Analysis

max time kernel: 153s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-04-2024 04:41

Static task: static1

Behavioral task: behavioral1
Sample: 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Resource: win10v2004-20240226-en

Behavioral task: behavioral2
Sample: 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Resource: win11-20240412-en

The signatures, process tree, dropped files and memory dumps on this page all come from behavioral1 (the Windows 10 run; every YARA match path below starts with behavioral1/). The behavioral2 (Windows 11) results are not reproduced here.
General

Target: 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
Size: 324KB
MD5: b53fd458a492bc8159c7343ff6facaf9
SHA1: 2ad05ffaf407e06a2e41216f66a3839f8d107273
SHA256: 30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9
SHA512: 1392b9b8ec4dd8105edd3b1361db62be6c160dc56263e194fab03ee5a2006ef6e33d25c37a2bae440f894a5a1fc45d0c3555c1c3160fc7b00fc2b1ef1f87f9bc
SSDEEP: 3072:Vb1H04IyGEONN+odMzT9DkIbG9BLYmiFjDX845HaGexW4z6xJ6CP3xgpG:btN7eNsk21JHcGeNJCP
Malware Config

Extracted: smokeloader
  pub1

Extracted: smokeloader
  Version: 2022
  C2:
    http://trad-einmyus.com/index.php
    http://tradein-myus.com/index.php
    http://trade-inmyus.com/index.php

Extracted: redline
  Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
  C2: 5.42.65.50:33080

The three SmokeLoader gates are the same name with the hyphen moved (trad-einmyus, tradein-myus, trade-inmyus); a block or hunt that covers only one of them misses the fallback hosts. The RedLine C2 is a bare IP and port rather than a hostname, so DNS-based controls do not see it; it has to be matched on flow or proxy data.
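The three SmokeLoader gates and the RedLine C2 above are the network indicators a defender hunts first. The following is an added example, not part of the sandbox report or of any analysis tooling: a small Python hunter that pulls host/port endpoints out of DNS, proxy and flow log lines and matches them against the extracted config. The log lines and the key=value field names (query=, url=, dst=) are constructed for the demonstration and are assumptions about the log format.

```python
"""Hunt for this report's SmokeLoader and RedLine network indicators in
DNS, proxy and flow logs. Added example; not part of the sandbox report.
The log lines are constructed for the demonstration and the key=value
log format is an assumption, so adapt extract_endpoints() to your source."""
import re
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators copied from the extracted configs above.
SMOKELOADER_C2_URLS = [
    "http://trad-einmyus.com/index.php",
    "http://tradein-myus.com/index.php",
    "http://trade-inmyus.com/index.php",
]
REDLINE_C2_IP, REDLINE_C2_PORT = "5.42.65.50", 33080

SMOKELOADER_HOSTS = sorted({urlsplit(u).hostname for u in SMOKELOADER_C2_URLS})

# Constructed sample lines (not real telemetry): a DNS query, a proxy POST to
# a SmokeLoader gate, a flow to the RedLine C2, a benign flow, and a look-alike
# domain that must NOT match.
SAMPLE_LOGS = [
    "2024-04-21T04:42:01Z dns client=10.0.0.15 query=trad-einmyus.com type=A",
    "2024-04-21T04:42:02Z proxy src=10.0.0.15 method=POST url=http://tradein-myus.com/index.php status=200",
    "2024-04-21T04:42:05Z flow src=10.0.0.15:51822 dst=5.42.65.50:33080 proto=tcp bytes=4096",
    "2024-04-21T04:42:07Z flow src=10.0.0.15:51823 dst=93.184.216.34:443 proto=tcp bytes=1200",
    "2024-04-21T04:43:00Z dns client=10.0.0.22 query=trade-inmyus.com.example.internal type=A",
]

FIELD_RE = re.compile(r"\b(?:query|url|dst)=(\S+)")


def extract_endpoints(line: str) -> Iterator[Tuple[str, Optional[int]]]:
    """Yield (host, port) from the query=, url= and dst= fields of one line."""
    for raw in FIELD_RE.findall(line):
        if "://" in raw:                       # full URL: let urlsplit parse it
            parts = urlsplit(raw)
            yield (parts.hostname or "").rstrip("."), parts.port
        else:                                  # bare host or host:port
            host, sep, port = raw.rpartition(":")
            if sep and port.isdigit():
                yield host.lower().rstrip("."), int(port)
            else:
                yield raw.lower().rstrip("."), None


def classify(host: str) -> Optional[str]:
    """Name the family a host belongs to. A domain matches itself or any
    subdomain of it, so trade-inmyus.com.example.internal does not match."""
    for c2 in SMOKELOADER_HOSTS:
        if host == c2 or host.endswith("." + c2):
            return "smokeloader"
    if host == REDLINE_C2_IP:
        return "redline"
    return None


def hunt(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, family, indicator, confidence) for every hit."""
    hits = []
    for n, line in enumerate(lines):
        for host, port in extract_endpoints(line):
            family = classify(host)
            if family is None:
                continue
            indicator = f"{host}:{port}" if port is not None else host
            # The RedLine IP may host other services; only the configured port is high confidence.
            confidence = "low" if family == "redline" and port != REDLINE_C2_PORT else "high"
            hits.append((n, family, indicator, confidence))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Matching on the whole label (domain or a subdomain of it) rather than a substring is the point of classify(): a substring match on "trade-inmyus.com" would also fire on unrelated names that merely contain it. The confidence split for the RedLine IP reflects that a shared-hosting address is a weaker indicator than the address plus the configured port.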
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (3 IoCs)
yara rule family_redline matched:
  behavioral1/memory/4784-21-0x0000000000690000-0x000000000070F000-memory.dmp
  behavioral1/memory/2800-22-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral1/memory/4784-23-0x0000000000690000-0x000000000070F000-memory.dmp
(pid 4784 is the dropped 9BB.exe; pid 2800 is the RegAsm.exe it writes the payload into, see SetThreadContext below)

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Deletes itself (1 IoC)
pid 3332 (the report records no process name for this pid)

Executes dropped EXE (1 IoC)
pid 4784, 9BB.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
PID 4784 (9BB.exe) set thread context of PID 2800 (RegAsm.exe)
Writing into RegAsm.exe (eight WriteProcessMemory IoCs below) and then setting its thread context is the process-hollowing pattern: the RedLine payload runs under the name of a legitimate .NET Framework utility, which is why the family_redline rule also matches inside pid 2800.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the subkey names under Enum\SCSI embed the disk vendor and product strings, which on a virtual machine typically name the hypervisor.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe)
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe)
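What this check actually reads, as an added example written for this page (not code recovered from the sample): the subkey names under Enum\SCSI carry the disk vendor and product strings, so a VirtualBox guest exposes names such as Disk&Ven_VBOX&Prod_HARDDISK. The decision logic is kept separate from the Windows registry read so it can be exercised with constructed key names on any OS. The marker list, the constructed key names and the looks_like_sandbox() helper are assumptions; the sample's own string list is not in the report.

```python
"""What the 'Checks SCSI registry key(s)' signature above is looking at.
Added example, not code from the sample: the decision logic is separate from
the registry read so it can run with constructed key names on any OS.
The marker list is an assumption; the sample's own string list is not in the report."""
import re
from typing import Iterable, List

# Vendor/product fragments that identify a virtual disk controller. Hyper-V's
# "Msft Virtual Disk" and VMware's "VMware Virtual disk" both hit "virtual".
VM_MARKERS = re.compile(r"vmware|vbox|virtualbox|qemu|virtual|xen", re.IGNORECASE)


def vm_markers_in(scsi_entries: Iterable[str]) -> List[str]:
    """Return the Enum\\SCSI subkey names that look like a hypervisor device."""
    return [entry for entry in scsi_entries if VM_MARKERS.search(entry)]


def looks_like_sandbox(scsi_entries: Iterable[str]) -> bool:
    """The decision the sample makes: any hypervisor-looking disk means 'analysis box'."""
    return bool(vm_markers_in(scsi_entries))


def read_scsi_entries() -> List[str]:
    """Enumerate HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI, the key the sample opens,
    queries and enumerates (Windows only; winreg is imported lazily)."""
    import winreg
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


# Constructed key names: what a VirtualBox guest and a physical workstation typically expose.
SANDBOX_ENTRIES = ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"]
BAREMETAL_ENTRIES = ["Disk&Ven_NVMe&Prod_Samsung_SSD_970", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD"]

if __name__ == "__main__":
    try:
        entries = read_scsi_entries()
    except (ImportError, OSError):   # not on Windows, or key missing: use the constructed data
        entries = SANDBOX_ENTRIES
    print(looks_like_sandbox(entries), vm_markers_in(entries))
```

For a sandbox operator the useful output is the list of strings that trip the check; the fix is to change the emulated disk vendor and product identifiers in the hypervisor configuration so that the names under Enum\SCSI no longer name the hypervisor. Note that the sample reads ControlSet001 directly rather than CurrentControlSet, so renaming only the live control set would not help if they differ.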
Modifies system certificate store (2 IoCs)
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 (RegAsm.exe)
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob not reproduced on this page] (RegAsm.exe)
A write under the machine ROOT store installs a trusted root CA for every user on the host. The certificate's subject is not in the report, so the thumbprint is the indicator: on a suspect host, certutil -store Root F1A578C4CB5DE79A370893983FD4DA8B67B2B064 shows whether it is present.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 3016 (30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe): 2 entries
pid 3332 (no process name recorded): 62 entries

Suspicious behavior: MapViewOfSection (1 IoC)
pid 3016 (30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
pid 3332: SeShutdownPrivilege and SeCreatePagefilePrivilege, enabled alternately, 9 times each (18 entries)
pid 2800 (RegAsm.exe): SeDebugPrivilege (1 entry)
A legitimate RegAsm.exe has no need for SeDebugPrivilege; the request comes from the injected RedLine code.

Suspicious use of WriteProcessMemory (15 IoCs)
PID 3332 wrote to memory of 4512 (cmd.exe): 2 entries
PID 4512 (cmd.exe) wrote to memory of 1932 (reg.exe): 2 entries
PID 3332 wrote to memory of 4784 (9BB.exe): 3 entries
PID 4784 (9BB.exe) wrote to memory of 2800 (RegAsm.exe): 8 entries
The two or three writes a parent makes into each child it starts are the normal process-parameter setup at creation; the eight writes from 9BB.exe into RegAsm.exe are the payload being copied in before SetThreadContext.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3016

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7579.bat" "
  - Suspicious use of WriteProcessMemory
  PID: 4512
    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      PID: 1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3740 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 1140
  (Edge utility process from the analysis image; no signature is attributed to it)

C:\Users\Admin\AppData\Local\Temp\9BB.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9BB.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4784
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      PID: 2800

cmd.exe (4512) and 9BB.exe (4784) appear at the top level because their parent, pid 3332, is not part of the captured tree; the WriteProcessMemory IoCs above show 3332 starting both, and the same pid carries the "Deletes itself" signature. The HKCU\Software\clicker\key value (primary = 1) written by reg.exe is a host-level marker worth adding to the indicator list alongside the file hashes below.
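The process tree and the SetThreadContext, WriteProcessMemory, certificate-store and reg.exe entries above describe three behaviours that are observable from endpoint telemetry. The following added example (not part of the report and not any vendor's detection content) encodes them as rules over Sysmon-style events (Event ID 1 ProcessCreate, Event ID 13 RegistryEvent SetValue). The events are constructed to mirror the PIDs and paths in the tree; the hollowing-host list beyond RegAsm.exe, the user-writable path pattern and the certificate-writer allow-list are assumptions to tune for your environment.

```python
"""Detection logic for the behaviours in the process tree above, run over
constructed Sysmon-style events (Event ID 1 ProcessCreate, Event ID 13
RegistryEvent SetValue). Added example, not part of the report; the sample
events mirror the tree's PIDs and paths, while the host list, path patterns
and allow-list are assumptions to tune locally."""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# .NET Framework utilities abused as hollowing hosts. RegAsm.exe is the one in this
# report; the others are an assumption based on the same tradecraft.
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\|\\Downloads\\|\\Users\\Public\\|\\ProgramData\\", re.I)
ROOT_CERT_BLOB = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\([0-9A-F]{40})\\Blob$", re.I)
CERT_WRITERS_OK = {"certutil.exe", "mmc.exe", "lsass.exe", "svchost.exe"}   # assumption: tune per estate
TEMP_BATCH = re.compile(r'\\Temp\\[^\s"]+\.bat\b', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(command_line: str) -> bool:
    """True if anything follows the image token, whether the token is quoted or bare."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        rest = s[end + 1:] if end != -1 else ""
    else:
        rest = s.partition(" ")[2]
    return rest.strip() != ""


def rule_hollow_host(ev: Event) -> Optional[str]:
    """A hollowing host started with an empty command line by a binary in a
    user-writable directory (9BB.exe -> RegAsm.exe in the tree above)."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in HOLLOW_HOSTS:
        return None
    if has_arguments(ev["CommandLine"]) or not USER_WRITABLE.search(ev["ParentImage"]):
        return None
    return (f"{basename(ev['Image'])} pid {ev['ProcessId']} started with no arguments "
            f"by {ev['ParentImage']} (pid {ev['ParentProcessId']})")


def rule_root_cert_write(ev: Event) -> Optional[str]:
    """A certificate Blob written under the machine ROOT store by an unexpected image."""
    if ev["EventID"] != 13:
        return None
    m = ROOT_CERT_BLOB.search(ev["TargetObject"])
    if not m or basename(ev["Image"]) in CERT_WRITERS_OK:
        return None
    return f"root certificate {m.group(1).upper()} installed by {ev['Image']} (pid {ev['ProcessId']})"


def rule_batch_reg_marker(ev: Event) -> Optional[str]:
    """reg.exe add launched by cmd.exe running a .bat from Temp (the 7579.bat step above)."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "reg.exe":
        return None
    if " add " not in f" {ev['CommandLine'].lower()} ":
        return None
    if basename(ev["ParentImage"]) != "cmd.exe" or not TEMP_BATCH.search(str(ev.get("ParentCommandLine", ""))):
        return None
    return f"reg.exe add from a Temp batch file: {ev['CommandLine']}"


RULES: List[Tuple[str, Callable[[Event], Optional[str]]]] = [
    ("hollow_host", rule_hollow_host),
    ("root_cert_write", rule_root_cert_write),
    ("batch_reg_marker", rule_batch_reg_marker),
]


def detect(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, message) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((i, name, msg))
    return alerts


# Constructed events mirroring the process tree above (the first three) plus two
# benign look-alikes that must not fire.
EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 2800, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentProcessId": 4784, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\9BB.exe",
     "ParentCommandLine": r"C:\Users\Admin\AppData\Local\Temp\9BB.exe"},
    {"EventID": 13, "ProcessId": 2800, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob"},
    {"EventID": 1, "ProcessId": 1932, "Image": r"C:\Windows\system32\reg.exe",
     "CommandLine": r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
     "ParentProcessId": 4512, "ParentImage": r"C:\Windows\system32\cmd.exe",
     "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7579.bat" "'},
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase "C:\Program Files\Contoso\Contoso.dll"',
     "ParentProcessId": 900, "ParentImage": r"C:\Windows\System32\msiexec.exe", "ParentCommandLine": "msiexec.exe /i contoso.msi"},
    {"EventID": 13, "ProcessId": 6000, "Image": r"C:\Windows\System32\certutil.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The hollowing rule keys on the empty command line plus a parent in a user-writable path rather than on RegAsm.exe alone, because RegAsm.exe is started legitimately by installers with arguments such as /codebase; the fourth constructed event shows that case not firing. Sysmon's ProcessAccess event (ID 10) is deliberately not used here: a parent that creates the child already holds a full handle and does not call OpenProcess, so hollowing from a parent does not produce that event.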
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\7579.bat
Filesize: 77B
MD5: 55cc761bf3429324e5a0095cab002113
SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\9BB.exe
Filesize: 491KB
MD5: 7b7b5d55a8337975ed0ab4f9f426d525
SHA1: d89bfa223df289305074dcf9b9a7d15b65e0634c
SHA256: 70832e266e86d980fbe532bc2a8f8409f3421284ddf0f7cb09fd2c8484da047a
SHA512: b46b2758f5bb8028e9d53dfeb16b2522a06d65e98602508d4447ac23c42876558c33127092f11b98f8a18b0d306a733e4e4d992dc3e51946cb34549956383faa

C:\Users\Admin\AppData\Local\Temp\Tmp6CBA.tmp
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize: 2KB
MD5: 417a135c520fac3f0f4549a455f91dc0
SHA1: c52989546620d45529374028c7a2a325842efc06
SHA256: 3195500480fcb19a941c3ff9dda874a70388e9b306e9ad90c3f0ee3e40022a9c
SHA512: fc4709ebaa0ce2107c5ef7343de22ce1dac0cc1c29b989fed33f011edd8db7015693cb48cf40668b94178b66f4fff5ae3caed7d499ee7d87b1868493171f5c10

C:\Users\Public\Desktop\Google Chrome.lnk
Filesize: 2KB
MD5: dba4c9da0667b893c996fe4158a6283c
SHA1: 4a39bc4dab3997076369f623d2a7506ced7b88ce
SHA256: e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07
SHA512: 5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Of these, 7579.bat and 9BB.exe are the files the process tree ties to the sample (7579.bat is run by cmd.exe 4512; 9BB.exe is the dropped RedLine loader, pid 4784). The two browser .lnk shortcuts and Tmp6CBA.tmp are not referenced by any signature above; treat their hashes as environment artefacts rather than sample indicators until the files themselves have been examined.
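The hashes in this section are most useful as a sweep list. As an added example (not from the report), the Python below hashes every file under a root with MD5, SHA1 and SHA256 in one read pass and reports any digest present in the table, so a feed that carries only one hash type still matches. The table holds the report's values for the sample, 7579.bat and 9BB.exe; demo() runs the sweep over a temporary directory containing a constructed stand-in file whose digest is added to the table at run time, because the real dropped files are not reproduced here.

```python
"""Sweep a directory tree for the files listed above by hash. Added example, not
part of the report. The indicator table is copied from the Downloads section; the
directory walked in demo() is a temporary one filled with constructed files, so the
only match there is a stand-in whose digest is added to the table at run time."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# MD5 and SHA256 of the files the report attributes to this run (and of the sample
# itself), keyed by digest so any one hash type from a feed is enough to match.
KNOWN_BAD: Dict[str, str] = {
    "55cc761bf3429324e5a0095cab002113": "7579.bat (batch run by cmd.exe, spawns reg add)",
    "d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a": "7579.bat (batch run by cmd.exe, spawns reg add)",
    "7b7b5d55a8337975ed0ab4f9f426d525": "9BB.exe (dropped RedLine loader)",
    "70832e266e86d980fbe532bc2a8f8409f3421284ddf0f7cb09fd2c8484da047a": "9BB.exe (dropped RedLine loader)",
    "b53fd458a492bc8159c7343ff6facaf9": "SmokeLoader sample",
    "30c188b8b015cd09e21c82db0f53c74153fd0415ff096625501ff16df1e75de9": "SmokeLoader sample",
}


def digests(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """MD5, SHA1 and SHA256 of one file, computed in a single read pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, known: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path relative to root, matching hash type, label) for every file
    whose MD5, SHA1 or SHA256 appears in `known`."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        for name, digest in digests(path).items():
            if digest in known:
                hits.append((path.relative_to(root).as_posix(), name, known[digest]))
                break
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Populate a temp tree with one constructed stand-in and one clean file, then sweep it."""
    stand_in = b"constructed stand-in for a dropped file\r\n"   # not the real 7579.bat
    known = dict(KNOWN_BAD)
    known[hashlib.sha1(stand_in).hexdigest()] = "constructed stand-in (matched on SHA1)"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drop_dir = root / "AppData" / "Local" / "Temp"
        drop_dir.mkdir(parents=True)
        (drop_dir / "7579.bat").write_bytes(stand_in)
        (root / "readme.txt").write_bytes(b"nothing of interest\n")
        return sweep(root, known)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hashing in one pass matters on a user profile with tens of thousands of files: reading each file three times to produce three digests is the usual cause of a slow sweep. The break after the first matching digest keeps one file from being reported once per hash type.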
Memory dumps (name encodes pid, dump index and virtual address range)

memory/2800-54-0x0000000006DC0000-0x0000000006DD2000-memory.dmp: 72KB
memory/2800-57-0x0000000005830000-0x0000000005840000-memory.dmp: 64KB
memory/2800-65-0x0000000008620000-0x0000000008B4C000-memory.dmp: 5.2MB
memory/2800-64-0x0000000007F20000-0x00000000080E2000-memory.dmp: 1.8MB
memory/2800-22-0x0000000000400000-0x0000000000452000-memory.dmp: 328KB
memory/2800-61-0x0000000005830000-0x0000000005840000-memory.dmp: 64KB
memory/2800-24-0x0000000074AC0000-0x0000000075270000-memory.dmp: 7.7MB
memory/2800-25-0x0000000005E20000-0x00000000063C4000-memory.dmp: 5.6MB
memory/2800-26-0x0000000005870000-0x0000000005902000-memory.dmp: 584KB
memory/2800-27-0x0000000005830000-0x0000000005840000-memory.dmp: 64KB
memory/2800-28-0x0000000005960000-0x000000000596A000-memory.dmp: 40KB
memory/2800-60-0x0000000005A80000-0x0000000005AD0000-memory.dmp: 320KB
memory/2800-45-0x0000000006550000-0x00000000065C6000-memory.dmp: 472KB
memory/2800-46-0x0000000006CF0000-0x0000000006D0E000-memory.dmp: 120KB
memory/2800-47-0x0000000074AC0000-0x0000000075270000-memory.dmp: 7.7MB
memory/2800-59-0x00000000070F0000-0x0000000007156000-memory.dmp: 408KB
memory/2800-58-0x0000000005830000-0x0000000005840000-memory.dmp: 64KB
memory/2800-52-0x0000000007330000-0x0000000007948000-memory.dmp: 6.1MB
memory/2800-53-0x0000000006E80000-0x0000000006F8A000-memory.dmp: 1.0MB
memory/2800-56-0x0000000006F90000-0x0000000006FDC000-memory.dmp: 304KB
memory/2800-55-0x0000000006E20000-0x0000000006E5C000-memory.dmp: 240KB
memory/3016-1-0x0000000001BF0000-0x0000000001CF0000-memory.dmp: 1024KB
memory/3016-8-0x0000000001BC0000-0x0000000001BCB000-memory.dmp: 44KB
memory/3016-2-0x0000000001BC0000-0x0000000001BCB000-memory.dmp: 44KB
memory/3016-3-0x0000000000400000-0x0000000001A1C000-memory.dmp: 22.1MB
memory/3016-5-0x0000000000400000-0x0000000001A1C000-memory.dmp: 22.1MB
memory/3332-4-0x00000000026B0000-0x00000000026C6000-memory.dmp: 88KB
memory/4784-23-0x0000000000690000-0x000000000070F000-memory.dmp: 508KB
memory/4784-21-0x0000000000690000-0x000000000070F000-memory.dmp: 508KB

The dumps the family_redline rule matched are 4784-21, 4784-23 (the same 508KB region of 9BB.exe, captured twice) and 2800-22. The last one starts at 0x400000, the image base of the hollowed RegAsm.exe, and is the region to carve the unpacked RedLine executable from; the 3332-4 dump is the only memory captured from the unnamed pid 3332.