Analysis
-
max time kernel
157s -
max time network
194s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27/08/2021, 16:02
General
-
Target
b7e27567f201a840d0f9c12cf0a2d734.exe
-
Size
264KB
-
MD5
b7e27567f201a840d0f9c12cf0a2d734
-
SHA1
1bc2fd9116bffab627b0ea37ff0bb7c49726b9a5
-
SHA256
eedbfa19e0dea5bf1cb8ddd108ecc4ddc8a67481fafa759e588da3125228992e
-
SHA512
30b0f5c7297e83c0ebeef938eea9edc18cc7149d1aef6a1eaa16c83d0f03167bd9fe8bb3a1f21a614af81c589e82a505a3f9d4e98934c7d452bec95eab205aac
Malware Config
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
Extracted
raccoon
fe582536ec580228180f270f7cb80a867860e010
-
url4cnc
https://telete.in/xylichanjk
Extracted
redline
pro
95.217.117.91:49317
Extracted
redline
MIX
manazyxsa.xyz:80
Extracted
redline
WORD1
94.26.249.88:1902
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 10 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"C:\Users\Admin\AppData\Local\Temp\b7e27567f201a840d0f9c12cf0a2d734.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\C12.exeC:\Users\Admin\AppData\Local\Temp\C12.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\D2B.exeC:\Users\Admin\AppData\Local\Temp\D2B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\100A.exeC:\Users\Admin\AppData\Local\Temp\100A.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fvcnyonv\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xvfddtcs.exe" C:\Windows\SysWOW64\fvcnyonv\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create fvcnyonv binPath= "C:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exe /d\"C:\Users\Admin\AppData\Local\Temp\100A.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description fvcnyonv "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start fvcnyonv2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\213A.exeC:\Users\Admin\AppData\Local\Temp\213A.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\239B.exeC:\Users\Admin\AppData\Local\Temp\239B.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\24B5.exeC:\Users\Admin\AppData\Local\Temp\24B5.exe1⤵
- Executes dropped EXE
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2ABE.exeC:\Users\Admin\AppData\Local\Temp\2ABE.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exeC:\Windows\SysWOW64\fvcnyonv\xvfddtcs.exe /d"C:\Users\Admin\AppData\Local\Temp\100A.exe"1⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\35B7.exeC:\Users\Admin\AppData\Local\Temp\35B7.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
31.7MB
-
Filesize
128KB
-
Filesize
192KB
-
Filesize
8KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
8KB
-
Filesize
31.9MB
-
Filesize
572KB
-
Filesize
31.7MB
-
Filesize
100KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
88KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
31.7MB
-
Filesize
76KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
36KB