Analysis

Max time kernel: 154s
Max time network: 158s
Platform: windows7_x64
Resource: win7v20210410
Submitted: 23-08-2021 13:56
Tasks

Static task: static1
Behavioral task behavioral1: sample 23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe, resource win7v20210410 (the run reported on this page, platform windows7_x64)
Behavioral task behavioral2: sample 23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe, resource win10v20210410
General

Target: 23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe
Size: 280KB
MD5: c1c301d9b0ba8ba056707f2d2c82bd9d
SHA1: d70353b58f0576138abdf8dcac5064358a379305
SHA256: 23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9
SHA512: 1894b720c731c3f4dc90e42d98690bad2acaf6669fe7334064187bc4c21c662894447e635d76a9d06542e13529d56c1b0902585b47537ff04ece1669bb73b8f0
Malware Config

Extracted family: smokeloader
Version: 2020
C2 URLs (from the extracted config):
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
yara rule family_redline matched C:\Users\Admin\AppData\Local\Temp\1F4.exe

SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
PID 1660  1F4.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (1F4.exe)
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (1F4.exe)

Deletes itself (1 IoC)
PID 1176 (no image name is recorded for this process anywhere in the report)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (2 IoCs; heading inferred from the yara rule name, the extracted page lost it)
yara rule themida matched C:\Users\Admin\AppData\Local\Temp\1F4.exe
yara rule themida matched behavioral1/memory/1660-68-0x0000000001330000-0x0000000001331000-memory.dmp

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoC; heading taken from the 1F4.exe entry in the process tree below, the extracted page lost it)
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (1F4.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
PID 1660  1F4.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe)
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe)
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 1672  23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe  (2 events)
PID 1176  (no image name recorded)  (62 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1176

Suspicious behavior: MapViewOfSection (1 IoC)
PID 1672  23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Token: SeShutdownPrivilege  PID 1176  (3 events)
Token: SeDebugPrivilege     PID 1660  1F4.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
PID 1176  (4 events)

Suspicious use of SendNotifyMessage (4 IoCs)
PID 1176  (4 events)

Suspicious use of WriteProcessMemory (7 IoCs)
PID 1176 wrote to memory of PID 1660 (1F4.exe)  (7 events)

PID 1176 appears throughout without an image name: the report records it writing to 1F4.exe's memory, holding SeShutdownPrivilege and deleting itself, but does not identify which process it is.
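As an added example (not part of the sandbox output), the following Python script turns the indicators on this page into a small matcher: the SmokeLoader C2 URLs from the extracted config, the MD5/SHA1/SHA256 of the submitted sample and of the dropped 1F4.exe, and the registry keys the BIOS, SCSI and UAC signatures record. It runs them over constructed, Sysmon-like key=value log lines (the log shape, the `url` field on the proxy-style lines, and the folding of CurrentControlSet onto ControlSet001 are assumptions, not anything the report states) and, because a single BIOS read is routine for inventory software, only escalates a process when it reads two or more distinct sandbox-detection keys.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# SmokeLoader C2 URLs from the extracted config above.
SMOKELOADER_C2 = [
    "http://aucmoney.com/upload/",
    "http://thegymmum.com/upload/",
    "http://atvcampingtrips.com/upload/",
    "http://kuapakualaman.com/upload/",
    "http://renatazarazua.com/upload/",
    "http://nasufmutlu.com/upload/",
]
C2_HOSTS = {urlparse(u).hostname for u in SMOKELOADER_C2}

# MD5 / SHA1 / SHA256 of the submitted sample and of the dropped RedLine payload 1F4.exe.
KNOWN_HASHES = {
    "c1c301d9b0ba8ba056707f2d2c82bd9d",
    "d70353b58f0576138abdf8dcac5064358a379305",
    "23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9",
    "1f6e49e83b13758948915b43fb388a94",
    "c38876024e6e3cf46f804fc3d0aca553a263ffaf",
    "624cfab55296eb7e9d73d9478455f96d4861ca92d45677909a7f2fb8532b1f63",
}

# Registry paths the report shows being queried (lower-cased HKLM form): description, is it a sandbox check.
REGISTRY_IOCS = {
    r"hklm\hardware\description\system\systembiosversion": ("BIOS version read", True),
    r"hklm\hardware\description\system\videobiosversion": ("video BIOS version read", True),
    r"hklm\system\controlset001\enum\scsi": ("SCSI device enumeration", True),
    r"hklm\software\microsoft\windows\currentversion\policies\system\enablelua": ("UAC state check", False),
}

KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed log shape: space-separated key=value, no spaces in values

@dataclass
class Hit:
    line_no: int
    category: str  # "hash", "c2" or "registry"
    image: str
    detail: str
    ioc_key: str = ""  # matching REGISTRY_IOCS key for registry hits

def normalize_registry_path(path: str) -> str:
    """Fold the sandbox's native \\REGISTRY\\MACHINE spelling, HKEY_LOCAL_MACHINE and
    CurrentControlSet (assumed here to alias ControlSet001) onto one lower-cased form."""
    p = path.lower().rstrip("\\").replace("\\registry\\machine", "hklm")
    return p.replace("hkey_local_machine", "hklm").replace("\\currentcontrolset\\", "\\controlset001\\")

def match_fields(fields: dict) -> list:
    """Return (category, detail, ioc_key) for every report indicator present in one event."""
    found = []
    for entry in fields.get("Hashes", "").split(","):
        algo, _, digest = entry.partition("=")
        if digest.lower() in KNOWN_HASHES:
            found.append(("hash", f"{algo} matches a hash from the report", ""))
    url = fields.get("url")
    if url and (urlparse(url).hostname in C2_HOSTS or any(url.startswith(c) for c in SMOKELOADER_C2)):
        found.append(("c2", f"SmokeLoader C2 contact: {url}", ""))
    target = fields.get("TargetObject")
    if target:
        norm = normalize_registry_path(target)
        for key, (desc, _) in REGISTRY_IOCS.items():
            if norm == key or norm.startswith(key + "\\"):  # prefix match: subkeys under Enum\SCSI count
                found.append(("registry", f"{desc}: {target}", key))
    return found

def scan(lines) -> list:
    """One Hit per indicator per log line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        fields = dict(KV_RE.findall(line))
        for category, detail, key in match_fields(fields):
            hits.append(Hit(n, category, fields.get("Image", "?"), detail, key))
    return hits

def anti_sandbox_processes(hits, threshold: int = 2) -> dict:
    """Images that read at least `threshold` distinct sandbox-detection keys; one BIOS read
    is routine for inventory tools, several from one image is what the signatures above describe."""
    per_image = {}
    for h in hits:
        if h.category == "registry" and REGISTRY_IOCS[h.ioc_key][1]:
            per_image.setdefault(h.image, set()).add(h.ioc_key)
    return {img: sorted(keys) for img, keys in per_image.items() if len(keys) >= threshold}

# Constructed log lines in a Sysmon-like shape (process create with hashes, registry events,
# plus a proxy-style line carrying a url field); not real telemetry from the sandbox run.
SAMPLE_LOGS = [
    r"EventID=1 Image=C:\Users\Admin\AppData\Local\Temp\1F4.exe Hashes=MD5=1f6e49e83b13758948915b43fb388a94,SHA256=624cfab55296eb7e9d73d9478455f96d4861ca92d45677909a7f2fb8532b1f63",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\1F4.exe TargetObject=HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\1F4.exe TargetObject=HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"EventID=13 Image=C:\Users\Admin\AppData\Local\Temp\1F4.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"EventID=12 Image=C:\Users\Admin\AppData\Local\Temp\other.exe TargetObject=HKLM\System\CurrentControlSet\Enum\SCSI\Disk&Ven_VBOX",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    r"EventID=proxy Image=C:\Windows\explorer.exe url=http://aucmoney.com/upload/ method=POST",
    r"EventID=proxy Image=C:\Windows\explorer.exe url=https://example.com/ method=GET",
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOGS), anti_sandbox_processes(scan(SAMPLE_LOGS)), sep="\n")
```

On the constructed input the matcher reports both hashes on the process-create line, the three registry reads by 1F4.exe, the SCSI enumeration by the other process and the POST to the first C2 URL, while the svchost Run-key write and the example.com request produce nothing; only 1F4.exe is escalated, since it alone touched two distinct sandbox-detection keys. The registry keys are compared case-insensitively and by prefix so that subkeys under Enum\SCSI match, as they do in the report's "Key enumerated" entries.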
Processes

C:\Users\Admin\AppData\Local\Temp\23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe (PID 1672)
command line: "C:\Users\Admin\AppData\Local\Temp\23d94c5414f81f6736b4ddc3cdc26097fb66d839d00079aa1c87c40a7e726cf9.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\1F4.exe (PID 1660; written to by PID 1176, see WriteProcessMemory above)
command line: C:\Users\Admin\AppData\Local\Temp\1F4.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Downloads

C:\Users\Admin\AppData\Local\Temp\1F4.exe
MD5: 1f6e49e83b13758948915b43fb388a94
SHA1: c38876024e6e3cf46f804fc3d0aca553a263ffaf
SHA256: 624cfab55296eb7e9d73d9478455f96d4861ca92d45677909a7f2fb8532b1f63
SHA512: 462ed0fe61a8884bc337f7f970ab29c5e3b9dbe29a075fa385630febebfc8d0c0075cec46f4138c89667d4320c63fe296ec48fe6e82a895c02c33ea3441ca85f

Memory dumps (filesize as reported):
memory/1176-63-0x0000000002E60000-0x0000000002E76000-memory.dmp  88KB
memory/1660-64-0x0000000000000000-mapping.dmp
memory/1660-68-0x0000000001330000-0x0000000001331000-memory.dmp  4KB
memory/1660-70-0x0000000005040000-0x0000000005041000-memory.dmp  4KB
memory/1672-60-0x0000000075971000-0x0000000075973000-memory.dmp  8KB
memory/1672-61-0x0000000000020000-0x0000000000029000-memory.dmp  36KB
memory/1672-62-0x0000000000400000-0x00000000023B1000-memory.dmp  31.7MB