Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-08-2021 11:49
General
-
Target
51d84ec7f9fd6f9cc4ed1c491a6419df.exe
-
Size
182KB
-
MD5
51d84ec7f9fd6f9cc4ed1c491a6419df
-
SHA1
fa21e010d7e6d52484ace0722d6e20dbc2c964f8
-
SHA256
fdacbb575b9ae8cba7286e562abd4d3547089e0ea17b4885b3a4a738b83831fb
-
SHA512
212333b42e76fee070dbaadf67602a6fa4c5492823cd61034706b6b43f63f52b0dc26997976051178204c70a9bd9881ac10556bf96d4effd8a32d4e82f68363b
Malware Config
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 32 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\639D.exeC:\Users\Admin\AppData\Local\Temp\639D.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\6B8D.exeC:\Users\Admin\AppData\Local\Temp\6B8D.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\76B9.exeC:\Users\Admin\AppData\Local\Temp\76B9.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 7322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 7642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 7682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 8642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 11842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13442⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 14042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 11722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 14082⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 14322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 14722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 12642⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 16522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 13362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15602⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 15042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 16322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\639D.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\639D.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\6B8D.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\6B8D.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\76B9.exeMD5
760dcf3d0a64b3de5987b1f94a2ec13c
SHA1bf6cd26c3c4f89d47ed06ef9a83cc6503c5e8229
SHA256b550a523160a67aff256cfbab57e4f3fd71c2580d3dae36424b147b27439a39b
SHA512ab8d92496952f87b426232babcc8d1d87ff0fc3417a5f0f07dab742b074c2f39803aa36716ad967a070555a06bad72151da460da8e7dd8f646f8e0536c61ce1e
-
C:\Users\Admin\AppData\Local\Temp\76B9.exeMD5
760dcf3d0a64b3de5987b1f94a2ec13c
SHA1bf6cd26c3c4f89d47ed06ef9a83cc6503c5e8229
SHA256b550a523160a67aff256cfbab57e4f3fd71c2580d3dae36424b147b27439a39b
SHA512ab8d92496952f87b426232babcc8d1d87ff0fc3417a5f0f07dab742b074c2f39803aa36716ad967a070555a06bad72151da460da8e7dd8f646f8e0536c61ce1e
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/504-174-0x0000000000810000-0x0000000000819000-memory.dmpFilesize
36KB
-
memory/504-172-0x0000000000000000-mapping.dmp
-
memory/504-173-0x0000000000820000-0x0000000000824000-memory.dmpFilesize
16KB
-
memory/644-170-0x00000000012B0000-0x00000000012B6000-memory.dmpFilesize
24KB
-
memory/644-169-0x0000000000000000-mapping.dmp
-
memory/644-171-0x00000000012A0000-0x00000000012AC000-memory.dmpFilesize
48KB
-
memory/1508-175-0x0000000000000000-mapping.dmp
-
memory/1508-176-0x0000000000820000-0x0000000000825000-memory.dmpFilesize
20KB
-
memory/1508-177-0x0000000000810000-0x0000000000819000-memory.dmpFilesize
36KB
-
memory/1524-178-0x0000000000000000-mapping.dmp
-
memory/1524-179-0x0000000003060000-0x0000000003065000-memory.dmpFilesize
20KB
-
memory/1524-180-0x0000000003050000-0x0000000003059000-memory.dmpFilesize
36KB
-
memory/1664-149-0x0000000000B70000-0x0000000000B77000-memory.dmpFilesize
28KB
-
memory/1664-148-0x0000000000000000-mapping.dmp
-
memory/1664-150-0x0000000000B60000-0x0000000000B6C000-memory.dmpFilesize
48KB
-
memory/2204-114-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2204-115-0x0000000000402E1A-mapping.dmp
-
memory/2240-126-0x00000000773F0000-0x000000007757E000-memory.dmpFilesize
1.6MB
-
memory/2240-156-0x0000000007DD0000-0x0000000007DD1000-memory.dmpFilesize
4KB
-
memory/2240-118-0x0000000000000000-mapping.dmp
-
memory/2240-121-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2240-132-0x0000000003820000-0x0000000003821000-memory.dmpFilesize
4KB
-
memory/2240-130-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/2240-127-0x00000000058F0000-0x00000000058F1000-memory.dmpFilesize
4KB
-
memory/2240-125-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/2240-124-0x00000000037F0000-0x00000000037F1000-memory.dmpFilesize
4KB
-
memory/2240-154-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/2240-155-0x00000000073A0000-0x00000000073A1000-memory.dmpFilesize
4KB
-
memory/2240-123-0x0000000005E80000-0x0000000005E81000-memory.dmpFilesize
4KB
-
memory/2240-157-0x0000000006F90000-0x0000000006F91000-memory.dmpFilesize
4KB
-
memory/2240-159-0x00000000070B0000-0x00000000070B1000-memory.dmpFilesize
4KB
-
memory/2240-161-0x00000000079D0000-0x00000000079D1000-memory.dmpFilesize
4KB
-
memory/2240-160-0x0000000007090000-0x0000000007091000-memory.dmpFilesize
4KB
-
memory/2364-147-0x0000000003050000-0x00000000030BB000-memory.dmpFilesize
428KB
-
memory/2364-145-0x0000000000000000-mapping.dmp
-
memory/2364-146-0x00000000030C0000-0x0000000003134000-memory.dmpFilesize
464KB
-
memory/2732-158-0x0000000000000000-mapping.dmp
-
memory/2732-162-0x0000000001200000-0x0000000001209000-memory.dmpFilesize
36KB
-
memory/2732-163-0x0000000000FF0000-0x0000000000FFF000-memory.dmpFilesize
60KB
-
memory/2764-151-0x0000000000000000-mapping.dmp
-
memory/2764-152-0x0000000003060000-0x0000000003067000-memory.dmpFilesize
28KB
-
memory/2764-153-0x0000000003050000-0x000000000305B000-memory.dmpFilesize
44KB
-
memory/3016-116-0x0000000002E20000-0x0000000002E2A000-memory.dmpFilesize
40KB
-
memory/3036-117-0x00000000006A0000-0x00000000006B6000-memory.dmpFilesize
88KB
-
memory/3532-138-0x00000000773F0000-0x000000007757E000-memory.dmpFilesize
1.6MB
-
memory/3532-139-0x0000000001E80000-0x0000000001E81000-memory.dmpFilesize
4KB
-
memory/3532-133-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/3532-128-0x0000000000000000-mapping.dmp
-
memory/3576-164-0x0000000002DE0000-0x0000000002F2A000-memory.dmpFilesize
1.3MB
-
memory/3576-165-0x0000000000400000-0x0000000002D05000-memory.dmpFilesize
41.0MB
-
memory/3576-142-0x0000000000000000-mapping.dmp
-
memory/4076-167-0x0000000000190000-0x0000000000195000-memory.dmpFilesize
20KB
-
memory/4076-166-0x0000000000000000-mapping.dmp
-
memory/4076-168-0x0000000000180000-0x0000000000189000-memory.dmpFilesize
36KB