Analysis
- max time kernel: 153s
- max time network: 197s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-08-2021 09:02
Static task: static1
Behavioral task: behavioral1
- Sample: d86d71d53b351a9d3c585b7e8b24d525.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: d86d71d53b351a9d3c585b7e8b24d525.exe
- Resource: win10v20210408
General
- Target: d86d71d53b351a9d3c585b7e8b24d525.exe
- Size: 180KB
- MD5: d86d71d53b351a9d3c585b7e8b24d525
- SHA1: 590a404f7a297f97a8bf78f072a152c7ebdea277
- SHA256: eaa52f460d64093ebcf267e2fa4ebe342b31ee442127afe065892b790409eb33
- SHA512: d52dad0397efd9c9973b754d63e710ce04916672acfb4e25f492d597aed944c287744804eec4b267665aea023ac4cd3f9e928a1800fed9db1af9f5681d971a97
Malware Config (extracted)
- Family: smokeloader
- Version: 2020
Signatures
- RedLine: RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\4700.exe | family_redline
  C:\Users\Admin\AppData\Local\Temp\4E9F.exe | family_redline
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid | process
  1800 | 3D7D.exe
  1676 | 4700.exe
  1008 | 4E9F.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs): BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4700.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4700.exe
- Deletes itself (1 IoC)
  pid | process
  1192 | (process name not recorded)
- Themida (yara rule matches, 3 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\4700.exe | themida
  behavioral1/memory/1676-72-0x00000000013D0000-0x00000000013D1000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\4E9F.exe | themida
- Checks whether UAC is enabled (1 IoC)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4700.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | process
  1676 | 4700.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1248 set thread context of 1728 | 1248 | d86d71d53b351a9d3c585b7e8b24d525.exe | d86d71d53b351a9d3c585b7e8b24d525.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs): SCSI information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d86d71d53b351a9d3c585b7e8b24d525.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1728 | d86d71d53b351a9d3c585b7e8b24d525.exe (2 entries)
  1192 | (process name not recorded) (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1192 | (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1728 | d86d71d53b351a9d3c585b7e8b24d525.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 1192 | (process name not recorded) (3 entries)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process
  1192 | (process name not recorded) (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid | process
  1192 | (process name not recorded) (4 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1800 | 3D7D.exe
- Suspicious use of WriteProcessMemory (25 IoCs)
  description | pid | process | target process
  PID 1248 wrote to memory of 1728 | 1248 | d86d71d53b351a9d3c585b7e8b24d525.exe | d86d71d53b351a9d3c585b7e8b24d525.exe (7 entries)
  PID 1192 wrote to memory of 1800 | 1192 | (process name not recorded) | 3D7D.exe (4 entries)
  PID 1192 wrote to memory of 1676 | 1192 | (process name not recorded) | 4700.exe (7 entries)
  PID 1192 wrote to memory of 1008 | 1192 | (process name not recorded) | 4E9F.exe (7 entries)
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"
  PID: 1248
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process:
    Image: C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"
    PID: 1728
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- Image: C:\Users\Admin\AppData\Local\Temp\3D7D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3D7D.exe
  PID: 1800
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- Image: C:\Users\Admin\AppData\Local\Temp\4700.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4700.exe
  PID: 1676
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
- Image: C:\Users\Admin\AppData\Local\Temp\4E9F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4E9F.exe
  PID: 1008
  - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\3D7D.exe
  MD5: a69e12607d01237460808fa1709e5e86
  SHA1: 4a12f82aee1c90e70cdf6be863ce1a749c8ae411
  SHA256: 188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
  SHA512: 7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
- C:\Users\Admin\AppData\Local\Temp\4700.exe
  MD5: 1e0e17859c0a32b53ae0bafc4e55563b
  SHA1: 590ef228cac03f6da4bdbc1b7e40557d61a3a043
  SHA256: 76d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
  SHA512: 4494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
- C:\Users\Admin\AppData\Local\Temp\4E9F.exe
  MD5: 59c690680f9f34cb23d2c3353f8205ea
  SHA1: 1bc6a815d43eec601454dfb720c80ca046e9a125
  SHA256: d6d47982016b513dfa7da883e9be374f0663fef49a7858195e88a4fa14e4086c
  SHA512: aa4c0be25b1a49c34acddb23a4421aad3a963abf3b4bfe825aa8c8db90d952e675609f6b16392b8b482eac13c1dbe1e2c9ae16d4eef4d35fcf97e882291f12e3
- memory/1008-74-0x0000000000000000-mapping.dmp
- memory/1192-64-0x0000000002B50000-0x0000000002B66000-memory.dmp (Filesize: 88KB)
- memory/1248-63-0x00000000001C0000-0x00000000001CA000-memory.dmp (Filesize: 40KB)
- memory/1676-69-0x0000000000000000-mapping.dmp
- memory/1676-72-0x00000000013D0000-0x00000000013D1000-memory.dmp (Filesize: 4KB)
- memory/1728-62-0x00000000769B1000-0x00000000769B3000-memory.dmp (Filesize: 8KB)
- memory/1728-61-0x0000000000402E1A-mapping.dmp
- memory/1728-60-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1800-65-0x0000000000000000-mapping.dmp