Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    133s
  • max time network
    150s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    crypted[1].bin

  • Sample

    191129-bykghah8ge

  • SHA256

    9a923eb389bf1c51d9a53cc52951dcbc2bd4f2ac2cb810295e201987031a6e57

Score
N/A

Malware Config

Signatures

  • Checks for installed software on the system ⋅ 1 TTPs 1 IoCs
    discovery
  • Drops file in system dir ⋅ 5 IoCs
  • raccoon family
    familyraccoon
  • Suspicious use of WriteProcessMemory ⋅ 3 IoCs
  • Reads Dragon user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Nichrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Mustang user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Chedot user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Reads Uran user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Epic privacy browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Secure browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads user profile for Thunderbird email client, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Waterfox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Centbrowser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Qip surf user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads 7star user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Suhba user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Chrome user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Chrome SxS user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Chromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Bromium user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Go! user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Firefox user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Accesses Bither wallet, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Rockmelt user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Kometa user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Elements browser user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Tor Browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Torch user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Orbitum user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Sputnik user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Superbird user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Runs ping.exe ⋅ 1 TTPs 1 IoCs
    evasionspreading
  • Windows security modification ⋅ 2 TTPs 2 IoCs
    evasiontrojan
  • Checks system information in the registry (likely anti-VM) ⋅ 2 TTPs 2 IoCs
  • ⋅ 4 IoCs
  • Loads dropped DLL ⋅ 1 IoCs
  • Reads Amigo user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Vivaldi user data, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware
  • Reads Pale Moon browser user profile, possible credential harvesting ⋅ 2 TTPs 1 IoCs
    spyware

Processes

  • C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Checks for installed software on the system
    Suspicious use of WriteProcessMemory
    Reads Dragon user data, possible credential harvesting
    Reads Nichrome user data, possible credential harvesting
    Reads Mustang user data, possible credential harvesting
    Reads Chedot user data, possible credential harvesting
    Suspicious use of SetWindowsHookEx
    Reads Uran user data, possible credential harvesting
    Reads Epic privacy browser user data, possible credential harvesting
    Reads Secure browser user data, possible credential harvesting
    Reads user profile for Thunderbird email client, possible credential harvesting
    Reads Waterfox user profile, possible credential harvesting
    Reads Centbrowser user data, possible credential harvesting
    Reads Qip surf user data, possible credential harvesting
    Reads 7star user data, possible credential harvesting
    Reads Suhba user data, possible credential harvesting
    Reads Chrome user data, possible credential harvesting
    Reads Chrome SxS user data, possible credential harvesting
    Reads Chromium user data, possible credential harvesting
    Reads Bromium user data, possible credential harvesting
    Reads Go! user data, possible credential harvesting
    Reads Firefox user profile, possible credential harvesting
    Accesses Bither wallet, possible credential harvesting
    Reads Rockmelt user data, possible credential harvesting
    Reads Kometa user data, possible credential harvesting
    Reads Elements browser user data, possible credential harvesting
    Reads Tor Browser user profile, possible credential harvesting
    Reads Torch user data, possible credential harvesting
    Reads Orbitum user data, possible credential harvesting
    Reads Sputnik user data, possible credential harvesting
    Reads Superbird user data, possible credential harvesting
    Loads dropped DLL
    Reads Amigo user data, possible credential harvesting
    Reads Vivaldi user data, possible credential harvesting
    Reads Pale Moon browser user profile, possible credential harvesting
    PID:4964
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    Suspicious use of WriteProcessMemory
    PID:5036
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    PID:5064
  • C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\crypted[1].bin.exe"
    Suspicious use of WriteProcessMemory
    PID:3996
  • C:\Windows\SysWOW64\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    Runs ping.exe
    PID:3972
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    Drops file in system dir
    PID:3700
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
    PID:3128
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
    Checks system information in the registry (likely anti-VM)
    PID:4056
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
    Windows security modification
    PID:4336
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup
    PID:2448

Network

MITRE ATT&CK Matrix

Collection

Command and Control

    Credential Access

    Defense Evasion

    Discovery

    Execution

      Exfiltration

        Impact

          Initial Access

            Lateral Movement

              Persistence

                Privilege Escalation

                  Replay Monitor

                  00:00 00:00

                  Downloads