Overview

overview

10

Static

static

3

42909ef96f...e6.exe

windows7-x64

10

42909ef96f...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    05-01-2024 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42909ef96fc66ee4ad2b1182f06ecbe6.exe

  • Size

    3.8MB

  • MD5

    42909ef96fc66ee4ad2b1182f06ecbe6

  • SHA1

    9ccde9b068c6dca4172df09853e8b9aa9dcded94

  • SHA256

    4cafb22334d394a75bf299e8b582791b939af7d462c79b4423948a34f364481b

  • SHA512

    e54ef137f1a12fa1c77090ade5e6fd5c404f84a5c3d0b9227fe95eb72d30e6d03fd0431c265569f7b08dc5f416973081264aa3d634399f30ad273da8f4559f9a

  • SSDEEP

    98304:Ub9fEIQBU9HIJ0tyFximjgX7dJw1mLPKZ4ygx2EjufaWte:UpfEIvdIJ0WxHjm5JwSiZ3rEAaH

Score
10/10
ffdroiderredlinesectopratsmokeloadersocelarspub2backdoorevasioninfostealerratstealertrojanvmprotect

Malware Config

Extracted

Family

ffdroider

C2

http://128.1.32.84

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

92.119.112.202:13340

Signatures

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider
  • FFDroider payload 2 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 48 IoCs
  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
    adwarespyware
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • NTFS ADS 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:868
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
        PID:684
    • C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe
      "C:\Users\Admin\AppData\Local\Temp\42909ef96fc66ee4ad2b1182f06ecbe6.exe"
      1⤵
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Local\Temp\xtect20.exe
        "C:\Users\Admin\AppData\Local\Temp\xtect20.exe"
        2⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        PID:852
      • C:\Users\Admin\AppData\Local\Temp\pub2.exe
        "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2900
      • C:\Users\Admin\AppData\Local\Temp\Install.exe
        "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        2⤵
          PID:1552
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            3⤵
              PID:1436
          • C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
            "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1852
          • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
            "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Users\Admin\AppData\Local\Temp\Files.exe
            "C:\Users\Admin\AppData\Local\Temp\Files.exe"
            2⤵
            • Executes dropped EXE
            PID:2512
          • C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe
            "C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe"
            2⤵
            • Executes dropped EXE
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Users\Admin\AppData\Local\Temp\Folder.exe
            "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2884
          • C:\Users\Admin\AppData\Local\Temp\Fille.exe
            "C:\Users\Admin\AppData\Local\Temp\Fille.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2576
        • C:\Windows\system32\services.exe
          C:\Windows\system32\services.exe
          1⤵
            PID:484
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Modifies registry class
              PID:1724
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c cmd < Crescente.ini
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2540
            • C:\Windows\SysWOW64\cmd.exe
              cmd
              2⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1796
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com k
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            PID:1160
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
              2⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1584
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
            1⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:2280
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2280 CREDAT:275457 /prefetch:2
              2⤵
              • Modifies Internet Explorer settings
              • NTFS ADS
              • Suspicious use of SetWindowsHookEx
              PID:624
          • C:\Windows\SysWOW64\rundll32.exe
            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
            1⤵
            • Loads dropped DLL
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\system32\rUNdlL32.eXe
            rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
            1⤵
            • Process spawned unexpected child process
            PID:2200
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 184
            1⤵
            • Loads dropped DLL
            • Program crash
            PID:576
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            1⤵
            • Runs ping.exe
            PID:784
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mantenere.exe.com
            Mantenere.exe.com k
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:592
          • C:\Windows\SysWOW64\findstr.exe
            findstr /V /R "^lmesxrORijUjeOjnoLtleIpFEzCCKScCJihKoesqpDBLYVUYVpGiCQFBdvNwBjigQsDUABfuxtqninHJmDGAjhqSBLxMfdnXvjUGsqbxTANbPixRPrCXGGeDdLaPiD$" Piramide.ini
            1⤵
              PID:2116
            • C:\Users\Admin\AppData\Local\Temp\Folder.exe
              "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
              1⤵
              • Executes dropped EXE
              PID:2204
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              1⤵
              • Kills process with taskkill
              PID:336
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-1592080453991248001-9818938815591646461496025544431437603-13922671331070331929"
              1⤵
                PID:2116
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1552

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\BearVpn_3.exe
                Filesize

                8KB

                MD5

                60fda22bdeacf110bd17e573d4755179

                SHA1

                9ec652c1adfdd612ff94d5405b37d6ce2cdeee58

                SHA256

                75c08d47e30fb238396887e7dfe14468e8f55563fd157ff27620e91e37a9a9a0

                SHA512

                29b5a77bbf9ab7dfd6914fdb7ca516c329aa6dcd23958276f2373566ce94b294add0ecd241f83ff77456a558b2089d7d2cee0867b1b5de7630f62b3b73848afb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Files.exe
                Filesize

                239KB

                MD5

                9d8cf8de9b97800927728c11c3ea1a05

                SHA1

                0f22a1883ee171c6dd3ca2a7989e3585852fb3e7

                SHA256

                684be08639023e02b2940bea89373e8657bf7b4fb826d22455058ae40f3b57f3

                SHA512

                021834c482a20e7d998ffd8af980f0b73a16c13967966d9ec211d269ec2df990d8f5313b9567e5daaa590dfa91abe2ec57a7a9693197e110b75f035b6f404887

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Fille.exe
                Filesize

                1.1MB

                MD5

                e35987fd2d4cd3ff879d467319e43709

                SHA1

                f55a7b78b464043abfb153e7f6d2d0688b78b261

                SHA256

                4ca6fef9e1702bbe7f84460fb9bb7cbd2085553b7fa489936e145291846175c8

                SHA512

                fee1fd18f42956b48f033cbcc8183c5893b9ec1a458165d585ef32e3c258f13739f74ddd3e6cf58ac200cbc1fca3fded71bf97692b9179396b2aab51a14f7b63

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Folder.exe
                Filesize

                712KB

                MD5

                b89068659ca07ab9b39f1c580a6f9d39

                SHA1

                7e3e246fcf920d1ada06900889d099784fe06aa5

                SHA256

                9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

                SHA512

                940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

                Download Submit

              • \Users\Admin\AppData\Local\Temp\KRSetp.exe
                Filesize

                166KB

                MD5

                63ead911676a9c9431f185fa3b415dc7

                SHA1

                bf86775b8713f8461fd7cc81104e7abedabd2885

                SHA256

                9e90ed11bd37b8004921c0b5c1668d2a3780b223055d6f4a31ce2ede411a3dfd

                SHA512

                e78d110b96404c63b86b7c5c91eff18221be0a846a4e11bca633ac0e7a2c5b40be2d5e1bc5645f9d3144a9c3d38a05809f3fe21a129333344cbd4de9e39d3c9c

                Download Submit

              • memory/868-190-0x0000000001260000-0x00000000012AC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/868-193-0x0000000001D60000-0x0000000001DD1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/868-194-0x0000000001260000-0x00000000012AC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/868-192-0x0000000001D60000-0x0000000001DD1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/868-206-0x0000000001D60000-0x0000000001DD1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1160-504-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1380-519-0x0000000002A80000-0x0000000002A95000-memory.dmp

                Filesize

                84KB

                Download

              • memory/1584-525-0x0000000000090000-0x00000000000AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1584-507-0x0000000000090000-0x00000000000AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1584-530-0x0000000000090000-0x00000000000AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1584-528-0x0000000000090000-0x00000000000AE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/1584-524-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1724-197-0x0000000000060000-0x00000000000AC000-memory.dmp

                Filesize

                304KB

                Download

              • memory/1724-897-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-923-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-205-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-1253-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-201-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-1468-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1724-1470-0x0000000000270000-0x00000000002E1000-memory.dmp

                Filesize

                452KB

                Download

              • memory/1784-189-0x0000000002040000-0x0000000002141000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/1784-199-0x0000000001F40000-0x0000000001F9D000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1784-191-0x0000000001F40000-0x0000000001F9D000-memory.dmp

                Filesize

                372KB

                Download

              • memory/1852-161-0x0000000000400000-0x000000000063B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/1852-128-0x0000000000400000-0x000000000063B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2492-105-0x0000000000A40000-0x0000000000A48000-memory.dmp

                Filesize

                32KB

                Download

              • memory/2492-125-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2492-181-0x0000000002240000-0x00000000022C0000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2492-351-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2784-106-0x00000000008C0000-0x00000000008F2000-memory.dmp

                Filesize

                200KB

                Download

              • memory/2784-352-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2784-186-0x000000001AFE0000-0x000000001B060000-memory.dmp

                Filesize

                512KB

                Download

              • memory/2784-495-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2784-132-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

                Filesize

                9.9MB

                Download

              • memory/2784-182-0x0000000000280000-0x0000000000286000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2784-149-0x0000000000250000-0x0000000000256000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2784-162-0x0000000000260000-0x0000000000286000-memory.dmp

                Filesize

                152KB

                Download

              • memory/2848-204-0x00000000026C0000-0x00000000026C2000-memory.dmp

                Filesize

                8KB

                Download

              • memory/2848-179-0x0000000003F40000-0x000000000417B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2848-150-0x0000000003F40000-0x000000000417B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2848-159-0x0000000003F40000-0x000000000417B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2848-160-0x0000000003F40000-0x000000000417B000-memory.dmp

                Filesize

                2.2MB

                Download

              • memory/2900-346-0x0000000000540000-0x0000000000640000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2900-523-0x0000000000220000-0x0000000000229000-memory.dmp

                Filesize

                36KB

                Download

              • memory/2900-520-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2900-345-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2900-353-0x0000000000400000-0x000000000046E000-memory.dmp

                Filesize

                440KB

                Download

              • memory/2900-347-0x0000000000220000-0x0000000000229000-memory.dmp

                Filesize

                36KB

                Download