Analysis
-
max time kernel
40s -
max time network
133s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
24-09-2021 16:31
General
-
Target
2c1a477bf201d3cae1e15c81d164fb05.exe
-
Size
285KB
-
MD5
2c1a477bf201d3cae1e15c81d164fb05
-
SHA1
5dba8661b62ac6ef622e7e14678369c1dc94f586
-
SHA256
843140b0a3f095d74fe2682d3ae029d4da70a5bae79850cf047a72c9d4a882c0
-
SHA512
4460f5217e1557bf99f79dc08eeebcc42814f9deb186b61429fa084fe5b4b81e6279007fac5d7d776610eb2bfdfcdbfbdc0e39ff5e911fa07f494651d283cd9d
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Extracted
redline
135.181.142.223:30397
Extracted
redline
178.132.3.103:80
Extracted
raccoon
5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
-
url4cnc
https://t.me/agrybirdsgamerept
Extracted
redline
700$
65.21.231.57:60751
Extracted
redline
russianhack
109.234.38.212:6677
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 14 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
XMRig Miner Payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 12 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2c1a477bf201d3cae1e15c81d164fb05.exe"C:\Users\Admin\AppData\Local\Temp\2c1a477bf201d3cae1e15c81d164fb05.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2c1a477bf201d3cae1e15c81d164fb05.exe"C:\Users\Admin\AppData\Local\Temp\2c1a477bf201d3cae1e15c81d164fb05.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\BF1.exeC:\Users\Admin\AppData\Local\Temp\BF1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\BF1.exeC:\Users\Admin\AppData\Local\Temp\BF1.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\EB0.exeC:\Users\Admin\AppData\Local\Temp\EB0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EB0.exeC:\Users\Admin\AppData\Local\Temp\EB0.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\146C.exeC:\Users\Admin\AppData\Local\Temp\146C.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\1A17.exeC:\Users\Admin\AppData\Local\Temp\1A17.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xolwagtw\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\geommclb.exe" C:\Windows\SysWOW64\xolwagtw\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create xolwagtw binPath= "C:\Windows\SysWOW64\xolwagtw\geommclb.exe /d\"C:\Users\Admin\AppData\Local\Temp\1A17.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description xolwagtw "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start xolwagtw2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\207E.exeC:\Users\Admin\AppData\Local\Temp\207E.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2BD5.exeC:\Users\Admin\AppData\Local\Temp\2BD5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\2F9D.exeC:\Users\Admin\AppData\Local\Temp\2F9D.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\xolwagtw\geommclb.exeC:\Windows\SysWOW64\xolwagtw\geommclb.exe /d"C:\Users\Admin\AppData\Local\Temp\1A17.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\3874.exeC:\Users\Admin\AppData\Local\Temp\3874.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\43AC.exeC:\Users\Admin\AppData\Local\Temp\43AC.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4CF0.exeC:\Users\Admin\AppData\Local\Temp\4CF0.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5A2A.exeC:\Users\Admin\AppData\Local\Temp\5A2A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6958.exeC:\Users\Admin\AppData\Local\Temp\6958.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6958.exe"C:\Users\Admin\AppData\Local\Temp\6958.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39.6MB
-
Filesize
52KB
-
Filesize
39.6MB
-
Filesize
464KB
-
Filesize
4KB
-
Filesize
284KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
140KB
-
Filesize
312KB
-
Filesize
288KB
-
Filesize
28KB
-
Filesize
576KB
-
Filesize
39.8MB
-
Filesize
124KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
764KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
39.6MB
-
Filesize
964KB
-
Filesize
120KB
-
Filesize
120KB