Resubmissions
09-10-2021 06:02
211009-grepnafad7 1008-10-2021 19:47
211008-yhw11segg5 1008-10-2021 19:00
211008-xnq7aaegf2 10Analysis
-
max time kernel
1803s -
max time network
1571s -
platform
windows11_x64 -
resource
win11 -
submitted
09-10-2021 06:02
General
-
Target
211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe
-
Size
166KB
-
MD5
38662eca83bf7fff531b9bdc43f8ed52
-
SHA1
1426c264bd6067cc8f5a76ac10182c380a18eb5b
-
SHA256
211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3
-
SHA512
4cdf5822e696a511bb689bfedad92ad10f3b148045eacd22977daa5b3397ee5e449db4fc31d97b3ac7e459ea3905eadf71ab6bfb91b9ff8d5219edec8278644e
Malware Config
Extracted
smokeloader
2020
http://fazanaharahe10.top/
http://xandelissane20.top/
http://ustiassosale30.top/
http://cytheriata40.top/
http://ggiergionard50.top/
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 35 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv QytAWiKNnUOGkOn/jWRI0w.01⤵
-
C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"C:\Users\Admin\AppData\Local\Temp\211f7686f518eb521b7421393ce0b3fac878b2d5c4ee61629b1d4b2a0d3dcdd3.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv dn8LwwbFRkCXo9mq/8woaw.0.21⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Users\Admin\AppData\Local\Temp\2FA1.exeC:\Users\Admin\AppData\Local\Temp\2FA1.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 2962⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3416 -ip 34161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8A26.exeC:\Users\Admin\AppData\Local\Temp\8A26.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\89B5.exeC:\Users\Admin\AppData\Local\Temp\89B5.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 2402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\8EE6.exeC:\Users\Admin\AppData\Local\Temp\8EE6.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 3042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2204 -ip 22041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4856 -ip 48561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EBEB.exeC:\Users\Admin\AppData\Local\Temp\EBEB.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\961B.exeC:\Users\Admin\AppData\Local\Temp\961B.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 2562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\9EA7.exeC:\Users\Admin\AppData\Local\Temp\9EA7.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\A3E8.exeC:\Users\Admin\AppData\Local\Temp\A3E8.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 3042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1988 -ip 19881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1668 -ip 16681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
4ade9bccd0b2b9447ff9dbb9c3880830
SHA152aef011732da2f9fea1ee555d370a119749ccd0
SHA2562d2164bac6935ba3b38573e69f323ec242b3a259ecb06396964f57e3c93d7c6e
SHA51206103380806a02eb19d3f102d6b69f43f3483dc1db6fa48ca53ec8d077b4a6fa35dbb1fc6c438c51ef45f10765a06d2497b0f8d38ae8ac8049106f1bd99c33e1
-
MD5
4ade9bccd0b2b9447ff9dbb9c3880830
SHA152aef011732da2f9fea1ee555d370a119749ccd0
SHA2562d2164bac6935ba3b38573e69f323ec242b3a259ecb06396964f57e3c93d7c6e
SHA51206103380806a02eb19d3f102d6b69f43f3483dc1db6fa48ca53ec8d077b4a6fa35dbb1fc6c438c51ef45f10765a06d2497b0f8d38ae8ac8049106f1bd99c33e1
-
MD5
20fe1450230d861579e323ffd7ba5485
SHA1971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633
SHA2560cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3
SHA512abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f
-
MD5
20fe1450230d861579e323ffd7ba5485
SHA1971e83ba0ff1cbbdc9e1ac1ff6cd1c9ae38ce633
SHA2560cbd381e5c415c904ab13ab415f549b5b5711831fd20f46975c83fb4e03fc9e3
SHA512abf22e174d97ffe32dcaa14277e9f658e5e3c2d47c21efd40be2d645cb3639534cc22c73de59c83d0e9485fffe17e9064b40f953de42b8bd9d28da95d2ff753f
-
MD5
dd8a2cdd496f64590ff7d109578bcafb
SHA1af670c9d07a6c173b078208d59ee87a456008e98
SHA2568b0ce7f9bc14bd2a9d418ee89bd05157ebd1c624f5561194947cbc3e0af5debe
SHA512cd5c4d3cb2eff8cfa478ab008e5cdce47ac68da5894374c059df0c4ddb5352cd5930a0bbec71d706a3d00085126fc42eec0991db88f6474e0fdac2a8881fde25
-
MD5
047b7730310a945e1a587c5395c0638a
SHA1685e18a8f11c49fcd2829cd79fb4acdcd254f2fa
SHA2564ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79
SHA512f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120
-
MD5
047b7730310a945e1a587c5395c0638a
SHA1685e18a8f11c49fcd2829cd79fb4acdcd254f2fa
SHA2564ecf8f85d92f0d00fe80c0c8f7140888f8804b4834b94472960067fa54584a79
SHA512f3ad7a1cdb85c051a6fcd0fa415c242bf77bf9ee9ce4f571ecb16d4f28292e0f1ccf6d84ea9db0b71a88ecb0bc3946df6ac77526dfd7f3054f3c68a8ebc49120
-
MD5
25a398ade67d1eb9974db341f4139a5b
SHA10fe163a25dc0c280fd334576605d0b988b8b5396
SHA2567f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910
SHA512e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7
-
MD5
25a398ade67d1eb9974db341f4139a5b
SHA10fe163a25dc0c280fd334576605d0b988b8b5396
SHA2567f5b4e168ef2a2cf6e339400752a2e3c12afeecb355fc5507b7db36cb70ec910
SHA512e631adf0b0dbc126000d7662e1a89d2f53dd32e53337df09ce752f4cd9f064a1b6321eb0fdbf9f84776c856680ad555b6cf64d4a09ad9483e4058f7f1f539ca7
-
MD5
f6f63e66d59c509e9c76e930c3d27dd6
SHA1a0f85bbcb4e2b5f01d5c4a9f39055e112ded33d3
SHA256c39d96311181bd623c17bc6fb5c3cdc6b5a28e738b8ecf977368947d06e87710
SHA5123785995ca2d80883f54df3750c9bc95d1b29be940ed1d99ab8a695fdf6e65f3846e5db70153129e9ff5bb1b897690e2bd551a934b5460b726121090cd9753e7f
-
MD5
f1e1e438338d88719b74c70a4d61ce33
SHA1bda4ae57aab1e313e43a9e17ff7e85017ce6dd57
SHA256fc40be3dff950df17341a42e062dec4f496fafe5ffd455aab2656ce53949710b
SHA5126ab179eb58dd61c3e83b8dbb9e42ef86b94de4a8e3c47d431cd4901c6109620e6b89e912b715e4817f9099da622ee19dd39174277b2d3ff28319ddc6e2c536ef
-
MD5
f1e1e438338d88719b74c70a4d61ce33
SHA1bda4ae57aab1e313e43a9e17ff7e85017ce6dd57
SHA256fc40be3dff950df17341a42e062dec4f496fafe5ffd455aab2656ce53949710b
SHA5126ab179eb58dd61c3e83b8dbb9e42ef86b94de4a8e3c47d431cd4901c6109620e6b89e912b715e4817f9099da622ee19dd39174277b2d3ff28319ddc6e2c536ef
-
MD5
57b5f410bba704152ed728ae30b26665
SHA1755da63fac5d2f95d600253a0a94e4d19c62eb96
SHA2562dbeea7c52d13a743dbdbdde06da28d1616ea6b1d765684fd3ec1a8f44040269
SHA512670a23161098b3c990f5c1c07ad86cb3fb14a61a62460f2e016d660331c07353a809ed5da92fa32e0e1d84512d8325fa3ecc896c0c2c10e1e8a6762a34cc416c
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
316KB
-
-
Filesize
568KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
Filesize
152KB
-
Filesize
264KB
-
-
-
Filesize
316KB
-
Filesize
568KB
-
Filesize
88KB
-
Filesize
76KB
-
Filesize
68KB
-
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
16KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
496KB
-