Analysis
-
max time kernel
161s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04-04-2024 19:13
General
-
Target
2cdffb841cfd9e2e729de2f02c47f8d1.exe
-
Size
30KB
-
MD5
2cdffb841cfd9e2e729de2f02c47f8d1
-
SHA1
8d4e116bd2cfc57bfbe5f05308020e65f93d592d
-
SHA256
12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
-
SHA512
8d344d0afba0eca49b4541b75c3e39dde3b75c9503bdddaf435b834699010852a0ada54fa2381c64bb31211dd9cf12eec0394c1f30700521ae849e29a4e7b90f
-
SSDEEP
768:QVKaUWVgbStx+y4+LK2rTMk6vAZ2HtIWVpw5/:QEaP6QxNxTMSYted
Score
10/10
Malware Config
Extracted
Family
smokeloader
Botnet
kev
Extracted
Family
smokeloader
Version
2022
C2
http://atillapro.com/
https://atillapro.com/
rc4.i32
rc4.i32
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe"C:\Users\Admin\AppData\Local\Temp\2cdffb841cfd9e2e729de2f02c47f8d1.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D6DF.exeC:\Users\Admin\AppData\Local\Temp\D6DF.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D6DF.exeFilesize
479KB
MD508e5f1243ad4970745975b27b6e2f9fa
SHA183b1a8939bd4e2ea5677d8742edd1a697edd196b
SHA25605074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
SHA512d01f83c4c35e6049544d71037b3d8db29cf177e232839c684e2943899e7e891d0e30d996ddb0af58f760ac34dd8fc6acee7338b52b3fda5f17c892f7498d2280
-
memory/1208-79-0x0000000000070000-0x0000000000079000-memory.dmpFilesize
36KB
-
memory/1208-63-0x0000000000070000-0x0000000000079000-memory.dmpFilesize
36KB
-
memory/1208-61-0x0000000000060000-0x000000000006F000-memory.dmpFilesize
60KB
-
memory/1208-64-0x0000000000060000-0x000000000006F000-memory.dmpFilesize
60KB
-
memory/1360-1-0x0000000002590000-0x00000000025A6000-memory.dmpFilesize
88KB
-
memory/1624-72-0x0000000000070000-0x0000000000077000-memory.dmpFilesize
28KB
-
memory/1624-86-0x0000000000060000-0x000000000006D000-memory.dmpFilesize
52KB
-
memory/1624-74-0x0000000000060000-0x000000000006D000-memory.dmpFilesize
52KB
-
memory/1712-42-0x0000000000090000-0x000000000009A000-memory.dmpFilesize
40KB
-
memory/1712-44-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1712-40-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1840-85-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1840-70-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1840-71-0x0000000000090000-0x0000000000096000-memory.dmpFilesize
24KB
-
memory/2304-77-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/2304-75-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/2304-76-0x0000000000090000-0x0000000000098000-memory.dmpFilesize
32KB
-
memory/2304-87-0x0000000000090000-0x0000000000098000-memory.dmpFilesize
32KB
-
memory/2376-36-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/2376-35-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/2416-34-0x0000000000100000-0x000000000016B000-memory.dmpFilesize
428KB
-
memory/2416-21-0x0000000000100000-0x000000000016B000-memory.dmpFilesize
428KB
-
memory/2416-20-0x0000000000100000-0x000000000016B000-memory.dmpFilesize
428KB
-
memory/2416-19-0x0000000000170000-0x00000000001E5000-memory.dmpFilesize
468KB
-
memory/2504-48-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2504-47-0x0000000002E60000-0x0000000003260000-memory.dmpFilesize
4.0MB
-
memory/2504-45-0x0000000076430000-0x0000000076477000-memory.dmpFilesize
284KB
-
memory/2504-41-0x0000000077BB0000-0x0000000077D59000-memory.dmpFilesize
1.7MB
-
memory/2504-39-0x0000000002E60000-0x0000000003260000-memory.dmpFilesize
4.0MB
-
memory/2504-38-0x0000000002E60000-0x0000000003260000-memory.dmpFilesize
4.0MB
-
memory/2504-37-0x0000000002E60000-0x0000000003260000-memory.dmpFilesize
4.0MB
-
memory/2504-18-0x0000000000400000-0x000000000048B000-memory.dmpFilesize
556KB
-
memory/2568-67-0x0000000000060000-0x000000000006F000-memory.dmpFilesize
60KB
-
memory/2568-80-0x0000000000060000-0x000000000006F000-memory.dmpFilesize
60KB
-
memory/2568-65-0x0000000000080000-0x00000000000A7000-memory.dmpFilesize
156KB
-
memory/2568-66-0x0000000000080000-0x00000000000A7000-memory.dmpFilesize
156KB
-
memory/2676-0-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2676-2-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2704-58-0x0000000076430000-0x0000000076477000-memory.dmpFilesize
284KB
-
memory/2704-62-0x0000000001DB0000-0x00000000021B0000-memory.dmpFilesize
4.0MB
-
memory/2704-54-0x0000000077BB0000-0x0000000077D59000-memory.dmpFilesize
1.7MB
-
memory/2704-51-0x0000000001DB0000-0x00000000021B0000-memory.dmpFilesize
4.0MB
-
memory/2704-59-0x0000000001DB0000-0x00000000021B0000-memory.dmpFilesize
4.0MB
-
memory/2704-50-0x0000000001DB0000-0x00000000021B0000-memory.dmpFilesize
4.0MB
-
memory/2704-46-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2704-60-0x0000000077BB0000-0x0000000077D59000-memory.dmpFilesize
1.7MB
-
memory/2748-53-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/2748-57-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/2748-55-0x0000000000090000-0x0000000000097000-memory.dmpFilesize
28KB
-
memory/2748-78-0x0000000000090000-0x0000000000097000-memory.dmpFilesize
28KB