Analysis
-
max time kernel
152s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-08-2021 09:02
General
-
Target
d86d71d53b351a9d3c585b7e8b24d525.exe
-
Size
180KB
-
MD5
d86d71d53b351a9d3c585b7e8b24d525
-
SHA1
590a404f7a297f97a8bf78f072a152c7ebdea277
-
SHA256
eaa52f460d64093ebcf267e2fa4ebe342b31ee442127afe065892b790409eb33
-
SHA512
d52dad0397efd9c9973b754d63e710ce04916672acfb4e25f492d597aed944c287744804eec4b267665aea023ac4cd3f9e928a1800fed9db1af9f5681d971a97
Malware Config
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 32 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"C:\Users\Admin\AppData\Local\Temp\d86d71d53b351a9d3c585b7e8b24d525.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7AFD.exeC:\Users\Admin\AppData\Local\Temp\7AFD.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\82BE.exeC:\Users\Admin\AppData\Local\Temp\82BE.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\887C.exeC:\Users\Admin\AppData\Local\Temp\887C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 7322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 7442⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 7482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 8802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 11842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 11882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 13442⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 13282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 11522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 13202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 14082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 15202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 15802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 13882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 13362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 15402⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 16482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 15202⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 17682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 18282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 16762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 19322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 19642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 20282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 16682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 18762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 20362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 20322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 18562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 17682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 18082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 17082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7AFD.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\7AFD.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\82BE.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\82BE.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\887C.exeMD5
fa5832dd51887a1b02c0ec71fc4b69b4
SHA14465429197dae92d5bcf35148cbcd5087a360c03
SHA256a5316932344a3c83e2e2bddb6cb19d73ce03fc820c20a573d5e7866071a84a5e
SHA512aaf2e99bc0f3009c08a5f43b8d1a48da36d06d7c6b93e2d1c2974e7412f3b5d008cff71a66ff9ad37d54b30de5872d5362b965c60a42f483b0a0c457102b0b07
-
C:\Users\Admin\AppData\Local\Temp\887C.exeMD5
fa5832dd51887a1b02c0ec71fc4b69b4
SHA14465429197dae92d5bcf35148cbcd5087a360c03
SHA256a5316932344a3c83e2e2bddb6cb19d73ce03fc820c20a573d5e7866071a84a5e
SHA512aaf2e99bc0f3009c08a5f43b8d1a48da36d06d7c6b93e2d1c2974e7412f3b5d008cff71a66ff9ad37d54b30de5872d5362b965c60a42f483b0a0c457102b0b07
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/396-153-0x0000000000000000-mapping.dmp
-
memory/396-154-0x0000000003190000-0x0000000003197000-memory.dmpFilesize
28KB
-
memory/396-155-0x0000000003180000-0x000000000318B000-memory.dmpFilesize
44KB
-
memory/656-114-0x00000000049D0000-0x00000000049DA000-memory.dmpFilesize
40KB
-
memory/696-115-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/696-116-0x0000000000402E1A-mapping.dmp
-
memory/740-141-0x00000000049A0000-0x0000000004A31000-memory.dmpFilesize
580KB
-
memory/740-129-0x0000000000000000-mapping.dmp
-
memory/740-144-0x0000000000400000-0x0000000002D05000-memory.dmpFilesize
41.0MB
-
memory/908-174-0x0000000000000000-mapping.dmp
-
memory/908-176-0x00000000009B0000-0x00000000009B5000-memory.dmpFilesize
20KB
-
memory/908-177-0x00000000009A0000-0x00000000009A9000-memory.dmpFilesize
36KB
-
memory/1164-133-0x0000000077D90000-0x0000000077F1E000-memory.dmpFilesize
1.6MB
-
memory/1164-134-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/1164-124-0x0000000000000000-mapping.dmp
-
memory/1164-146-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/1164-143-0x0000000005A40000-0x0000000005A41000-memory.dmpFilesize
4KB
-
memory/1196-167-0x0000000003440000-0x0000000003449000-memory.dmpFilesize
36KB
-
memory/1196-166-0x0000000003450000-0x0000000003454000-memory.dmpFilesize
16KB
-
memory/1196-165-0x0000000000000000-mapping.dmp
-
memory/1316-172-0x0000000000F10000-0x0000000000F15000-memory.dmpFilesize
20KB
-
memory/1316-173-0x0000000000F00000-0x0000000000F09000-memory.dmpFilesize
36KB
-
memory/1316-168-0x0000000000000000-mapping.dmp
-
memory/2060-156-0x0000000000000000-mapping.dmp
-
memory/2060-158-0x0000000000D90000-0x0000000000D9F000-memory.dmpFilesize
60KB
-
memory/2060-157-0x0000000000DA0000-0x0000000000DA9000-memory.dmpFilesize
36KB
-
memory/2620-163-0x00000000009D0000-0x00000000009D6000-memory.dmpFilesize
24KB
-
memory/2620-162-0x0000000000000000-mapping.dmp
-
memory/2620-164-0x00000000009C0000-0x00000000009CC000-memory.dmpFilesize
48KB
-
memory/2884-149-0x0000000000BA0000-0x0000000000C14000-memory.dmpFilesize
464KB
-
memory/2884-150-0x0000000000B30000-0x0000000000B9B000-memory.dmpFilesize
428KB
-
memory/2884-145-0x0000000000000000-mapping.dmp
-
memory/3060-117-0x00000000013F0000-0x0000000001406000-memory.dmpFilesize
88KB
-
memory/3412-142-0x00000000056D0000-0x00000000056D1000-memory.dmpFilesize
4KB
-
memory/3412-170-0x0000000007250000-0x0000000007251000-memory.dmpFilesize
4KB
-
memory/3412-178-0x0000000006F70000-0x0000000006F71000-memory.dmpFilesize
4KB
-
memory/3412-118-0x0000000000000000-mapping.dmp
-
memory/3412-132-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/3412-127-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/3412-121-0x0000000077D90000-0x0000000077F1E000-memory.dmpFilesize
1.6MB
-
memory/3412-139-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/3412-169-0x0000000006B50000-0x0000000006B51000-memory.dmpFilesize
4KB
-
memory/3412-179-0x0000000007090000-0x0000000007091000-memory.dmpFilesize
4KB
-
memory/3412-171-0x0000000006AD0000-0x0000000006AD1000-memory.dmpFilesize
4KB
-
memory/3412-180-0x0000000007130000-0x0000000007131000-memory.dmpFilesize
4KB
-
memory/3412-128-0x00000000055B0000-0x00000000055B1000-memory.dmpFilesize
4KB
-
memory/3412-122-0x0000000001160000-0x0000000001161000-memory.dmpFilesize
4KB
-
memory/3412-175-0x0000000007C80000-0x0000000007C81000-memory.dmpFilesize
4KB
-
memory/3588-161-0x0000000000870000-0x0000000000879000-memory.dmpFilesize
36KB
-
memory/3588-159-0x0000000000000000-mapping.dmp
-
memory/3588-160-0x0000000000880000-0x0000000000885000-memory.dmpFilesize
20KB
-
memory/3752-152-0x0000000000690000-0x000000000069C000-memory.dmpFilesize
48KB
-
memory/3752-148-0x0000000000000000-mapping.dmp
-
memory/3752-151-0x00000000006A0000-0x00000000006A7000-memory.dmpFilesize
28KB