Analysis

max time kernel: 82s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-03-2024 10:32
Static task: static1

Behavioral task: behavioral1
  Sample: 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral2
  Sample: 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
  Resource: win11-20240221-en
General

Target: 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
Size: 204KB
MD5: 3f6f77f2a1a79b61b366714e81155d93
SHA1: df858f5ffa1193f6a2aff97cc8d420c904b95e17
SHA256: 633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573
SHA512: 747b1fc16ff30eb9f4bea3f481d2b82199ab8a8d67ade39ae4820b6c360bc2a840915f6f99cc406f8bc1efc088fa800f9227f507d5cf49b096017e5983d4d4b4
SSDEEP: 3072:Z3SDLqRgTHASJxi5iyAJ7oI4Z4tEmPgc2F/:Z3dRgTHAGo5BEoI4Z4tEvcC/
Malware Config

Extracted: smokeloader
  Version: pub1

Extracted: smokeloader
  Version: 2022
  C2: http://trad-einmyus.com/index.php
  C2: http://tradein-myus.com/index.php
  C2: http://trade-inmyus.com/index.php

Extracted: redline
  Botnet: LogsDiller Cloud (TG: @logsdillabot)
  C2: 5.42.65.0:29587
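The extracted configs give two kinds of network indicator: SmokeLoader's HTTP C2 URLs (three look-alike domains, same `/index.php` path) and RedLine's raw `ip:port`. The following is an added example, not part of the sandbox report, showing how a detection engineer would normalise those values and sweep proxy and flow logs for them. The log lines are constructed for the example; the log formats, the `scan_*` function names and the subdomain-aware matching are assumptions, not something the report or either malware family defines.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the extracted SmokeLoader and RedLine configs above.
SMOKELOADER_C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
]
REDLINE_C2 = "5.42.65.0:29587"


def build_indicators(urls, redline_c2):
    """Split the config strings into sets that are cheap to match against."""
    parsed = [urlparse(u) for u in urls]
    domains = {p.hostname.lower() for p in parsed}
    url_paths = {(p.hostname.lower(), p.path) for p in parsed}
    ip, port = redline_c2.rsplit(":", 1)
    return {"domains": domains, "url_paths": url_paths, "ips": {(ip, int(port))}}


def host_matches(host, domains):
    """Exact or subdomain match; 'notrad-einmyus.com' must not hit 'trad-einmyus.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample logs (not from the sandbox run). Proxy: ts src method url status.
PROXY_LOG = """\
2024-03-29T10:33:01Z 10.0.0.5 GET http://trad-einmyus.com/index.php 200
2024-03-29T10:33:02Z 10.0.0.5 GET http://www.example.com/ 200
2024-03-29T10:33:05Z 10.0.0.5 POST http://cdn.tradein-myus.com/index.php 404
"""
# Flow: ts src:port -> dst:port proto
FLOW_LOG = """\
2024-03-29T10:33:09Z 10.0.0.5:51234 -> 5.42.65.0:29587 tcp
2024-03-29T10:33:10Z 10.0.0.5:51235 -> 5.42.65.0:443 tcp
2024-03-29T10:33:11Z 10.0.0.5:51236 -> 93.184.216.34:80 tcp
"""
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def scan_proxy(log_text, ind):
    """Flag requests to the SmokeLoader domains; note whether the full C2 URL was hit."""
    hits = []
    for line in log_text.splitlines():
        ts, src, method, url, status = line.split()
        u = urlparse(url)
        if u.hostname and host_matches(u.hostname, ind["domains"]):
            hits.append({
                "ts": ts, "src": src, "url": url, "family": "smokeloader",
                "exact_url": (u.hostname.lower(), u.path) in ind["url_paths"],
            })
    return hits


def scan_flows(log_text, ind):
    """Flag connections to the RedLine ip:port; the port matters, 5.42.65.0:443 is not a hit."""
    hits = []
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, src, dst, dport, proto = m.groups()
        if (dst, int(dport)) in ind["ips"]:
            hits.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "family": "redline"})
    return hits


if __name__ == "__main__":
    ind = build_indicators(SMOKELOADER_C2_URLS, REDLINE_C2)
    for hit in scan_proxy(PROXY_LOG, ind) + scan_flows(FLOW_LOG, ind):
        print(hit)
```

Matching on the registered domain rather than the full URL catches the loader if the operators rotate the path, while the `exact_url` flag preserves the higher-confidence signal for triage. For the RedLine indicator the port is part of the match on purpose: a bare IP hit on a shared host would be noisy, and the config ties the bot to that port.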
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral1/memory/4284-26-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: family_redline
  (pid 4284 is the RegAsm.exe instance whose thread context 5149.exe overwrote, see SetThreadContext below; the payload lives in the hollowed host, not in 5149.exe's own image)

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Deletes itself (1 IoC)
  pid 3496 (process name not recorded in the report)

Executes dropped EXE (2 IoCs)
  pid 844   5149.exe
  pid 1420  A3EE.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  PID 844 (5149.exe) set thread context of 4284 (RegAsm.exe)

Program crash (1 IoC)
  WerFault.exe pid 224, target pid 844 (5149.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 532   633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe (2 entries)
  pid 3496  (62 entries, process name not recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 532  633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe

Suspicious use of AdjustPrivilegeToken (22 IoCs)
  Token: SeShutdownPrivilege        pid 3496 (10 entries)
  Token: SeCreatePagefilePrivilege  pid 3496 (10 entries)
  Token: SeDebugPrivilege           pid 844   5149.exe
  Token: SeDebugPrivilege           pid 4284  RegAsm.exe

Suspicious use of WriteProcessMemory (25 IoCs)
  PID 3496 wrote to memory of 3012 (cmd.exe)             2 entries
  PID 3012 (cmd.exe) wrote to memory of 1584 (reg.exe)   2 entries
  PID 3496 wrote to memory of 844 (5149.exe)             3 entries
  PID 844 (5149.exe) wrote to memory of 3604 (RegAsm.exe)  3 entries
  PID 844 (5149.exe) wrote to memory of 4284 (RegAsm.exe)  8 entries
  PID 3496 wrote to memory of 1420 (A3EE.exe)            3 entries
  PID 3496 wrote to memory of 1208 (cmd.exe)             2 entries
  PID 1208 (cmd.exe) wrote to memory of 1644 (reg.exe)   2 entries
  (two RegAsm.exe children were written to: the first, 3604, received three writes and shows no further activity; the second, 4284, received eight and is where the RedLine YARA hit and SeDebugPrivilege appear)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
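The behaviours above chain in a way that is easy to write detection for: a dropped executable in the user's Temp directory starts a .NET utility (RegAsm.exe) with no arguments and overwrites its thread context, WerFault then reports the loader crashing, and both dropped batch files have `reg.exe` write the `HKCU\Software\clicker\key` marker. The following is an added example, not part of the report or of either malware family's code, that runs those three rules over a constructed event stream. The event schema (pid/ppid/image/cmdline records), the list of .NET binaries treated as hollowing hosts, the benign control record for an installer and all function names are assumptions; the PIDs, images and command lines are taken from the process tree and WriteProcessMemory entries above.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed event stream (not the sandbox's own trace). Hypothetical minimal
# schema: one process-create record per process. PIDs, images and command lines
# mirror the report; ordering and the benign control at the end are invented.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
REG_ADD = r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'

EVENTS = [
    {"pid": 3012, "ppid": 3496, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\C796.bat" "'},
    {"pid": 1584, "ppid": 3012, "image": r"C:\Windows\system32\reg.exe", "cmdline": REG_ADD},
    {"pid": 844, "ppid": 3496, "image": TEMP + r"\5149.exe", "cmdline": TEMP + r"\5149.exe"},
    {"pid": 3604, "ppid": 844, "image": REGASM, "cmdline": '"' + REGASM + '"'},
    {"pid": 4284, "ppid": 844, "image": REGASM, "cmdline": '"' + REGASM + '"'},
    {"pid": 224, "ppid": 844, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 260"},
    {"pid": 1420, "ppid": 3496, "image": TEMP + r"\A3EE.exe", "cmdline": TEMP + r"\A3EE.exe"},
    {"pid": 1208, "ppid": 3496, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\A6BE.bat" "'},
    {"pid": 1644, "ppid": 1208, "image": r"C:\Windows\system32\reg.exe", "cmdline": REG_ADD},
    # Benign control (invented): an installer registering an assembly, with arguments.
    {"pid": 4990, "ppid": 1, "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"C:\Program Files\Vendor\setup.exe"},
    {"pid": 5000, "ppid": 4990, "image": REGASM,
     "cmdline": '"' + REGASM + r'" /codebase "C:\Program Files\Vendor\lib.dll"'},
]

# .NET utilities commonly started suspended and hollowed by loaders (assumed list).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
CLICKER_KEY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?hk(?:ey_current_user|cu)\\software\\clicker\\key\b', re.I)
WERFAULT_TARGET = re.compile(r"\bwerfault\.exe\b.*?\s-p\s+(\d+)", re.I)


def _has_arguments(ev):
    """True when the command line carries anything beyond the (possibly quoted) image path."""
    return ev["cmdline"].strip().strip('"').lower() != ev["image"].lower()


def rule_hollow_host(events):
    """Argument-less hollowing host spawned by a binary running from the user's Temp dir."""
    procs = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in HOLLOW_HOSTS:
            continue
        parent = procs.get(ev["ppid"])
        if parent is None or _has_arguments(ev):
            continue
        if USER_TEMP.search(parent["image"]):
            hits.append({"pid": ev["pid"], "ppid": ev["ppid"], "parent_image": parent["image"]})
    return hits


def rule_registry_marker(events):
    """reg.exe writing the HKCU\\Software\\clicker\\key marker seen in both dropped .bat files."""
    return [ev["pid"] for ev in events if CLICKER_KEY.search(ev["cmdline"])]


def rule_loader_crash(events, hollow_hits):
    """WerFault reporting a crash of a process that had just spawned a hollow host."""
    loaders = {h["ppid"] for h in hollow_hits}
    crashed = set()
    for ev in events:
        m = WERFAULT_TARGET.search(ev["cmdline"])
        if m and int(m.group(1)) in loaders:
            crashed.add(int(m.group(1)))
    return sorted(crashed)


def correlate(events):
    """Group hollow-host hits by loader so a retry (two RegAsm.exe children) is visible."""
    hollow = rule_hollow_host(events)
    by_parent = defaultdict(list)
    for h in hollow:
        by_parent[h["ppid"]].append(h["pid"])
    return {
        "hollow_by_parent": dict(by_parent),
        "registry_marker_pids": rule_registry_marker(events),
        "crashed_loaders": rule_loader_crash(events, hollow),
    }


if __name__ == "__main__":
    for k, v in correlate(EVENTS).items():
        print(k, v)
```

The hollow-host rule keys on two things the legitimate use of RegAsm.exe never combines: an empty command line and a parent running out of a user-writable Temp path, which is why the invented installer record with `/codebase` does not fire. Grouping hits by parent exposes the retry visible in the report (3604, then 4284), and the WerFault correlation is a cheap confidence boost: loaders that fail mid-injection crash, benign parents of RegAsm.exe rarely do.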
Processes (indented by the parent/child depth the report records; PIDs added where the Signatures section identifies them)

C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe (pid 532)
  command line: "C:\Users\Admin\AppData\Local\Temp\633f529507c1b10770ee864e3799d15cd187138a7998f313ab080ad646012573.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C796.bat" "
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2272,i,17338911640954948469,1637568328132129119,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\5149.exe (pid 844)
  command line: C:\Users\Admin\AppData\Local\Temp\5149.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (pid 3604)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (pid 4284)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (pid 224)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 260
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 844 -ip 844

C:\Users\Admin\AppData\Local\Temp\A3EE.exe (pid 1420)
  command line: C:\Users\Admin\AppData\Local\Temp\A3EE.exe
  - Executes dropped EXE

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6BE.bat" "
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\reg.exe
      command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\5149.exe
  Filesize: 392KB
  MD5: 89ec2c6bf09ed9a38bd11acb2a41cd1b
  SHA1: 408549982b687ca8dd5efb0e8b704a374bd8909d
  SHA256: da1e155c46ca6b23409d059b6d85341c0b86c92d2c69dbda85eef3894313662d
  SHA512: c565dbb25dd35ae8dce2a4cf15640053aca8b99c5c78db23648e6618ef316362b77142c6524b47089a7ea05632adee091ec5e82ed95aeb86d2331b8c5f8cc56a

C:\Users\Admin\AppData\Local\Temp\A3EE.exe
  Filesize: 6.5MB
  MD5: 9e52aa572f0afc888c098db4c0f687ff
  SHA1: ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
  SHA256: 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
  SHA512: d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

C:\Users\Admin\AppData\Local\Temp\C796.bat
  Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Memory dumps (grouped by pid; name, then Filesize)

pid 532 (sample)
  memory/532-1-0x0000000000770000-0x0000000000870000-memory.dmp  1024KB
  memory/532-2-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB
  memory/532-3-0x0000000002280000-0x000000000228B000-memory.dmp  44KB
  memory/532-5-0x0000000000400000-0x0000000000537000-memory.dmp  1.2MB

pid 844 (5149.exe)
  memory/844-20-0x0000000000E90000-0x0000000000EF4000-memory.dmp  400KB
  memory/844-21-0x0000000074650000-0x0000000074E00000-memory.dmp  7.7MB
  memory/844-22-0x00000000059D0000-0x00000000059E0000-memory.dmp  64KB
  memory/844-23-0x00000000032A0000-0x00000000032A1000-memory.dmp  4KB
  memory/844-29-0x0000000003440000-0x0000000005440000-memory.dmp  32.0MB
  memory/844-39-0x0000000074650000-0x0000000074E00000-memory.dmp  7.7MB

pid 1420 (A3EE.exe)
  memory/1420-52-0x0000000000470000-0x0000000001155000-memory.dmp  12.9MB
  memory/1420-57-0x0000000003060000-0x0000000003061000-memory.dmp  4KB
  memory/1420-58-0x0000000003070000-0x0000000003071000-memory.dmp  4KB
  memory/1420-59-0x0000000000470000-0x0000000001155000-memory.dmp  12.9MB
  memory/1420-60-0x00000000030A0000-0x00000000030A1000-memory.dmp  4KB
  memory/1420-61-0x00000000030B0000-0x00000000030B1000-memory.dmp  4KB
  memory/1420-62-0x00000000030C0000-0x00000000030C1000-memory.dmp  4KB
  memory/1420-63-0x00000000030D0000-0x00000000030D1000-memory.dmp  4KB
  memory/1420-64-0x0000000000470000-0x0000000001155000-memory.dmp  12.9MB
  memory/1420-65-0x00000000030E0000-0x00000000030E1000-memory.dmp  4KB

pid 3496
  memory/3496-4-0x0000000002DE0000-0x0000000002DF6000-memory.dmp  88KB

pid 4284 (RegAsm.exe, hollowed host; dump 26 is the RedLine YARA hit)
  memory/4284-26-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
  memory/4284-28-0x0000000005A20000-0x0000000005FC4000-memory.dmp  5.6MB
  memory/4284-30-0x0000000005510000-0x00000000055A2000-memory.dmp  584KB
  memory/4284-31-0x0000000074650000-0x0000000074E00000-memory.dmp  7.7MB
  memory/4284-32-0x00000000054C0000-0x00000000054D0000-memory.dmp  64KB
  memory/4284-33-0x00000000056A0000-0x00000000056AA000-memory.dmp  40KB
  memory/4284-34-0x00000000065F0000-0x0000000006C08000-memory.dmp  6.1MB
  memory/4284-35-0x0000000005840000-0x000000000594A000-memory.dmp  1.0MB
  memory/4284-36-0x0000000005770000-0x0000000005782000-memory.dmp  72KB
  memory/4284-37-0x00000000057D0000-0x000000000580C000-memory.dmp  240KB
  memory/4284-38-0x0000000005950000-0x000000000599C000-memory.dmp  304KB
  memory/4284-40-0x0000000006180000-0x00000000061E6000-memory.dmp  408KB
  memory/4284-41-0x0000000007130000-0x00000000072F2000-memory.dmp  1.8MB
  memory/4284-42-0x0000000007830000-0x0000000007D5C000-memory.dmp  5.2MB
  memory/4284-47-0x0000000007500000-0x0000000007550000-memory.dmp  320KB