Analysis
max time kernel: 153s
max time network: 153s
platform: windows7_x64
resource: win7v20210410
submitted: 13-08-2021 07:58
Static task: static1
Behavioral task: behavioral1 (Sample: c86c3183fa6d592afe2d5d3f5ab2102f.exe, Resource: win7v20210410)
Behavioral task: behavioral2 (Sample: c86c3183fa6d592afe2d5d3f5ab2102f.exe, Resource: win10v20210408)
General
Target: c86c3183fa6d592afe2d5d3f5ab2102f.exe
Size: 180KB
MD5: c86c3183fa6d592afe2d5d3f5ab2102f
SHA1: 9d0b8ccfad76fdb0a4c7a5c33bcbc22382d925d7
SHA256: 33a4297298b2ca7b92d4462884eb53abda20d500998e1edb4bc8e7cb646bba1f
SHA512: 04adde0aca8cf31f508a517171d0ae1b9c0749a1a50ec0120e69ca527193c63cee1f82e4f6ce4f5831ffe4e406e1b371c3dcbac2a9008703868b54c07a8f6057
Malware Config
Extracted: smokeloader (2020)
Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (6 IoCs)
  Processes (pid, process):
  268   28C5.exe
  624   2CBC.exe
  1932  2FC9.exe
  524   31CD.exe
  1152  Runtimebroker.exe
  1388  3F07.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  3F07.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   3F07.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  1200  (no process name)
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  624   2CBC.exe
  624   2CBC.exe
- Yara rule match
  Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\3F07.exe                                    themida
  behavioral1/memory/1388-92-0x0000000000030000-0x0000000000031000-memory.dmp  themida
- Checks whether UAC is enabled
  Processes (description, ioc, process):
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  3F07.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid, process):
  1388  3F07.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 1076 set thread context of 1260  1076  c86c3183fa6d592afe2d5d3f5ab2102f.exe  c86c3183fa6d592afe2d5d3f5ab2102f.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c86c3183fa6d592afe2d5d3f5ab2102f.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c86c3183fa6d592afe2d5d3f5ab2102f.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c86c3183fa6d592afe2d5d3f5ab2102f.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process; identical rows collapsed):
  1260  c86c3183fa6d592afe2d5d3f5ab2102f.exe  (2 entries)
  1200  (no process name; all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  1200  (no process name)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  1260  c86c3183fa6d592afe2d5d3f5ab2102f.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
  Token: SeShutdownPrivilege  1200  (no process name)
  Token: SeShutdownPrivilege  1200  (no process name)
  Token: SeDebugPrivilege     1388  3F07.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes (pid, process):
  1200  (no process name; 4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
  1200  (no process name; 4 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  268   28C5.exe
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (description, pid, process, target process; identical rows collapsed with a count):
  PID 1076 wrote to memory of 1260  1076  c86c3183fa6d592afe2d5d3f5ab2102f.exe  c86c3183fa6d592afe2d5d3f5ab2102f.exe  (x7)
  PID 1200 wrote to memory of 268   1200  (no process name)  28C5.exe  (x4)
  PID 1200 wrote to memory of 624   1200  (no process name)  2CBC.exe  (x4)
  PID 1200 wrote to memory of 1932  1200  (no process name)  2FC9.exe  (x4)
  PID 624 wrote to memory of 1152   624   2CBC.exe  Runtimebroker.exe  (x4)
  PID 1200 wrote to memory of 524   1200  (no process name)  31CD.exe  (x4)
  PID 1200 wrote to memory of 1388  1200  (no process name)  3F07.exe  (x7)
  PID 1932 wrote to memory of 1984  1932  2FC9.exe  cmd.exe  (x4)
Processes
- C:\Users\Admin\AppData\Local\Temp\c86c3183fa6d592afe2d5d3f5ab2102f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c86c3183fa6d592afe2d5d3f5ab2102f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\c86c3183fa6d592afe2d5d3f5ab2102f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c86c3183fa6d592afe2d5d3f5ab2102f.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\28C5.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\28C5.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\2CBC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2CBC.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - Child process: C:\ProgramData\Runtimebroker.exe
    Command line: "C:\ProgramData\Runtimebroker.exe"
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\2FC9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2FC9.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    - Drops startup file
- C:\Users\Admin\AppData\Local\Temp\31CD.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\31CD.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\3F07.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3F07.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Runtimebroker.exe
  MD5:    4f2f17aaf39970811b9f822b1496dc01
  SHA1:   bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
  SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
  SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9
- C:\Users\Admin\AppData\Local\Temp\28C5.exe
  MD5:    a69e12607d01237460808fa1709e5e86
  SHA1:   4a12f82aee1c90e70cdf6be863ce1a749c8ae411
  SHA256: 188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
  SHA512: 7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
- C:\Users\Admin\AppData\Local\Temp\2CBC.exe
  MD5:    4f2f17aaf39970811b9f822b1496dc01
  SHA1:   bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
  SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
  SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9
- C:\Users\Admin\AppData\Local\Temp\2FC9.exe
  MD5:    fca71e7a0ce2ad16e265ef018754f83e
  SHA1:   93d3405d5182792ca7c5751074b5b0f84db55a75
  SHA256: 225f7736bb84bbdbec725c94304bc872a194072fa00978c4c9aa4d5ad14ee571
  SHA512: 2203c807007135c3f565fe2de1d93c5f1c0b5fe10176fd78f6ef620244480b431ca9025ecc57ededf9037cd3fb796991debd3e942f89352383f03e3c72942b3a
- C:\Users\Admin\AppData\Local\Temp\2FC9.exe
  MD5:    b19ac380411ed5d8b5a7e7e0c1da61a6
  SHA1:   9665c20336a5ce437bbf7b564370bfa43e99954c
  SHA256: aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
  SHA512: 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
- C:\Users\Admin\AppData\Local\Temp\31CD.exe
  MD5:    5707ddada5b7ea6bef434cd294fa12e1
  SHA1:   45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
- C:\Users\Admin\AppData\Local\Temp\3F07.exe
  MD5:    717d65dba56f47e540dca074c3977b3d
  SHA1:   d58aa30f826f41663e693f0ad930fdce584f1672
  SHA256: 61fb1160ae372d9ba1c95400d5439450c6a66cdf073fa50ee2d5d10c4952cbb3
  SHA512: b06e4358411eb8f6315c574922c021bd57218b3e6a0ed727df6b44e20e7818d40fb0347050ce9145ea7e0fd56a7fa93a2358e524c0df030d6d44067c7c83510d
- C:\Users\Admin\AppData\Local\Temp\s.bat
  MD5:    cabe7cc35b425be9d50ca033769574bb
  SHA1:   788364a91f5ea9bedae369b76813c2833f6e9652
  SHA256: 44f264134bb4ad3cb1d7d5d01a73e7ecf2615588a79d4260df650e102d2c5004
  SHA512: a3461af102b17d1c0c22c61737d6a7724c6f87eaffdb347bcd5fcdf64e312be048c041b4242e4e42e2cc1a68fdfc3fb251c5449a0d50f2f7f89bb2b531e72e25
- \ProgramData\Runtimebroker.exe
  MD5:    4f2f17aaf39970811b9f822b1496dc01
  SHA1:   bf89cf8fbf826b02d4d3eebe8ef3aee1455dc876
  SHA256: 3ea9f73f3772290bdfe770b50dc7c726098b6712d327acc90200b31980c8576b
  SHA512: 44c35d1b0188a05c65fb5089ab5c6c5fb4baf65d3e6d065c96db167a5cccf344185a40fda256da69f518275670ca3e0bc1097064edb8cf0ac0c2c604cd1368a9
- memory/268-65-0x0000000000000000-mapping.dmp
- memory/524-97-0x00000000009F0000-0x00000000009F1000-memory.dmp  Filesize: 4KB
- memory/524-80-0x0000000000000000-mapping.dmp
- memory/524-94-0x0000000001270000-0x0000000001271000-memory.dmp  Filesize: 4KB
- memory/624-76-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
- memory/624-69-0x0000000000000000-mapping.dmp
- memory/624-75-0x0000000000270000-0x00000000002AB000-memory.dmp  Filesize: 236KB
- memory/1076-63-0x0000000000220000-0x000000000022A000-memory.dmp  Filesize: 40KB
- memory/1152-85-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
- memory/1152-79-0x0000000000000000-mapping.dmp
- memory/1200-64-0x0000000002B60000-0x0000000002B76000-memory.dmp  Filesize: 88KB
- memory/1260-62-0x00000000766D1000-0x00000000766D3000-memory.dmp  Filesize: 8KB
- memory/1260-61-0x0000000000402E1A-mapping.dmp
- memory/1260-60-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
- memory/1388-88-0x0000000000000000-mapping.dmp
- memory/1388-92-0x0000000000030000-0x0000000000031000-memory.dmp  Filesize: 4KB
- memory/1388-96-0x0000000004EB0000-0x0000000004EB1000-memory.dmp  Filesize: 4KB
- memory/1932-73-0x0000000000000000-mapping.dmp
- memory/1932-98-0x0000000004E70000-0x0000000005081000-memory.dmp  Filesize: 2.1MB
- memory/1932-99-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
- memory/1932-87-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
- memory/1932-86-0x0000000002FD0000-0x0000000003213000-memory.dmp  Filesize: 2.3MB
- memory/1984-101-0x0000000000000000-mapping.dmp