Analysis

Max time kernel: 133s
Resource: win10v191014
Submitted: 05-12-2019 16:37

Task: task1
Sample: 289B.tmp.bin.exe
Resource: win7v191014
0 signatures

General
Malware Config

Signatures
Reads Chromium user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Chromium\User Data\    process: 289B.tmp.bin.exe

Raccoon
It's the RaccAttack!

Reads Dragon user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Comodo\Dragon\User Data\    process: 289B.tmp.bin.exe

Processes:
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"

Loads dropped DLL (1 IoC)
Processes:
  pid: 4940    process: 289B.tmp.bin.exe
Checks system information in the registry (2 TTPs, 2 IoCs)
System information such as the manufacturer and product name is often read to detect sandbox or virtual-machine environments, where these values identify the hypervisor or sandbox vendor. Reads like these show up in a sandbox API trace but not in Sysmon's registry events, which cover only key creation and deletion, value sets and renames.
Processes:
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Reads Amigo user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Amigo\User Data\    process: 289B.tmp.bin.exe

Reads Pale Moon browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\    process: 289B.tmp.bin.exe

Checks for installed software on the system (1 TTP, 27 IoCs)
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  Key enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC\DisplayName
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743\DisplayName
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 5076 (SppExtComObj.exe) wrote to memory of PID 5104 (SLUI.exe)
  PID 4940 (289B.tmp.bin.exe) wrote to memory of PID 3640 (cmd.exe)
  PID 3640 (cmd.exe) wrote to memory of PID 4448 (PING.EXE)

Reads Superbird user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Superbird\User Data\    process: 289B.tmp.bin.exe

Reads Torch user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Torch\User Data\    process: 289B.tmp.bin.exe

Reads user profile for Thunderbird email client, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\    process: 289B.tmp.bin.exe

Reads Qip surf user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\QIP Surf\User Data\    process: 289B.tmp.bin.exe

Reads 7star user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\7Star\7Star\User Data\    process: 289B.tmp.bin.exe

Reads Epic privacy browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Epic Privacy Browser\User Data\    process: 289B.tmp.bin.exe

Reads Chrome SxS user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome SxS\User Data\    process: 289B.tmp.bin.exe

Reads Sputnik user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Sputnik\Sputnik\User Data\    process: 289B.tmp.bin.exe

Reads Chedot user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Chedot\User Data\    process: 289B.tmp.bin.exe

Reads Rockmelt user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\RockMelt\User Data\    process: 289B.tmp.bin.exe

Reads Waterfox user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Roaming\WaterFox\Profiles\    process: 289B.tmp.bin.exe

Reads Suhba user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Suhba\User Data\    process: 289B.tmp.bin.exe

Reads Orbitum user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Orbitum\User Data\    process: 289B.tmp.bin.exe

Reads Nichrome user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Nichrome\User Data\    process: 289B.tmp.bin.exe

Reads Mustang user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Rafotech\Mustang\User Data\    process: 289B.tmp.bin.exe

Reads Vivaldi user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Vivaldi\User Data\    process: 289B.tmp.bin.exe

Drops file in Windows directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\Debug\ESE.TXT    process: svchost.exe

Reads Centbrowser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\CentBrowser\User Data\    process: 289B.tmp.bin.exe

Reads Tor Browser user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\TorBro\Profile\    process: 289B.tmp.bin.exe

Reads Firefox user profile, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\    process: 289B.tmp.bin.exe

Reads Elements browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Elements Browser\User Data\    process: 289B.tmp.bin.exe

Reads Secure browser user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Safer Technologies\Secure Browser\User Data\    process: 289B.tmp.bin.exe

Reads Kometa user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Kometa\User Data\    process: 289B.tmp.bin.exe

Reads Uran user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\uCozMedia\Uran\User Data\    process: 289B.tmp.bin.exe

Reads Chrome user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\    process: 289B.tmp.bin.exe

Reads Bromium user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Bromium\User Data\    process: 289B.tmp.bin.exe

Reads Go! user data, possible credential harvesting (2 TTPs, 1 IoC)
Processes:
  ioc: C:\Users\Admin\AppData\Local\Go!\User Data\    process: 289B.tmp.bin.exe
Processes

C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe"
  - Reads Chromium user data, possible credential harvesting
  - Reads Dragon user data, possible credential harvesting
  - Loads dropped DLL
  - Reads Amigo user data, possible credential harvesting
  - Reads Pale Moon browser user profile, possible credential harvesting
  - Suspicious use of WriteProcessMemory
  - Reads Superbird user data, possible credential harvesting
  - Reads Torch user data, possible credential harvesting
  - Reads user profile for Thunderbird email client, possible credential harvesting
  - Reads Qip surf user data, possible credential harvesting
  - Reads 7star user data, possible credential harvesting
  - Reads Epic privacy browser user data, possible credential harvesting
  - Reads Chrome SxS user data, possible credential harvesting
  - Reads Sputnik user data, possible credential harvesting
  - Reads Chedot user data, possible credential harvesting
  - Reads Rockmelt user data, possible credential harvesting
  - Reads Waterfox user profile, possible credential harvesting
  - Reads Suhba user data, possible credential harvesting
  - Reads Orbitum user data, possible credential harvesting
  - Reads Nichrome user data, possible credential harvesting
  - Reads Mustang user data, possible credential harvesting
  - Reads Vivaldi user data, possible credential harvesting
  - Reads Centbrowser user data, possible credential harvesting
  - Reads Tor Browser user profile, possible credential harvesting
  - Reads Firefox user profile, possible credential harvesting
  - Reads Elements browser user data, possible credential harvesting
  - Reads Secure browser user data, possible credential harvesting
  - Reads Kometa user data, possible credential harvesting
  - Reads Uran user data, possible credential harvesting
  - Reads Chrome user data, possible credential harvesting
  - Reads Bromium user data, possible credential harvesting
  - Reads Go! user data, possible credential harvesting

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe

C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\SLUI.exe
    Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Drops file in Windows directory

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup

\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc

The sample's own tree is the first one: the stealer runs, then spawns cmd.exe, which uses a one-packet ping with a 3000 ms timeout as a sleep before deleting the sample's executable from disk. The SppExtComObj.exe/SLUI.exe pair (the Software Protection Platform's scheduled activation check) and the svchost.exe service hosts are background Windows activity that fell inside the analysis window; the WriteProcessMemory and "Drops file in Windows directory" hits attributed to them are not caused by the sample.
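As an added example (not code from the sandbox, the report or the sample), the following Python turns three behaviours visible above into detection logic that runs over process, file-read and registry-write events: one process sweeping the profile directories of many different browsers and mail clients, the cmd.exe "ping ... & Del" self-deletion chain, and a non-Windows process writing Security Center values. The event records are constructed here to mirror the report's PIDs and paths, and the field names (type, pid, ppid, image, cmdline, path, value) are assumptions rather than any particular EDR schema.

```python
# Added example (not code from the sandbox or the sample): detection logic run
# over constructed telemetry modelled on the report's process tree and IoCs.
# It flags (1) one process reading profile directories of many different
# browsers/mail clients, (2) the 'cmd.exe /C ping ... & Del' chain used to
# delete the sample's own binary, and (3) a non-Windows process writing
# Security Center registry values. Event field names are assumptions.
import re
from collections import defaultdict

# Profile roots as they appear in the report: "<vendor>\User Data" under
# AppData\Local, or a "Profiles"/"Profile" directory under AppData\Roaming or
# AppData\Local. The vendor segment is captured for per-process counting.
PROFILE_DIR_RE = re.compile(
    r'\\AppData\\(?:Local|Roaming)\\(?P<vendor>.+?)\\(?:User Data|Profiles?)(?:\\|$)',
    re.IGNORECASE,
)

# Self-deletion chain from the process tree: ping is abused as a sleep so the
# parent has exited (releasing its image file) before del runs.
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+.*?&\s*(?:del|erase)\s+(?:/[fq]\s+)*"?(?P<target>[^"&]+?)"?\s*$',
    re.IGNORECASE,
)

SECURITY_CENTER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center"


def find_profile_sweeps(events, min_vendors=5):
    """{pid: sorted vendors} for processes reading profile dirs of at least
    min_vendors distinct vendors. A browser reads only its own profile."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_read":
            m = PROFILE_DIR_RE.search(ev["path"])
            if m:
                seen[ev["pid"]].add(m.group("vendor").lower())
    return {pid: sorted(v) for pid, v in seen.items() if len(v) >= min_vendors}


def find_self_delete_chains(events):
    """[(cmd_pid, parent_pid, deleted_path)] for cmd.exe children whose
    command line deletes the parent's own image after a ping delay."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    hits = []
    for ev in procs.values():
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(ev["cmdline"])
        parent = procs.get(ev["ppid"])
        if m and parent and m.group("target").strip().lower() == parent["image"].lower():
            hits.append((ev["pid"], parent["pid"], m.group("target").strip()))
    return hits


def find_security_center_tampering(events):
    """[(pid, value_path, data)] for registry writes under the Security Center
    key by any image outside C:\\Windows\\ (the report shows cval set to 0, then 1)."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "process"}
    prefix = SECURITY_CENTER_KEY.lower() + "\\"
    hits = []
    for ev in events:
        if ev["type"] != "reg_set" or not ev["path"].lower().startswith(prefix):
            continue
        if images.get(ev["pid"], "").lower().startswith("c:\\windows\\"):
            continue
        hits.append((ev["pid"], ev["path"], ev["value"]))
    return hits


# Constructed events (not real telemetry), following the report's PIDs.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\289B.tmp.bin.exe"
EVENTS = [
    {"type": "process", "pid": 4940, "ppid": 1000, "image": SAMPLE_EXE,
     "cmdline": f'"{SAMPLE_EXE}"'},
    {"type": "process", "pid": 3640, "ppid": 4940, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "{SAMPLE_EXE}"'},
    {"type": "process", "pid": 4448, "ppid": 3640, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
    # Benign control: a real browser touches only its own profile.
    {"type": "process", "pid": 2200, "ppid": 1000, "cmdline": "chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "file_read", "pid": 2200,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "reg_set", "pid": 4940, "path": SECURITY_CENTER_KEY + r"\cval", "value": "0"},
    {"type": "reg_set", "pid": 4940, "path": SECURITY_CENTER_KEY + r"\cval", "value": "1"},
]
EVENTS += [{"type": "file_read", "pid": 4940, "path": p} for p in (
    r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data",
    r"C:\Users\Admin\AppData\Local\Chromium\User Data",
    r"C:\Users\Admin\AppData\Local\Vivaldi\User Data",
    r"C:\Users\Admin\AppData\Local\7Star\7Star\User Data",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles",
    r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles",
    r"C:\Users\Admin\AppData\Local\TorBro\Profile",
)]

if __name__ == "__main__":
    print("profile sweeps:", find_profile_sweeps(EVENTS))
    print("self-delete chains:", find_self_delete_chains(EVENTS))
    print("Security Center writes:", find_security_center_tampering(EVENTS))
```

The vendor threshold is the point of the first detector: any single browser legitimately opens its own "User Data" directory, so the signal is the number of distinct vendors one process touches, not any one path. The self-delete check deliberately requires the deleted path to equal the parent's image; a cmd.exe that pings and deletes some other file is a weaker indicator and would need its own rule.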
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files:
- \Users\Admin\AppData\LocalLow\AdLibs\mozglue.dll
- \Users\Admin\AppData\LocalLow\AdLibs\nss3.dll
- \Users\Admin\AppData\LocalLow\sqlite3.dll

mozglue.dll and nss3.dll are Mozilla's NSS runtime libraries and sqlite3.dll is the SQLite engine; stealers drop them so they can open browser SQLite databases and decrypt Firefox and Thunderbird saved logins without depending on an installed browser. These are the files behind the "Loads dropped DLL" signature above.

Memory dumps:
- memory/4940-0-0x0000000000553000-0x0000000000554000-memory.dmp (4KB)
- memory/4940-1-0x00000000009C0000-0x00000000009C1000-memory.dmp (4KB)