Analysis
-
max time kernel
162s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-08-2021 09:50
General
-
Target
x2BFjy8SRtdIV0VKlMSL7WDQ.exe
-
Size
194KB
-
MD5
ced17a3bd52eab4a5105c0e58945b9de
-
SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5
-
SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
-
SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
Malware Config
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 32 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 47 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D36E.exeC:\Users\Admin\AppData\Local\Temp\D36E.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\DB7D.exeC:\Users\Admin\AppData\Local\Temp\DB7D.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\E10C.exeC:\Users\Admin\AppData\Local\Temp\E10C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 7362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 8482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 8242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 8682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 11882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13122⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13482⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12402⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 14282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12802⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 14002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13242⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13602⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 15362⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 14562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 15402⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13682⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 14282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13722⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 13282⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 12242⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D36E.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\D36E.exeMD5
1e0e17859c0a32b53ae0bafc4e55563b
SHA1590ef228cac03f6da4bdbc1b7e40557d61a3a043
SHA25676d03b8781c66aa25d74ec788dc9c1370ee01000926882c8be7f89f5dcb01d31
SHA5124494ad485fb73538b3e6f5e8e94a073bdddaf6ac50877051078646828c80b71a1e50a09d0ce84f65b021cc1bb0b4d22f317c2eef0dc29513ee927a9c8e7cdf72
-
C:\Users\Admin\AppData\Local\Temp\DB7D.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\DB7D.exeMD5
fa2170ab2dfa330d961cccf8e93c757b
SHA1d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA25678f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA5123880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\AppData\Local\Temp\E10C.exeMD5
fc1ecf8a0ed037f608a2e75de2e4bfcb
SHA13a66425ab626a3912bc023d02a8e104b1bd8ca52
SHA2568550aa53578ffe4fec8db131cf90bfa9ceac8e5e2759e1fed6c5249bcda57f49
SHA512f250dee19b6b0c61bc9c5fadb8918c0bd1f1638ecf4fac6da8763a0937795e2d4d42f11ccce3e1e9f2cf222e2fb8c5f997688c7b13de8fb3146b64f22f18451e
-
C:\Users\Admin\AppData\Local\Temp\E10C.exeMD5
fc1ecf8a0ed037f608a2e75de2e4bfcb
SHA13a66425ab626a3912bc023d02a8e104b1bd8ca52
SHA2568550aa53578ffe4fec8db131cf90bfa9ceac8e5e2759e1fed6c5249bcda57f49
SHA512f250dee19b6b0c61bc9c5fadb8918c0bd1f1638ecf4fac6da8763a0937795e2d4d42f11ccce3e1e9f2cf222e2fb8c5f997688c7b13de8fb3146b64f22f18451e
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/196-161-0x0000000000000000-mapping.dmp
-
memory/196-163-0x00000000001F0000-0x00000000001F6000-memory.dmpFilesize
24KB
-
memory/196-164-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/664-114-0x0000000002DA0000-0x0000000002DAA000-memory.dmpFilesize
40KB
-
memory/964-133-0x0000000000F20000-0x0000000000F21000-memory.dmpFilesize
4KB
-
memory/964-139-0x0000000005740000-0x0000000005741000-memory.dmpFilesize
4KB
-
memory/964-124-0x0000000000000000-mapping.dmp
-
memory/964-145-0x00000000058E0000-0x00000000058E1000-memory.dmpFilesize
4KB
-
memory/964-143-0x00000000056F0000-0x00000000056F1000-memory.dmpFilesize
4KB
-
memory/964-138-0x0000000077020000-0x00000000771AE000-memory.dmpFilesize
1.6MB
-
memory/1460-149-0x00000000030D0000-0x000000000313B000-memory.dmpFilesize
428KB
-
memory/1460-147-0x0000000003140000-0x00000000031B4000-memory.dmpFilesize
464KB
-
memory/1460-142-0x0000000000000000-mapping.dmp
-
memory/1980-158-0x00000000007C0000-0x00000000007C5000-memory.dmpFilesize
20KB
-
memory/1980-159-0x00000000007B0000-0x00000000007B9000-memory.dmpFilesize
36KB
-
memory/1980-157-0x0000000000000000-mapping.dmp
-
memory/2200-172-0x00000000079A0000-0x00000000079A1000-memory.dmpFilesize
4KB
-
memory/2200-171-0x00000000072A0000-0x00000000072A1000-memory.dmpFilesize
4KB
-
memory/2200-177-0x0000000007590000-0x0000000007591000-memory.dmpFilesize
4KB
-
memory/2200-122-0x00000000008F0000-0x00000000008F1000-memory.dmpFilesize
4KB
-
memory/2200-178-0x00000000083D0000-0x00000000083D1000-memory.dmpFilesize
4KB
-
memory/2200-174-0x0000000007470000-0x0000000007471000-memory.dmpFilesize
4KB
-
memory/2200-141-0x0000000005DB0000-0x0000000005DB1000-memory.dmpFilesize
4KB
-
memory/2200-128-0x0000000005D00000-0x0000000005D01000-memory.dmpFilesize
4KB
-
memory/2200-121-0x0000000077020000-0x00000000771AE000-memory.dmpFilesize
1.6MB
-
memory/2200-118-0x0000000000000000-mapping.dmp
-
memory/2200-179-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/2200-180-0x0000000007ED0000-0x0000000007ED1000-memory.dmpFilesize
4KB
-
memory/2200-132-0x0000000005D60000-0x0000000005D61000-memory.dmpFilesize
4KB
-
memory/2200-127-0x00000000063D0000-0x00000000063D1000-memory.dmpFilesize
4KB
-
memory/2284-166-0x0000000000520000-0x0000000000524000-memory.dmpFilesize
16KB
-
memory/2284-165-0x0000000000000000-mapping.dmp
-
memory/2284-167-0x0000000000510000-0x0000000000519000-memory.dmpFilesize
36KB
-
memory/2336-146-0x0000000000000000-mapping.dmp
-
memory/2336-150-0x00000000005F0000-0x00000000005FC000-memory.dmpFilesize
48KB
-
memory/2336-148-0x0000000000800000-0x0000000000807000-memory.dmpFilesize
28KB
-
memory/2496-176-0x0000000000800000-0x0000000000809000-memory.dmpFilesize
36KB
-
memory/2496-175-0x0000000000810000-0x0000000000815000-memory.dmpFilesize
20KB
-
memory/2496-173-0x0000000000000000-mapping.dmp
-
memory/2788-154-0x0000000000000000-mapping.dmp
-
memory/2788-155-0x00000000010A0000-0x00000000010A9000-memory.dmpFilesize
36KB
-
memory/2788-156-0x0000000001090000-0x000000000109F000-memory.dmpFilesize
60KB
-
memory/3024-117-0x0000000000750000-0x0000000000766000-memory.dmpFilesize
88KB
-
memory/3424-162-0x0000000000400000-0x0000000002D05000-memory.dmpFilesize
41.0MB
-
memory/3424-129-0x0000000000000000-mapping.dmp
-
memory/3424-160-0x0000000004930000-0x00000000049C1000-memory.dmpFilesize
580KB
-
memory/3544-169-0x00000000010B0000-0x00000000010B5000-memory.dmpFilesize
20KB
-
memory/3544-170-0x00000000010A0000-0x00000000010A9000-memory.dmpFilesize
36KB
-
memory/3544-168-0x0000000000000000-mapping.dmp
-
memory/3772-151-0x0000000000000000-mapping.dmp
-
memory/3772-152-0x0000000000930000-0x0000000000937000-memory.dmpFilesize
28KB
-
memory/3772-153-0x0000000000920000-0x000000000092B000-memory.dmpFilesize
44KB
-
memory/3904-115-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3904-116-0x0000000000402E1A-mapping.dmp