Analysis
-
max time kernel
34s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30/12/2023, 15:50
General
-
Target
0x000600000002321e-639.exe
-
Size
38KB
-
MD5
251a04dcae43d733a7beff1724f99fbe
-
SHA1
834cd1e1c218ac4a71003cb3151acb0cff0ef073
-
SHA256
a1e4f033baf6ddddff930d3e0da1020e20bc79cb053b5ab525252778a8c1f06a
-
SHA512
f8177efc94121708127518d7ee8d6fccda2a8b6c6859021646f60d8897ece75c8efaef864d42e31603e8d660b8124c7e33a4a23501b0997faa42eefe4e296786
-
SSDEEP
768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3
Malware Config
Extracted
smokeloader
2022
http://185.215.113.68/fks/index.php
Extracted
smokeloader
up3
Extracted
stealc
http://185.172.128.79
-
url_path
/3886d2276f6914c4.php
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Extracted
redline
LiveTraffic
20.79.30.95:13856
Extracted
redline
777
195.20.16.103:20440
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Stealc
Stealc is an infostealer written in C++.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000600000002321e-639.exe"C:\Users\Admin\AppData\Local\Temp\0x000600000002321e-639.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AC7C.exeC:\Users\Admin\AppData\Local\Temp\AC7C.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe2⤵
-
C:\ProgramData\Java Updater\9kao179kg.exe/prstb3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 11485⤵
- Program crash
-
-
-
-
C:\ProgramData\Java Updater\9kao179kg.exe/prstb3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 11485⤵
- Program crash
-
-
-
-
C:\ProgramData\Java Updater\9kao179kg.exe/prstb3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 11485⤵
- Program crash
-
-
-
-
C:\ProgramData\Java Updater\9kao179kg.exe/prstb3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 10805⤵
- Program crash
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C6FA.exeC:\Users\Admin\AppData\Local\Temp\C6FA.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f5⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll5⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F5⤵
- Creates scheduled task(s)
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\tuc4.exe"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\is-POGE2.tmp\tuc4.tmp"C:\Users\Admin\AppData\Local\Temp\is-POGE2.tmp\tuc4.tmp" /SL5="$50208,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"3⤵
-
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -i4⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" helpmsg 234⤵
-
-
C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe"C:\Program Files (x86)\DataPumpCRT\datapumpcrt.exe" -s4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 11244⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2112 -s 5163⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\etopt.exe"C:\Users\Admin\AppData\Local\Temp\etopt.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\nsgD499.tmp.exeC:\Users\Admin\AppData\Local\Temp\nsgD499.tmp.exe3⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 9963⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exeC:\Users\Admin\AppData\Local\Temp\BroomSetup.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 3282⤵
- Program crash
-
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 helpmsg 231⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1652 -ip 16521⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes1⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\F629.exeC:\Users\Admin\AppData\Local\Temp\F629.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\33C0.exeC:\Users\Admin\AppData\Local\Temp\33C0.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 11163⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\39CC.exeC:\Users\Admin\AppData\Local\Temp\39CC.exe1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)1⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5500 -ip 55001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5524 -ip 55241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2656 -ip 26561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2112 -ip 21121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4176 -ip 41761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1316 -ip 13161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5896 -ip 58961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4736 -ip 47361⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
704KB
MD5c90bf3d3631d8409f012e9b9007aa50c
SHA126daf84cb380353da4cb6de36a023459de2f83a8
SHA256f99fd23856936c07c9d51856f22c199630ad3c8e1d41f08a1dbc433624406336
SHA512bc6c89bbb591ed044118821f99c693dea9f0f3af23e5320b0ce5be8d706b373ca26061667ab04a933f34a04dd4038cf35e321ca38b516cbd6f6e0aba7887a0d4
-
Filesize
44KB
MD5276a168c49b56d271dae8753960cb84b
SHA165a7b5f6c86f1d1651d2ce013600fc8c79b257fb
SHA256f9df2a1b00ff9458a08e909697c1a6943f1310cc7436629c481efdf64b3722bc
SHA5121505e89c388f4f32b90b05a40b01f8c8e9956ceb98d7b2377fd7b3c99915fd171558c5df02b1fa29db9ec3393678f3f8dce4491809952589c6e4ed1b1bac3347
-
Filesize
92KB
MD5babe614b1f0307680c90b42879efc3f6
SHA138adf3aedef1353ce1057e421d5265f2dc8cf757
SHA2563e19e2459742eb5f41bc0f1478099982ffb3175f4087b2d104528bcfd0172e0b
SHA5127edc1e3e2c64e540ae570eb18a68092757c141098132f90e3eff6a07e2e86c89f625eb89b8b147b810422136cb9b5d58cff69f26504fc99612e7c1621b2664ac
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
3.8MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
12.2MB
-
Filesize
108KB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
372KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
272KB
-
Filesize
600KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
112KB
-
Filesize
4.3MB
-
Filesize
4.3MB
-
Filesize
1024KB
-
Filesize
972KB
-
Filesize
8.9MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
5.4MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
752KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
9.1MB
-
Filesize
7.7MB
-
Filesize
18.9MB
-
Filesize
7.7MB
-
Filesize
9.1MB
-
Filesize
9.1MB
-
Filesize
4.0MB
-
Filesize
16.0MB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
328KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
576KB