Analysis
- max time kernel: 150s
- max time network: 129s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 24-09-2021 22:05
Static task: static1
Behavioral task: behavioral1
- Sample: e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
- Resource: win10-en-20210920
General
- Target: e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
- Size: 287KB
- MD5: 6cbf95206889d06445d284b862cf18bf
- SHA1: c85b2f93e81da0d5759f195afdf91a645343fe5d
- SHA256: e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cfbf9fc9ed24d8dc7d143
- SHA512: 45d81eddf9e9c38ed9b8ec6510b6b34c752c5ccc01e22028549ef19921308a8531dbb8c5f9f79833e5df350dd47dc2a3edd430926d45f4f1f31fd329c50393e4
Malware Config
Extracted: smokeloader
- 2020
- http://naghenrietti1.top/
- http://kimballiett2.top/
- http://xadriettany3.top/
- http://jebeccallis4.top/
- http://nityanneron5.top/
- http://umayaniela6.top/
- http://lynettaram7.top/
- http://sadineyalas8.top/
- http://geenaldencia9.top/
- http://aradysiusep10.top/
Extracted: redline
- 2k superstar
- 185.244.180.224:39957
Extracted: raccoon
- d4d8e30c16491ca1c11f7aa675764335342faedf
- url4cnc: https://t.me/hcdrom1
Extracted: raccoon
- 5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
- url4cnc: https://t.me/agrybirdsgamerept
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1636-67-0x0000000002F70000-0x0000000002F8F000-memory.dmp | family_redline
behavioral1/memory/1636-73-0x0000000004A30000-0x0000000004A4E000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
pid | process
1636 | 2E.exe
952 | 77F.exe
1200 | CFC.exe
560 | 10F3.exe
1696 | okgouu.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | CFC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | CFC.exe
Deletes itself 1 IoCs
Processes:
pid | process
1428 | (no process name)
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\77F.vbs | 77F.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1428 | (no process name)
560 | powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\okgouu = "\"C:\\Users\\Admin\\AppData\\Roaming\\okgouu.exe\"" | okgouu.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\77F = "\"C:\\Users\\Admin\\AppData\\Roaming\\77F.exe\"" | 77F.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | CFC.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1200 | CFC.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1424 set thread context of 1120 | 1424 | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1120 | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe (2 entries)
1428 | (no process name; 62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1428 | (no process name)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
1120 | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1428 | (no process name; 5 entries)
Token: SeDebugPrivilege | 1636 | 2E.exe
Token: SeDebugPrivilege | 952 | 77F.exe
Token: SeDebugPrivilege | 560 | powershell.exe
Token: SeDebugPrivilege | 1696 | okgouu.exe
Token: SeDebugPrivilege | 760 | powershell.exe
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
pid | process
1428 | (no process name; 6 entries)
Suspicious use of SendNotifyMessage 10 IoCs
Processes:
pid | process
1428 | (no process name; 10 entries)
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
description | pid | process | target process
PID 1424 wrote to memory of 1120 | 1424 | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe | e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe (7 entries)
PID 1428 wrote to memory of 1636 | 1428 | (no process name) | 2E.exe (4 entries)
PID 1428 wrote to memory of 952 | 1428 | (no process name) | 77F.exe (3 entries)
PID 1428 wrote to memory of 1200 | 1428 | (no process name) | CFC.exe (4 entries)
PID 1428 wrote to memory of 560 | 1428 | (no process name) | 10F3.exe (4 entries)
PID 952 wrote to memory of 560 | 952 | 77F.exe | powershell.exe (3 entries)
PID 560 wrote to memory of 1696 | 560 | powershell.exe | okgouu.exe (3 entries)
PID 1696 wrote to memory of 812 | 1696 | okgouu.exe | WScript.exe (3 entries)
PID 812 wrote to memory of 760 | 812 | WScript.exe | powershell.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 1424
  - C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e3d023e5f6f2e7eebfb12204edd3ac526e830ecc051cf.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 1120
- C:\Users\Admin\AppData\Local\Temp\2E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2E.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1636
- C:\Users\Admin\AppData\Local\Temp\77F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\77F.exe
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 952
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AG8AcAAtAHAAcgBvAGMAZQBzAHMAIAAtAEkAZAAgADkANQAyADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAbwBrAGcAbwB1AHUALgBlAHgAZQAiADsAIABTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAHMAIAAzADsAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwANwA3AEYALgBlAHgAZQAiACAALQBGAG8AcgBjAGUA
    Decoded -enc argument (base64 of UTF-16LE): Stop-process -Id 952; Start-Process -FilePath "C:\Users\Admin\AppData\Local\Temp\okgouu.exe"; Start-Sleep -s 3; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\77F.exe" -Force
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 560
    - C:\Users\Admin\AppData\Local\Temp\okgouu.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\okgouu.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1696
      - C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\voxudocww.vbs"
        - Suspicious use of WriteProcessMemory
        PID: 812
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
          - Suspicious use of AdjustPrivilegeToken
          PID: 760
- C:\Users\Admin\AppData\Local\Temp\CFC.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CFC.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 1200
- C:\Users\Admin\AppData\Local\Temp\10F3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\10F3.exe
  - Executes dropped EXE
  PID: 560
Downloads