd8629cd8b71bfb9bda5cd46821b6975abd0f678b7171956920176d3d6d932df0b03121e22abea60ad0035e8295c1bb1ef0cfb8f442b050ad972ff4414be2

C:\Users\Admin\AppData\Local\Temp\BB64.exe

MD5 0c12bae80222bc7acd8a4a24ee7e62dd
SHA1 556cec252270f0271ecaa48b04eb5fb95f34f3ac
SHA256 2e41d826b3e4800250d5245e3b481fb47500bb2fed2d304e49f50d97c7ca0816
SHA512 23cf7e95a5ce32cdcdf3f9b0a2cd9d3ee23447d497f8c6731930e5b66d97b8ad852575ad8ea8b13701669c84e52b300ab0779063167d1d9934bbf15144ff6eca

memory/2568-27-0x0000000000C00000-0x00000000020B6000-memory.dmp

memory/2568-26-0x00000000749B0000-0x000000007509E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 5b1abc4b01ce3d9ff998842c5d91753f
SHA1 935a215f14bbaf6bad5a2fd0816e910226c03bc4
SHA256 749f896635bafd5c9c6aade383a430bcd5839b7b0737325db79f2a9f0dc0d484
SHA512 f5c97eab547da280112e387689cac01bb4cedbaaab05729feddf649f70f50c037cb9e890ae3413a6953e4cebcbd8825ca30d7727f3e7ebb0170ca1137cad00f6

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 9f223f9189f0db37e8acd3141a6fcab2
SHA1 f1c20e57020b75879b52bf4b4913e2b00c5cf783
SHA256 ec1f1c6c05d9b2fb3cb2390c3c18f7ed2dc8d893ebfaee7079d11d72097472b4
SHA512 75f5a9cc4d15577dad2667fbd274ef9792f67a0783c8014018905dcb66ccb851cb30aeeb2b395e2e4de018354b89a68bf7ccce4805ff78e28ea29f78c8cf06ca

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 db5ff879e580ae10699a15f4b9dbe73a
SHA1 15b8fcba678aff18508838f356e34caf7e97e518
SHA256 3c3d84d79b3ac773599e641ee32818b879af07e7ca229662ccfa708bf494913e
SHA512 069142cb2065f12c2a007bcc56aae2adeaffa32defaaa79b70a86ccfea54484e675e91c88395dc342c2e4cfde78f5f5d303060c1a68a661cac3c918b29c5f6be

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 091d475f56a46f2b1523f44d3441608b
SHA1 490a983fdb60d255dc3511e10815af70840c799e
SHA256 350c0ea6dc8f74e476f6a94a8a18980a48a40b486b7313c5bda08704b4310569
SHA512 32a901c62bbffd5fa910903490ff5ae01d3bdf5e6fd3c33b7da1d9ef2a93f25a79df92b972f46cee63773b905f6bae6ffedf4349e32839182e8f33f5e57000d9

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 1a3d36f8cbdfcba14796272a5a2035e9
SHA1 e85859a592e8db0d426e3a626d19066ce4ebca74
SHA256 9c54f9489ca1e6a4529c34a02f61dd8555d9120b9a159329c119283866806908
SHA512 9ef11c37202a5d9aedaa69b6924fc475593302aece1b2960bdf4da74f5e6bbbe5720282930fa4e1c9845cc253b7dd70772b30bf75095a90d5238a55cc13eeeac

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 907e0259abe417ba817b4eb30766e554
SHA1 3ca7b4b68b6c48e5901e9622ba61fbd37b29fab8
SHA256 40007f2880fd5f361d2295d2a88057ad8379906e585f8640d49fe484c67366da
SHA512 b5096e6cf8a2b592be79c3022049e3558beaab5e16035df89bf267bb2cac4ccb8c16eb6e4f27954804ab3f881fb49a397107296d523f01aa346ad1433581017e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 c2f66d15f2d6c660047154704e7d186c
SHA1 36f72e94b82ed17f36d0ca722ada953b0ebc5bf4
SHA256 8cf00f2d21fe713193ada5cb47b37be9d872fbff4d025ed14567785c09411f1c
SHA512 3126404938b881d2d5520a1f5e2a5274d4bad56556087f7702a620256930736e10db1ac324e2c46991a7322a99270eef47087dc7d8c405691a683db012cf4f4e

\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 585d32a4624328f41d7945036ff37d76
SHA1 471cfc4f36a285662df0148640d96c99e26f0a07
SHA256 056ac2773bf9f64fd98db791263b1f27fd6431d9029935bb4b67b9af8221d7b2
SHA512 039c996ba5898fe28ff5bb31ee3c8211e5e4f88255c72ca3ff47210f1559b3bcf90de7a98487009d84264b656042218b27aa677451389539861d43ff46234609

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 499dfc73c79759f1e2c2ee0a5ec14125
SHA1 6f2273ba02537cb25c8226c6304d55702452a4d8
SHA256 02875afdada992021bdae2ee45b5f6e391709c4bd1c029f320d9f76b8f2ab375
SHA512 f30cc7f29605cec0cea6d43e83e6d8ec89281e63d593ef861f17df4cec13352d77c2bc29a792671d715fa047b0bab19b818aa0b7ea671275c6892429ab245350

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d99924f2dfc384eec1d2ac3a206c919e
SHA1 4a6d73298601041318ceaafa38fb0052b70357d4
SHA256 f8d47a3e41176b8dd5ea76d0e4acc74a7f11c6a8c4dbbf55c8f837cd7c215a02
SHA512 97e340a1f481a37b94f7b27823de777863b580e3071d41120c26fe8430545555c64021f82674874410fe10736051b9409f4828fca8fe092013c398f98e2a6c48

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 e0595c11cd9653a2aa98980f7e3ca936
SHA1 9d281155cf5650dde1dd9d3f01fe2ba85fca9a8a
SHA256 de581dba0e0dd6fd0a832d18059eb4cef2c00a205cfb5d26e9996ffa3daddb85
SHA512 81c76120871aa94e545776dcd8d8336a17630c800ea7956faa687204bb2005f52fcf24d81db89f999b2e76a45c7d56f210b476c123b0fd702d9faf11d9baa6bf

memory/2740-61-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 089e3571fc7cb2c1e73084ef41508dfc
SHA1 cda63a0b68bc09b779556f9efed726d15859199c
SHA256 5d8b4a6bcd3c123ba5899ea047140c969cffca6b0f10409341a4427cf59b724d
SHA512 0763b70e4e106ac9234073fdd7a80665da15209930e2cd110a470385b4644e209c58df22f3d3a94eb43f49e398a39541148e0d814c5150de5905baaf3d253dcc

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 7350d36c57867ad287b47819ee66ebf2
SHA1 b708dac54368088090016e09204efb0ba6fdf45f
SHA256 944ebdd63cd9fc560de8cec365f1a2fe2cf89bde711a09e5faf2d4998ae75023
SHA512 f04849e7911c0ec4b26f7bc9ab2104e6c6d7c0f7d2a021d9673a4e25248db0914b59ce2b5b0a0975c9bddf90802b69934d4c69fe1e00e3ec379b606623924243

\Users\Admin\AppData\Local\Temp\is-3H1GC.tmp\tuc3.tmp

MD5 b71e63ae66b74f7cb7eb9b8d9a54b93a
SHA1 f141c8d241907f68ee8c10fa7ed619c6da3d3246
SHA256 468f2c6071e754918af2fc5960b4877a0932f98c4a5bd868947b3ca3c53f4207
SHA512 8b6ea07f177a8a3959c1090f6f1125b4de64597fd1a841afb67cd7de60c20c6823090b25188a2e315652149971cb03497e8aa03e75951acad110dab6581de9ef

\Users\Admin\AppData\Local\Temp\is-9IVA4.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-9IVA4.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-9IVA4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\is-3H1GC.tmp\tuc3.tmp

MD5 537c9e674ba1471c5fa394debf334127
SHA1 24d05a6a47929788df539ff631b2ff4da361d721
SHA256 e89c94b807bf9fac572d06588d64d9d22664c47c07a6a3abfac453cce3aaecb5
SHA512 3a0390a865018cefbe92df7ab3266fadb8c398ca1f068c78c640e2acb55784a390090936f986efadbb056e95c1958f9e6c3bc5dc411871c5cf2348437c37cd17

C:\Users\Admin\AppData\Local\Temp\is-3H1GC.tmp\tuc3.tmp

MD5 7f78bb6550a0696443b287fff7fa7287
SHA1 ee0480e7ad80445f08f25d4b96844b0139278c9f
SHA256 a2c8252049a1bde29995dabd6fb3f4b22cb4f600535413f069baefa31ba8b86d
SHA512 aabfa5f015185850c864e60690284d518c541849a76911ccbfae0457b2b845f6448bf8170173bd546d5437d258ff92e2e50a407e2f5c81e8e55480e83a52e75a

memory/328-95-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 7d4d44566edd8c0e9040be55e55a8b28
SHA1 576f76c5846cf2981a220153ecb2ca47a97ed867
SHA256 208ccd94bef2e2fb26e61e244a89cd069027bdec9c6137f0442ed6b4e2c05c6e
SHA512 4138f3d2497ee071b44654a7a3bdfe9d776c700760ad2afdea249c2f85cc9766130edb8a08e69c581d6c6543408fb5984f7c68a5d34cd65036194037e3911354

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 66ce1468793d13b7c6fc560997166e12
SHA1 8c8f5dbe3d630be47706823d9ea50508a6dcc50b
SHA256 92eb4cac9bcc170c6c3cf96d1fa89f7afe3c6ad68e152736976b45ad69b27ae2
SHA512 25e9a4798dffe0e0f46fba7ea02a5413ee45b8051e81d33bd0138eb811f2c9d36b4f858d6fb867dbc0708fabe5ae0d8862b155eb424f0a96095e44a877e88eed

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 1b159fee94f49e50da540d2c70bdb412
SHA1 fa8b6fcfe71f716bb719b038cb400d7bcc29b26c
SHA256 88b132ebf36bd0451f56345998cb52145f45d4d3b0ba7dfdb05fc147afb891a0
SHA512 ad7424efb79f84acd287391d4f69a0d11ddac676853abe57b49f2612a703dbf5b72d0ea515a8933bf7c97cc3bc23c95cbcbda8d934c9a45b5b4a0e6cadfa15e7

memory/632-106-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2900-113-0x0000000000860000-0x0000000000960000-memory.dmp

memory/2264-115-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD01.exe

MD5 58ca0be9f1e7d28bc622e4ed73854737
SHA1 b4f3be3e1d7fcad146efaf5d4e81a957b66504fd
SHA256 e8051792f88add618f763cf8d512c8374937c8f9f6ac1a2a900d889fe7d0d08e
SHA512 685bf2aae1322337d7b4daaaac975a188c125f7d2e2661f9c1eace0e84b26d8ff3196dd79845ca6261d9b055be4c058edf547ca6860f6c431a48a7a4e5649451

C:\Users\Admin\AppData\Local\Temp\CD01.exe

MD5 1ebe3171ab5aefc4b7732dc0600f270a
SHA1 42ac1aeb9c7f1c63b6ddce95c98d09b1908bc9db
SHA256 9c9df9ef0f7424d236d15316a01be3baa539aafff2ac881be013686bc0b5ded1
SHA512 be3b122ac07d888f720513796d7a443e97c258df1e264381b0b7e6a5ac9dd06fa65e382aa292108a4be18cf2f437cb71df00b82951a57e4c8b78416f5adff27f

memory/552-121-0x0000000000CA0000-0x0000000001194000-memory.dmp

memory/552-120-0x00000000749B0000-0x000000007509E000-memory.dmp

memory/2264-112-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2900-111-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2264-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3064-122-0x00000000025B0000-0x00000000029A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 cc69138e8fd0277a7ba61029d2cea639
SHA1 79f1f2fcad1fc2ff19e227dfacf881b1fea26a1e
SHA256 85b05c3c0d72e7ca8e3c04d5a9271693f711faaf4a2d686cffe5b8d760d9dacf
SHA512 49302378d8e304cce9e4ec9fb35cef4deb063a9b69f30167754757fbbeab06abd2b524abae67c8ca64e0f5105496945adb3435d319acbc3bf1c45bb237056040

memory/2568-104-0x00000000749B0000-0x000000007509E000-memory.dmp

memory/2768-123-0x00000000749B0000-0x000000007509E000-memory.dmp

memory/552-124-0x0000000000C50000-0x0000000000C90000-memory.dmp

memory/2768-131-0x0000000007530000-0x0000000007570000-memory.dmp

memory/1324-130-0x0000000000070000-0x00000000000AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D50E.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/1324-133-0x0000000007120000-0x0000000007160000-memory.dmp

memory/1324-132-0x00000000749B0000-0x000000007509E000-memory.dmp

memory/3064-134-0x00000000029B0000-0x000000000329B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-12 01:15
Reported 2023-12-12 01:18
Platform win10v2004-20231127-en
Max time kernel 41s
Max time network 89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F750.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2E01.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A
(62 further rows with every field N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\F750.exe
PID 3340 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\F750.exe
PID 3340 wrote to memory of 1652 N/A N/A C:\Users\Admin\AppData\Local\Temp\F750.exe
PID 3340 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E01.exe
PID 3340 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E01.exe
PID 3340 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\Temp\2E01.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe

"C:\Users\Admin\AppData\Local\Temp\10f0b6ad3a799cb16be2ebdd235cc73d.exe"

C:\Users\Admin\AppData\Local\Temp\F750.exe

C:\Users\Admin\AppData\Local\Temp\F750.exe

C:\Users\Admin\AppData\Local\Temp\2E01.exe

C:\Users\Admin\AppData\Local\Temp\2E01.exe

C:\Users\Admin\AppData\Local\Temp\3749.exe

C:\Users\Admin\AppData\Local\Temp\3749.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\3A38.exe

C:\Users\Admin\AppData\Local\Temp\3A38.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\3E31.exe

C:\Users\Admin\AppData\Local\Temp\3E31.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 89.135.221.88.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files

memory/3948-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3340-1-0x0000000002300000-0x0000000002316000-memory.dmp

memory/3948-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F750.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\2E01.exe

MD5 a0a75db836ecd28aceb1cce2d0106e2a
SHA1 4316a25e8c2778578c52b239f4298f41a865a031
SHA256 49747ae5e65800aeb1a0fce1ab6ad9cdd1c61064fe36da6bc1cb5ed3ee6445a1
SHA512 d0d2d24c12fe9c663516f77f10ab0bc1ca59619bfa9f4ca4c7719c57027396301c2f7b7a4fe2a5accfb37dc6a11d7864e0448a6c73b4eed8b4c427dd182842b0

C:\Users\Admin\AppData\Local\Temp\2E01.exe

MD5 91313768942ad07aeacd491b3d7d0ab9
SHA1 222de19b85ee0e00310fa56128c01c4f5a9af54e
SHA256 298b01941088b676e3d882977a21a1653c37e1bc94de922447c8576978fdc856
SHA512 ad0aaf184b0ddd52134d19f8a156986c38884e46be24b440e8f7487abae636573506cefa19047ed32d207d83af2da4245597f02cfdc5fa866c064cfa83f3a2ba

memory/1920-16-0x00000000752B0000-0x0000000075A60000-memory.dmp

memory/1920-17-0x0000000000D30000-0x00000000021E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3749.exe

MD5 f93b41d159dbba2ef0deb1a698fa2295
SHA1 2ab7dcf3e789cfee43a66d381b49bc5240be6b92
SHA256 5e81b68fc96dcb92c9a06e657ca32e6ac3c72a2d477544697023072de560b177
SHA512 39c6a6fb9e5d1553c96705b331108288663a73d539e6da4592b378c5887280472cc0e74fe334c2475089b06b33efdf10f81a584fd03878bbc8f31f3982658326

C:\Users\Admin\AppData\Local\Temp\3749.exe

MD5 5d41891ab94e3b99e72643a1617d3ffd
SHA1 4064f77373a51add18f9b8a0ed0685fa49ba3250
SHA256 2d5c54f9781b444a2c8a6f0a4e97f525a5460f683053974f20aab0b4d8585a3a
SHA512 543961680bbbd9ed281f25010a00dd35e58106dfba976b91afc87d6584cc883a28dc726b79bcfd04d81ad5c8578feee0b2294a05c6e6bef0da10d2a786043edc

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 1f2a58b3d6a3a778f489df529b65ceeb
SHA1 2bb0075233f4e9974463f9eaa3c30276e677f91a
SHA256 43a4e3bab19ba4262c7c9df76889fd6606f7353d8e8a0ba386a5d7f8ddb49dea
SHA512 7f8b277f760f6b027df3e4b25db990141c724e3603e7cefcdcaa044c329f4ff7f18eb15e9e76725b6db242f7e1cb0d26f2f381871fac840cf6eb4374a3444340

memory/564-25-0x00000000752B0000-0x0000000075A60000-memory.dmp

memory/564-31-0x0000000000E30000-0x0000000001324000-memory.dmp

memory/564-32-0x00000000061D0000-0x0000000006774000-memory.dmp

memory/564-35-0x0000000005C20000-0x0000000005CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 1edbb899cd009bc44d1c5af57cda0ca0
SHA1 7bdea65db8ee6c751d321de341a25104273201ee
SHA256 95ba3bbce27c862f69b8c68277cc6f32aacd5909aac091a2823629d39d0d6454
SHA512 9f3d33d682c57995a9f466c0c20351c1958640897e66391a6b06b1e58ba1820774f9faf723d957279aa9cda0729372e626af77647b05e15f380e81c532926d54

memory/564-37-0x0000000005F00000-0x0000000005F9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3A38.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

memory/2160-49-0x00000000752B0000-0x0000000075A60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 8ccb6d662c03951b32809cea369bcca3
SHA1 e8831292dadd44bf3f36da904b4ef52674f70095
SHA256 cd0b1ce2dd04a89d654a3749e3a225426407838373a313b1526c66ecd0f03a9c
SHA512 1faa849abd7921e7ca39fd1299836de6cbf36266c11ab8476f35f2d0247db73ecc119f6492e733d310977b4045c3bd904cb4830a880dcf38b26ca79b99637358

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 431870c626da5d5bcbc6804ec76c8b3d
SHA1 e9955b11b27d37fb177e30fda7a6f6d3df465d72
SHA256 4a866cc834204db8fdea083280ec90b5e4631ea81a6341131ca121d3d5c71e7b
SHA512 adcdb61b7f3449a8e6b33110a29c6c5d31c91b906d3135e2777e0ed8bdc3aec07666c5ca125171db2ebeb85078c0d7805788ff34d0a0be5c472905f3423153ae