Analysis

  • max time kernel
    133s
  • resource
    win10v191014
  • submitted
    05-12-2019 16:37

General

  • Target

    289B.tmp.bin.exe

  • Sample

    191205-2zpm3225me

  • SHA256

    9b99297dd7c5e0e0a418fe6315d9d850013b62b3358444b8a825adeb80dd683c

Malware Config

Signatures

  • Reads Chromium user data, possible credential harvesting 2 TTPs 1 IoCs
  • Raccoon

    It's the RaccAttack!

  • Reads Dragon user data, possible credential harvesting 2 TTPs 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Reads Amigo user data, possible credential harvesting 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Reads Pale Moon browser user profile, possible credential harvesting 2 TTPs 1 IoCs
  • Checks for installed software on the system 1 TTPs 27 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Reads Superbird user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Torch user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads user profile for Thunderbird email client, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Qip surf user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads 7star user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Epic privacy browser user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Chrome SxS user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Sputnik user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Chedot user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Rockmelt user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Waterfox user profile, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Suhba user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Orbitum user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Nichrome user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Mustang user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Vivaldi user data, possible credential harvesting 2 TTPs 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Reads Centbrowser user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Tor Browser user profile, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Firefox user profile, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Elements browser user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Secure browser user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Kometa user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Uran user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Chrome user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Bromium user data, possible credential harvesting 2 TTPs 1 IoCs
  • Reads Go! user data, possible credential harvesting 2 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe"
    1⤵
    • Reads Chromium user data, possible credential harvesting
    • Reads Dragon user data, possible credential harvesting
    • Loads dropped DLL
    • Reads Amigo user data, possible credential harvesting
    • Reads Pale Moon browser user profile, possible credential harvesting
    • Suspicious use of WriteProcessMemory
    • Reads Superbird user data, possible credential harvesting
    • Reads Torch user data, possible credential harvesting
    • Reads user profile for Thunderbird email client, possible credential harvesting
    • Reads Qip surf user data, possible credential harvesting
    • Reads 7star user data, possible credential harvesting
    • Reads Epic privacy browser user data, possible credential harvesting
    • Reads Chrome SxS user data, possible credential harvesting
    • Reads Sputnik user data, possible credential harvesting
    • Reads Chedot user data, possible credential harvesting
    • Reads Rockmelt user data, possible credential harvesting
    • Reads Waterfox user profile, possible credential harvesting
    • Reads Suhba user data, possible credential harvesting
    • Reads Orbitum user data, possible credential harvesting
    • Reads Nichrome user data, possible credential harvesting
    • Reads Mustang user data, possible credential harvesting
    • Reads Vivaldi user data, possible credential harvesting
    • Reads Centbrowser user data, possible credential harvesting
    • Reads Tor Browser user profile, possible credential harvesting
    • Reads Firefox user profile, possible credential harvesting
    • Reads Elements browser user data, possible credential harvesting
    • Reads Secure browser user data, possible credential harvesting
    • Reads Kometa user data, possible credential harvesting
    • Reads Uran user data, possible credential harvesting
    • Reads Chrome user data, possible credential harvesting
    • Reads Bromium user data, possible credential harvesting
    • Reads Go! user data, possible credential harvesting
    PID:4940
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Windows\SysWOW64\PING.EXE
        ping 1.1.1.1 -n 1 -w 3000
        3⤵
        • Runs ping.exe
        PID:4448
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      2⤵
        PID:5104
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Drops file in Windows directory
      PID:4628
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:4748
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
          PID:3972
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k unistacksvcgroup
          1⤵
            PID:2616
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
            1⤵
              PID:4868

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Defense Evasion

            Disabling Security Tools

            1
            T1089

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            30
            T1081

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            1
            T1082

            Remote System Discovery

            1
            T1018

            Collection

            Data from Local System

            30
            T1005

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • \Users\Admin\AppData\LocalLow\AdLibs\mozglue.dll
            • \Users\Admin\AppData\LocalLow\AdLibs\nss3.dll
            • \Users\Admin\AppData\LocalLow\sqlite3.dll
            • memory/4940-0-0x0000000000553000-0x0000000000554000-memory.dmp
              Filesize

              4KB

            • memory/4940-1-0x00000000009C0000-0x00000000009C1000-memory.dmp
              Filesize

              4KB