Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7
- submitted: 19-09-2020 00:19
Static task: static1
Behavioral task: behavioral1 (Sample: 3Z8QHEBk.tmp.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: 3Z8QHEBk.tmp.exe, Resource: win10v200722)
This page shows the win7 run (behavioral1); the win10v200722 results are not on it.
General
- Target: 3Z8QHEBk.tmp.exe
- Size: 137KB
- MD5: 0d969fd596743d82839ac89189f47a2b
- SHA1: 2adb5aba20d3af1b9c78856555a08015b0f7df25
- SHA256: a3c625b0c6de6b9885470ce4e5f55e08e64c82c668cdc1df8d1a81d751f401be
- SHA512: ac2f7d71e8c547b6c8c12fc00ea9ef27a76daf59fdfe5b42cc32f42cebc85a689e04da239489a59c746300f89e1977f935ae94bd2a0047c27f428832a070068c
Malware Config
Extracted from C:\Users\Admin\AppData\LocalLow\machineinfo.txt: raccoon
Extracted: smokeloader (2020), C2 URLs (each host is listed once over http and once over https):
- http://dkajsdjiqwdwnfj.info/
- http://2831ujedkdajsdj.info/
- http://928eijdksasnfss.info/
- https://dkajsdjiqwdwnfj.info/
- https://2831ujedkdajsdj.info/
- https://928eijdksasnfss.info/
Extracted: zloader (DLLobnova, 02.09.2020dll), gate URLs:
- https://fqnvtmqsywublocpheas.ru/gate.php
- https://fqnvtmqsywublocpheas.su/gate.php
- https://fqnvtmqsywublocpheas.eu/gate.php
- https://fqnvtmqsywuikdjsmasablocpheas.eu/gate.php
- https://fqnssvtmqsywufblocpheas.eu/gate.php
- https://fqnvtmqsywublfocpheas.eu/gate.php
- https://fqnvtmqsyfwublocpheas.eu/gate.php
- https://fqnvtmqsywubflocpheas.eu/gate.php
The ZLoader list is one base name (fqnvtmqsywublocpheas) across .ru, .su and .eu plus five mutated spellings of it, and the SmokeLoader list repeats three hosts over two schemes; block on the hostnames, not on the exact URL strings, so that scheme and path variants are covered as well.
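The blocklist step described above, as an added example that is not part of the sandbox report: the two extracted C2 lists are reduced to unique hostnames (collapsing the http/https pairs) and a DNS query log is swept against them. The log lines are constructed for the example and assume a "timestamp client qname qtype" layout; nothing here is the sandbox's own tooling.

```python
"""Hostname blocklist from the SmokeLoader and ZLoader C2 lists above, matched
against a DNS query log.  Added example, not part of the report; the log lines
are constructed and use an assumed "<timestamp> <client> <qname> <qtype>" layout."""
from urllib.parse import urlsplit

# C2 / gate URLs copied from the extracted configs above.
SMOKELOADER_C2 = [
    "http://dkajsdjiqwdwnfj.info/",
    "http://2831ujedkdajsdj.info/",
    "http://928eijdksasnfss.info/",
    "https://dkajsdjiqwdwnfj.info/",
    "https://2831ujedkdajsdj.info/",
    "https://928eijdksasnfss.info/",
]
ZLOADER_GATES = [
    "https://fqnvtmqsywublocpheas.ru/gate.php",
    "https://fqnvtmqsywublocpheas.su/gate.php",
    "https://fqnvtmqsywublocpheas.eu/gate.php",
    "https://fqnvtmqsywuikdjsmasablocpheas.eu/gate.php",
    "https://fqnssvtmqsywufblocpheas.eu/gate.php",
    "https://fqnvtmqsywublfocpheas.eu/gate.php",
    "https://fqnvtmqsyfwublocpheas.eu/gate.php",
    "https://fqnvtmqsywubflocpheas.eu/gate.php",
]

# Constructed DNS log: one resolver line per query, not taken from the report.
SAMPLE_DNS_LOG = [
    "2020-09-19T00:21:03Z 10.0.0.7 dkajsdjiqwdwnfj.info A",
    "2020-09-19T00:21:04Z 10.0.0.7 www.microsoft.com A",
    "2020-09-19T00:21:09Z 10.0.0.7 www.fqnvtmqsywublocpheas.eu A",
    "2020-09-19T00:21:10Z 10.0.0.7 notfqnvtmqsywublocpheas.eu A",
    "garbage line",
]


def extract_hosts(urls):
    """Sorted unique hostnames; the http/https pairs in the SmokeLoader list collapse to one entry."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return sorted(hosts)


def host_matches(qname, blocklist):
    """Exact host or any subdomain of it; a name that merely ends in the host
    (notevil.eu against evil.eu) must not match, hence the leading dot."""
    q = qname.lower().rstrip(".")
    return any(q == h or q.endswith("." + h) for h in blocklist)


def match_dns_log(lines, blocklist):
    """(timestamp, client, qname) for every query whose name hits the blocklist."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, qname, _qtype = fields[:4]
        if host_matches(qname, blocklist):
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    block = extract_hosts(SMOKELOADER_C2 + ZLOADER_GATES)
    print(f"{len(block)} hosts in blocklist")
    for ts, client, qname in match_dns_log(SAMPLE_DNS_LOG, block):
        print(ts, client, qname)
```

The suffix check is the part worth copying: matching on `endswith(host)` alone would also flag `notfqnvtmqsywublocpheas.eu`, while a plain equality check would miss `www.` and other subdomain variants of the same gate.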
Signatures

Raccoon log file (1 IoC)
Detects a log file produced by the Raccoon Stealer.
- yara_rule: raccoon_log_file
SmokeLoader
Modular backdoor trojan in use since 2014.

Blacklisted process makes network request (15 IoCs)
- msiexec.exe (PID 1064): network flows 20 through 34
Executes dropped EXE (1 IoC)
- 975F.exe (PID 1864)

Deletes itself (1 IoC)
- PID 1324 (no image name recorded)

Loads dropped DLL (10 IoCs)
- 3Z8QHEBk.tmp.exe (PID 1060): 1 load
- regsvr32.exe (PID 1964): 1 load
- 975F.exe (PID 1864): 8 loads
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 2 IoCs)
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meis = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Cexaox\\fukymiyr.dll"
The value is written by msiexec.exe, the process that regsvr32.exe injected into (see SetThreadContext below), so the persistence belongs to the 982B.dll payload rather than to msiexec.exe itself. regsvr32 /s re-registers the DLL silently at every logon, and the DLL sits under AppData\Roaming, a user-writable path; the doubled backslashes are the report's string escaping.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
JavaScript code in executable (1 IoC)
- resource \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll: yara_rule js
nss3.dll is Mozilla's NSS library, dropped together with freebl3.dll, softokn3.dll, mozglue.dll and sqlite3.dll so that the stealer can read Firefox's credential database; treat this hit as a string match on a legitimate library, not as a second payload.
Modifies service (2 TTPs, 2 IoCs)
- ipconfig.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
- ipconfig.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
The writing process is the legitimate ipconfig.exe and the keys belong to the Network Access Protection agent service, so these are a side effect of running ipconfig /all rather than malware-controlled writes; the attacker-relevant fact is that the hollowed msiexec.exe launched ipconfig /all at all.
Suspicious use of SetThreadContext (1 IoC)
- regsvr32.exe (PID 1964) set thread context of msiexec.exe (PID 1064)
Combined with the repeated WriteProcessMemory calls from PID 1964 into PID 1064 (listed below) and the fact that it is msiexec.exe, not regsvr32.exe, that then makes the network requests and writes the Run key, this is consistent with process hollowing: 982B.dll, loaded by regsvr32, starts msiexec.exe, overwrites its memory and redirects its initial thread into the injected code.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- 3Z8QHEBk.tmp.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 3Z8QHEBk.tmp.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 3Z8QHEBk.tmp.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
The device identifiers under Enum\SCSI carry the virtual disk's vendor string (VMware, VBOX, QEMU and the like), which is what a loader looks for there before it unpacks.
Delays execution with timeout.exe (1 IoC)
- timeout.exe (PID 688)

Discovers systems in the same network (1 TTP, 2 IoCs)
(net view /all and net view /all /domain; see the process tree)

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
- ipconfig.exe (PID 956)
Modifies system certificate store (1 IoC)
- 975F.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
- 975F.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of DST Root CA X3, the IdenTrust root that cross-signed Let's Encrypt at the time. A write under AuthRoot\Certificates with that thumbprint is what Windows' automatic root update produces when a process first builds a chain to a Let's Encrypt-issued certificate, so this is most likely a side effect of the stealer's TLS traffic rather than deliberate tampering with the trust store.

Runs net.exe
(net config workstation, net view /all, net view /all /domain; see the process tree)
Suspicious behavior: EnumeratesProcesses (774 IoCs)
- 3Z8QHEBk.tmp.exe (PID 1060): 2 entries
- PID 1324: all remaining entries
PID 1324 is never named in the report. It is the process that deletes the original file, spawns 975F.exe and regsvr32.exe and calls FindShellTrayWindow/SendNotifyMessage, behaviour consistent with SmokeLoader's usual injection into an already-running explorer.exe (an inference; the page itself does not name it).

Suspicious behavior: MapViewOfSection (1 IoC)
- 3Z8QHEBk.tmp.exe (PID 1060)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- msiexec.exe (PID 1064): Token: SeSecurityPrivilege (2 entries)

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1324 (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1324 (4 entries)
Suspicious use of WriteProcessMemory (69 IoCs)
One row per call in the report; de-duplicated here as source -> target, with the number of rows in parentheses:
- PID 1324 (unnamed) -> PID 1864 975F.exe (4)
- PID 1324 (unnamed) -> PID 1880 regsvr32.exe (5)
- PID 1880 regsvr32.exe -> PID 1964 regsvr32.exe (7)
- PID 1864 975F.exe -> PID 580 cmd.exe (4)
- PID 580 cmd.exe -> PID 688 timeout.exe (4)
- PID 1964 regsvr32.exe -> PID 1064 msiexec.exe (9)
- PID 1064 msiexec.exe -> PID 788 cmd.exe (4)
- PID 788 cmd.exe -> PID 956 ipconfig.exe (4)
- PID 1064 msiexec.exe -> PID 1400 cmd.exe (4)
- PID 1400 cmd.exe -> PID 1320 net.exe (4)
- PID 1320 net.exe -> PID 1332 net1.exe (4)
- PID 1064 msiexec.exe -> PID 1068 cmd.exe (4)
- PID 1068 cmd.exe -> PID 1096 net.exe (4)
- PID 1064 msiexec.exe -> PID 1244 cmd.exe (3; the listing is cut off here, 64 of the 69 rows are shown)
Every ordinary parent/child pair in this run produces four or five rows, so the count alone is not the signal; the nine writes from regsvr32.exe (PID 1964) into msiexec.exe (PID 1064), followed by the SetThreadContext call above, are the injection.
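The reconstruction described above, as an added example that is not part of the sandbox report: the WriteProcessMemory and SetThreadContext rows are parsed into a de-duplicated parent/child graph, the injection is identified as the pair that appears in both sets, and the graph is printed as a tree. The event lines are copied from the rows above (duplicates kept on purpose); the assumption about how names are laid out in a row (source name first, target name second, and an unnamed side being the source) is mine, not the sandbox's documented format.

```python
"""Rebuild the process/injection graph from the sandbox's WriteProcessMemory
and SetThreadContext rows.  Added example, not the report's own tooling; the
rows below are copied from the signature tables above."""
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+\s*(.*)$")
STC_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \d+\s*(.*)$")

# Rows taken from the report, one per line; the sandbox logs one row per call.
SAMPLE_EVENTS = """
PID 1324 wrote to memory of 1864 1324 975F.exe
PID 1324 wrote to memory of 1864 1324 975F.exe
PID 1324 wrote to memory of 1880 1324 regsvr32.exe
PID 1880 wrote to memory of 1964 1880 regsvr32.exe regsvr32.exe
PID 1864 wrote to memory of 580 1864 975F.exe cmd.exe
PID 580 wrote to memory of 688 580 cmd.exe timeout.exe
PID 1964 wrote to memory of 1064 1964 regsvr32.exe msiexec.exe
PID 1964 wrote to memory of 1064 1964 regsvr32.exe msiexec.exe
PID 1964 set thread context of 1064 1964 regsvr32.exe msiexec.exe
PID 1064 wrote to memory of 788 1064 msiexec.exe cmd.exe
PID 788 wrote to memory of 956 788 cmd.exe ipconfig.exe
""".strip().splitlines()


def _names(rest):
    """Assumption about the row layout: two trailing names are source then
    target; a single trailing name is the target and the source is unnamed
    (as for PID 1324 in the report)."""
    parts = rest.split()
    if len(parts) >= 2:
        return parts[0], parts[1]
    if len(parts) == 1:
        return None, parts[0]
    return None, None


def parse_events(lines):
    """Return (names, wpm_edges, stc_edges): pid -> image name, plus the
    de-duplicated (source, target) sets for each API."""
    names, wpm, stc = {}, set(), set()
    for line in lines:
        for rx, bucket in ((WPM_RE, wpm), (STC_RE, stc)):
            m = rx.match(line.strip())
            if not m:
                continue
            src, dst = int(m.group(1)), int(m.group(2))
            sname, dname = _names(m.group(3))
            if sname:
                names[src] = sname
            if dname:
                names[dst] = dname
            bucket.add((src, dst))
    return names, wpm, stc


def find_hollowing(lines):
    """Pairs where one process both wrote into a child and set its thread
    context: the hollowing pattern, as (src_pid, src_name, dst_pid, dst_name)."""
    names, wpm, stc = parse_events(lines)
    return [(s, names.get(s, "?"), d, names.get(d, "?")) for s, d in sorted(wpm & stc)]


def render_tree(lines):
    """Indented parent -> child listing built from the WriteProcessMemory edges."""
    names, wpm, _ = parse_events(lines)
    children = defaultdict(list)
    for s, d in sorted(wpm):
        children[s].append(d)
    targets = {d for _, d in wpm}
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {names.get(pid, '<unnamed>')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(p for p in children if p not in targets):
        walk(root, 0)
    return out


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
    for s, sn, d, dn in find_hollowing(SAMPLE_EVENTS):
        print(f"hollowing candidate: {s} {sn} -> {d} {dn}")
```

Intersecting the two edge sets is the point: the parent/child writes that come with every CreateProcess in this run are filtered out automatically, and only the regsvr32.exe -> msiexec.exe pair survives.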
Processes
Three top-level entries are shown; the parent of 975F.exe and of the first regsvr32.exe is PID 1324, which the report never names. The 64-bit system32\regsvr32.exe re-executes the 32-bit SysWOW64 copy, which is regsvr32's normal behaviour when handed a 32-bit DLL.

- C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\975F.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\975F.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\975F.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      cmdline: timeout /T 10 /NOBREAK
      - Delays execution with timeout.exe
- C:\Windows\system32\regsvr32.exe
  cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\982B.dll
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    cmdline: /s C:\Users\Admin\AppData\Local\Temp\982B.dll
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe
      cmdline: msiexec.exe
      - Blacklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c ipconfig /all
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe
          cmdline: ipconfig /all
          - Modifies service
          - Gathers network information
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c net config workstation
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe
          cmdline: net config workstation
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\net1.exe
            cmdline: C:\Windows\system32\net1 config workstation
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c net view /all
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe
          cmdline: net view /all
          - Discovers systems in the same network
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: cmd.exe /c net view /all /domain
        - C:\Windows\SysWOW64\net.exe
          cmdline: net view /all /domain
          - Discovers systems in the same network

The self-deletion under 975F.exe (wait ten seconds with timeout, then del /f /q on the parent's own image) is the same cleanup that the "Deletes itself" signature reports for PID 1324; the ipconfig /all and net commands under msiexec.exe are the host and network reconnaissance the injected code runs before it checks in.
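Two of the artefacts in the tables above lend themselves to host-based detections: the Run-key value that re-launches a DLL through regsvr32 /s from AppData\Roaming, and the cmd.exe line that waits with timeout and then deletes its parent's own image. The block below is an added example, not the sandbox's signature logic; the event records are constructed from the report's rows (with the value's doubled backslashes collapsed to single ones), and the record field names are assumptions of the example.

```python
"""Detections for the Run-key persistence written by the hollowed msiexec.exe
and for the timeout-then-del self-deletion spawned by 975F.exe.  Added
example, not the sandbox's own logic; the records are constructed from the
report's rows and the field names are the example's own."""
import re

# LOLBins commonly used to proxy-execute a payload from an autorun entry.
LOLBINS = {"regsvr32", "rundll32", "mshta", "wscript", "cscript", "msiexec", "powershell"}

# Path fragments an unprivileged user can write to (lower-case, backslash-delimited).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\appdata\\locallow\\", "\\users\\public\\", "\\programdata\\")

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

# cmd line of the shape: ... timeout ... & del [/switches] "<path>.exe"
SELF_DELETE_RE = re.compile(
    r"\btimeout\b.*?&\s*del\s+(?:/\w\s+)*\"?([^\"&]+?\.exe)\"?\s*$", re.I)


def check_run_value(key_path, value):
    """Reasons a Run-key 'set value' event is suspicious; empty list if none."""
    reasons = []
    if not RUN_KEY_RE.search(key_path):
        return reasons
    v = value.strip().lower()
    if not v:
        return reasons
    tokens = v.split()
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe in LOLBINS:
        reasons.append(f"autorun via LOLBin {exe}")
    if any(frag in v for frag in USER_WRITABLE):
        reasons.append("payload lives in a user-writable directory")
    if exe == "regsvr32" and "/s" in tokens and tokens[-1].endswith(".dll"):
        reasons.append("regsvr32 /s silently registers a DLL at logon")
    return reasons


def check_self_delete(cmdline, parent_image):
    """True when the command waits via timeout and then deletes its parent's image."""
    m = SELF_DELETE_RE.search(cmdline)
    return bool(m) and m.group(1).strip().lower() == parent_image.lower()


# Constructed records modelled on the report's rows (not the sandbox's format).
SAMPLE_EVENTS = [
    {"type": "reg_set", "process": "msiexec.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meis",
     "value": r"regsvr32.exe /s C:\Users\Admin\AppData\Roaming\Cexaox\fukymiyr.dll"},
    {"type": "proc_create", "process": "cmd.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\975F.exe",
     "cmdline": r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\975F.exe"'},
    {"type": "proc_create", "process": "cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
]


def scan(events):
    """(index, finding, details) for every record that trips a detection."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "reg_set":
            reasons = check_run_value(ev["key"], ev["value"])
            if reasons:
                findings.append((i, "persistence", reasons))
        elif ev["type"] == "proc_create":
            if check_self_delete(ev["cmdline"], ev["parent_image"]):
                findings.append((i, "self_delete", [ev["parent_image"]]))
    return findings


if __name__ == "__main__":
    for idx, kind, details in scan(SAMPLE_EVENTS):
        print(idx, kind, "; ".join(details))
```

Each reason in `check_run_value` is weak on its own (regsvr32 in a Run key is not unheard of in legitimate software), which is why the function returns the list rather than a verdict; three hits together, as for the `Meis` value here, are worth an alert. The self-delete check deliberately compares the deleted path with the parent's image so that an unrelated `timeout & del` cleanup script does not fire.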
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\975F.exe
- C:\Users\Admin\AppData\Local\Temp\975F.exe
- C:\Users\Admin\AppData\Local\Temp\982B.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll
- \Users\Admin\AppData\LocalLow\sqlite3.dll
- \Users\Admin\AppData\Local\Temp\210A.tmp
- \Users\Admin\AppData\Local\Temp\982B.dll
The LocalLow\3098htrhpen8ifg0 set (Mozilla NSS plus the VC++ runtime and sqlite3.dll) is the support-library bundle the stealer fetches to decrypt browser credential stores; 975F.exe and 982B.dll are the two stage-two payloads written to Temp by the loader.
-
- memory/468-12-0x000007FEF6B70000-0x000007FEF6DEA000-memory.dmp (2.5MB)
- memory/580-22-0x0000000000000000-mapping.dmp
- memory/688-23-0x0000000000000000-mapping.dmp
- memory/788-28-0x0000000000000000-mapping.dmp
- memory/956-29-0x0000000000000000-mapping.dmp
- memory/1060-0-0x00000000061AB000-0x00000000061AC000-memory.dmp (4KB)
- memory/1060-1-0x0000000007820000-0x0000000007831000-memory.dmp (68KB)
- memory/1064-27-0x0000000000000000-mapping.dmp
- memory/1064-24-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/1064-25-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
- memory/1064-26-0x0000000000090000-0x00000000000BB000-memory.dmp (172KB)
- memory/1068-33-0x0000000000000000-mapping.dmp
- memory/1096-34-0x0000000000000000-mapping.dmp
- memory/1244-35-0x0000000000000000-mapping.dmp
- memory/1320-31-0x0000000000000000-mapping.dmp
- memory/1324-3-0x0000000003C70000-0x0000000003C86000-memory.dmp (88KB)
- memory/1332-32-0x0000000000000000-mapping.dmp
- memory/1400-30-0x0000000000000000-mapping.dmp
- memory/1448-36-0x0000000000000000-mapping.dmp
- memory/1864-4-0x0000000000000000-mapping.dmp
- memory/1864-10-0x0000000002948000-0x0000000002959000-memory.dmp (68KB)
- memory/1864-11-0x0000000002C00000-0x0000000002C11000-memory.dmp (68KB)
- memory/1880-6-0x0000000000000000-mapping.dmp
- memory/1964-8-0x0000000000000000-mapping.dmp
The mapping.dmp entries record a process mapping without a captured region. Of the real dumps, the two 172KB captures of 0x0000000000090000-0x00000000000BB000 in PID 1064 (msiexec.exe) are the region to start from when looking for the injected payload, since that is the process regsvr32.exe wrote into and redirected; the 88KB region in PID 1324 is the unnamed process that drove the rest of the chain.