Analysis
-
max time kernel
24s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
24/12/2023, 03:03
General
-
Target
2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e.exe
-
Size
36KB
-
MD5
b4bb298686ce7a113d33cb8662c15da5
-
SHA1
092547b22bfbc4be4e0b7f8ef1256bdf5d9eebcc
-
SHA256
2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e
-
SHA512
58ff26b8b230aee1d1e3aadebc7827f953c52219cd73d054d7e72daaefce9a7ec01538958d71f4d1de2548be95d3cfdee411e424f5022eb065b22eb125fac873
-
SSDEEP
768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
redline
LiveTraffic
77.105.132.87:22221
Extracted
redline
666
195.20.16.103:18305
Signatures
-
Detect Lumma Stealer payload V4 3 IoCs
-
Detect ZGRat V1 4 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e.exe"C:\Users\Admin\AppData\Local\Temp\2fcad026daee519395baf02393e21f412d2f08ebec612d4fe25a5b8c3a64792e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A604.exeC:\Users\Admin\AppData\Local\Temp\A604.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A8F3.exeC:\Users\Admin\AppData\Local\Temp\A8F3.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe"C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe" /F1⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 35481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 8801⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\AC30.exeC:\Users\Admin\AppData\Local\Temp\AC30.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\29DD.exeC:\Users\Admin\AppData\Local\Temp\29DD.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\344E.exeC:\Users\Admin\AppData\Local\Temp\344E.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 6802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4660 -ip 46601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 6241⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1036 -ip 10361⤵
-
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D1F6.exeC:\Users\Admin\AppData\Local\Temp\D1F6.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 2923⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 6003⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 11322⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\F5FA.exeC:\Users\Admin\AppData\Local\Temp\F5FA.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2412 -ip 24121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1036 -ip 10361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1036 -ip 10361⤵
-
C:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exeC:\Users\Admin\AppData\Local\Temp\0de90fc5c7\Utsysc.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD54f79e175bc02897b38ba12d1631fde6d
SHA1bb82bf7199246a56fefb5efcae7e78d1dd94fdfb
SHA256668b2aef829b8e22cdc72cadf412ded6f09d635459d6bb88c3bb7f24fc2b4dfa
SHA51269920dcf1be2d9198dfe55efd538caf48e7655b860a657fb51cf17e13b45106acb451571b1afca788386d6d460b59cd8eb56eb388fe50dc9b6ed0184db668447
-
Filesize
1.0MB
MD5353078f7e9412eeeff6b3d8649d7d801
SHA1888c7a17eed084895ad9c58b17aa1008dab68d5b
SHA25608afb5697594ac2b1cb16dcd21dd6d4f350e802bcac17036ffc0a9e6bb9e2d36
SHA512ebeaae2c40455b270f0bcf759231b9637df9e861b7513c8d14c89ebee29179c4967c73c999ce7b5750a292b4afd116bad1c8d8d145f69ef482f2e2dfbb219af0
-
Filesize
484KB
-
Filesize
200KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
200KB
-
Filesize
200KB
-
Filesize
484KB
-
Filesize
484KB
-
Filesize
64KB
-
Filesize
2.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
5.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
240KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
4.6MB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
1024KB
-
Filesize
1024KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
1.6MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
496KB
-
Filesize
1024KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
328KB
-
Filesize
7.7MB
-
Filesize
5.2MB
-
Filesize
1.8MB
-
Filesize
1.0MB
-
Filesize
6.1MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
7.7MB