Analysis
Max time kernel: 132s
Resource: win10v191014
Submitted: 02-12-2019 23:11
Task: task1
Sample: payload.bin.exe
Resource: win7v191014
0 signatures
Signatures
Reads Pale Moon browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\ (process: payload.bin.exe)
Reads Bromium user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Bromium\User Data\ (process: payload.bin.exe)
Reads Torch user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Torch\User Data\ (process: payload.bin.exe)
Reads Kometa user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Kometa\User Data\ (process: payload.bin.exe)
Reads Chrome SxS user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\ (process: payload.bin.exe)
Loads dropped DLL (1 IoC)
Processes:
  PID 4992 (process: payload.bin.exe)
Raccoon
It's the RaccAttack!
Reads Suhba user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Suhba\User Data\ (process: payload.bin.exe)
Reads Orbitum user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Orbitum\User Data\ (process: payload.bin.exe)
Reads 7star user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\ (process: payload.bin.exe)
Reads Amigo user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Amigo\User Data\ (process: payload.bin.exe)
Reads user profile for Thunderbird email client, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\ (process: payload.bin.exe)
Reads Uran user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\ (process: payload.bin.exe)
Reads Waterfox user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\ (process: payload.bin.exe)
Reads Dragon user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\ (process: payload.bin.exe)
Processes:
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"
Reads Go! user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Go!\User Data\ (process: payload.bin.exe)
Reads Superbird user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Superbird\User Data\ (process: payload.bin.exe)
Reads Elements browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Elements Browser\User Data\ (process: payload.bin.exe)
Reads Sputnik user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\ (process: payload.bin.exe)
Checks for installed software on the system (1 TTP, 27 IoCs)
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
  Key enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
Reads Chrome user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ (process: payload.bin.exe)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 1692 (SppExtComObj.exe) wrote to memory of PID 68 (target process: SLUI.exe)
  PID 4992 (payload.bin.exe) wrote to memory of PID 4768 (target process: cmd.exe)
  PID 4768 (cmd.exe) wrote to memory of PID 3964 (target process: PING.EXE)
Reads Epic privacy browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\ (process: payload.bin.exe)
Reads Tor Browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\TorBro\Profile\ (process: payload.bin.exe)
Reads Firefox user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ (process: payload.bin.exe)
Reads Secure browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\ (process: payload.bin.exe)
Reads Rockmelt user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\RockMelt\User Data\ (process: payload.bin.exe)
Reads Chromium user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Chromium\User Data\ (process: payload.bin.exe)
Reads Centbrowser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\CentBrowser\User Data\ (process: payload.bin.exe)
Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\Debug\ESE.TXT (process: svchost.exe)
Reads Nichrome user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Nichrome\User Data\ (process: payload.bin.exe)
Reads Mustang user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\ (process: payload.bin.exe)
Reads Chedot user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Chedot\User Data\ (process: payload.bin.exe)
Checks system information in the registry (2 TTPs, 2 IoCs)
System information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Reads Qip surf user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\QIP Surf\User Data\ (process: payload.bin.exe)
Reads Vivaldi user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  IoC: C:\Users\Admin\AppData\Local\Vivaldi\User Data\ (process: payload.bin.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
  - Reads Pale Moon browser user profile, possible credential harvesting
  - Reads Bromium user data, possible credential harvesting
  - Reads Torch user data, possible credential harvesting
  - Reads Kometa user data, possible credential harvesting
  - Reads Chrome SxS user data, possible credential harvesting
  - Loads dropped DLL
  - Reads Suhba user data, possible credential harvesting
  - Reads Orbitum user data, possible credential harvesting
  - Reads 7star user data, possible credential harvesting
  - Reads Amigo user data, possible credential harvesting
  - Reads user profile for Thunderbird email client, possible credential harvesting
  - Reads Uran user data, possible credential harvesting
  - Reads Waterfox user profile, possible credential harvesting
  - Reads Dragon user data, possible credential harvesting
  - Reads Go! user data, possible credential harvesting
  - Reads Superbird user data, possible credential harvesting
  - Reads Elements browser user data, possible credential harvesting
  - Reads Sputnik user data, possible credential harvesting
  - Reads Chrome user data, possible credential harvesting
  - Suspicious use of WriteProcessMemory
  - Reads Epic privacy browser user data, possible credential harvesting
  - Reads Tor Browser user profile, possible credential harvesting
  - Reads Firefox user profile, possible credential harvesting
  - Reads Secure browser user data, possible credential harvesting
  - Reads Rockmelt user data, possible credential harvesting
  - Reads Chromium user data, possible credential harvesting
  - Reads Centbrowser user data, possible credential harvesting
  - Reads Nichrome user data, possible credential harvesting
  - Reads Mustang user data, possible credential harvesting
  - Reads Chedot user data, possible credential harvesting
  - Reads Qip surf user data, possible credential harvesting
  - Reads Vivaldi user data, possible credential harvesting
  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\SLUI.exe
    Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in Windows directory
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\AdLibs\mozglue.dll
- \Users\Admin\AppData\Local\Temp\AdLibs\nss3.dll
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
- memory/4992-0-0x00000000006A9000-0x00000000006AA000-memory.dmp (Filesize: 4KB)
- memory/4992-1-0x00000000021B0000-0x00000000021B1000-memory.dmp (Filesize: 4KB)
- memory/4992-2-0x00000000021B0000-0x00000000021B1000-memory.dmp (Filesize: 4KB)