Analysis

  • max time kernel
    133s
  • max time network
    150s
  • resource
    win10v191014

General

  • Target

    crypted[1].bin

  • Sample

    191129-bykghah8ge

  • SHA256

    9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Score
N/A

Malware Config

Signatures

  • Checks for installed software on the system ⋅ 1 TTPs 1 IoCs
  • Drops file in system dir ⋅ 5 IoCs
  • raccoon family
  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs
  • Reads Dragon user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Nichrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Mustang user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Chedot user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Reads Uran user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Epic privacy browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Secure browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads user profile for Thunderbird email client, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Waterfox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Centbrowser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Qip surf user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads 7star user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Suhba user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Chrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Chrome SxS user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Chromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Bromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Go! user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Firefox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Accesses Bither wallet, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Rockmelt user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Kometa user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Elements browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Tor Browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Torch user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Orbitum user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Sputnik user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Superbird user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
  • Windows security modification ⋅ 2 TTPs 2 IoCs
  • Checks system information in the registry (likely anti-VM) ⋅ 2 TTPs 2 IoCs
  • ⋅ 4 IoCs
  • Loads dropped DLL ⋅ 1 IoCs
  • Reads Amigo user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Vivaldi user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
  • Reads Pale Moon browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Checks for installed software on the system
    Suspicious use of WriteProcessMemory
    Reads Dragon user data, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Suspicious use of SetWindowsHookEx
    Reads Uran user data, possible credential harvesting
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Secure browser user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Reads Chrome user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Chromium user data, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Go! user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Accesses Bither wallet, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Sputnik user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Loads dropped DLL
    Reads Amigo user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    PID:4964
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    Suspicious use of WriteProcessMemory
    PID:5036
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID:5064
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Suspicious use of WriteProcessMemory
    PID:3996
  • C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    Runs ping.exe
    PID:3972
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    Drops file in system dir
    PID:3700
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:3128
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    Checks system information in the registry (likely anti-VM)
    PID:4056
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    Windows security modification
    PID:4336
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:2448

Network

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
