Analysis
-
max time kernel
150s -
max time network
112s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
19-09-2020 00:19
Static task
static1
Behavioral task
behavioral1
Sample
3Z8QHEBk.tmp.exe
Resource
win7
Behavioral task
behavioral2
Sample
3Z8QHEBk.tmp.exe
Resource
win10v200722
General
-
Target
3Z8QHEBk.tmp.exe
-
Size
137KB
-
MD5
0d969fd596743d82839ac89189f47a2b
-
SHA1
2adb5aba20d3af1b9c78856555a08015b0f7df25
-
SHA256
a3c625b0c6de6b9885470ce4e5f55e08e64c82c668cdc1df8d1a81d751f401be
-
SHA512
ac2f7d71e8c547b6c8c12fc00ea9ef27a76daf59fdfe5b42cc32f42cebc85a689e04da239489a59c746300f89e1977f935ae94bd2a0047c27f428832a070068c
Malware Config
Extracted
C:\Users\Admin\AppData\LocalLow\machineinfo.txt
raccoon
Extracted
smokeloader
2020
http://dkajsdjiqwdwnfj.info/
http://2831ujedkdajsdj.info/
http://928eijdksasnfss.info/
https://dkajsdjiqwdwnfj.info/
https://2831ujedkdajsdj.info/
https://928eijdksasnfss.info/
Extracted
zloader
DLLobnova
02.09.2020dll
https://fqnvtmqsywublocpheas.ru/gate.php
https://fqnvtmqsywublocpheas.su/gate.php
https://fqnvtmqsywublocpheas.eu/gate.php
https://fqnvtmqsywuikdjsmasablocpheas.eu/gate.php
https://fqnssvtmqsywufblocpheas.eu/gate.php
https://fqnvtmqsywublfocpheas.eu/gate.php
https://fqnvtmqsyfwublocpheas.eu/gate.php
https://fqnvtmqsywubflocpheas.eu/gate.php
Signatures
-
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule raccoon_log_file -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blacklisted process makes network request 2 IoCs
Processes:
msiexec.exeflow pid process 28 2612 msiexec.exe 29 2612 msiexec.exe -
Executes dropped EXE 1 IoCs
Processes:
B3D5.exepid process 2228 B3D5.exe -
Deletes itself 1 IoCs
Processes:
pid process 2996 -
Loads dropped DLL 8 IoCs
Processes:
3Z8QHEBk.tmp.exeregsvr32.exeB3D5.exepid process 3888 3Z8QHEBk.tmp.exe 2448 regsvr32.exe 2228 B3D5.exe 2228 B3D5.exe 2228 B3D5.exe 2228 B3D5.exe 2228 B3D5.exe 2228 B3D5.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
msiexec.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Meaw = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Ases\\uqod.dll" msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll js -
Suspicious use of SetThreadContext 1 IoCs
Processes:
regsvr32.exedescription pid process target process PID 2448 set thread context of 2612 2448 regsvr32.exe msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
3Z8QHEBk.tmp.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3Z8QHEBk.tmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3Z8QHEBk.tmp.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3Z8QHEBk.tmp.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 204 timeout.exe -
Suspicious behavior: EnumeratesProcesses 2608 IoCs
Processes:
3Z8QHEBk.tmp.exepid process 3888 3Z8QHEBk.tmp.exe 3888 3Z8QHEBk.tmp.exe 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 2996 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
3Z8QHEBk.tmp.exepid process 3888 3Z8QHEBk.tmp.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
msiexec.exedescription pid process Token: SeSecurityPrivilege 2612 msiexec.exe Token: SeSecurityPrivilege 2612 msiexec.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
regsvr32.exeB3D5.execmd.exeregsvr32.exedescription pid process target process PID 2996 wrote to memory of 2228 2996 B3D5.exe PID 2996 wrote to memory of 2228 2996 B3D5.exe PID 2996 wrote to memory of 2228 2996 B3D5.exe PID 2996 wrote to memory of 2408 2996 regsvr32.exe PID 2996 wrote to memory of 2408 2996 regsvr32.exe PID 2408 wrote to memory of 2448 2408 regsvr32.exe regsvr32.exe PID 2408 wrote to memory of 2448 2408 regsvr32.exe regsvr32.exe PID 2408 wrote to memory of 2448 2408 regsvr32.exe regsvr32.exe PID 2228 wrote to memory of 972 2228 B3D5.exe cmd.exe PID 2228 wrote to memory of 972 2228 B3D5.exe cmd.exe PID 2228 wrote to memory of 972 2228 B3D5.exe cmd.exe PID 972 wrote to memory of 204 972 cmd.exe timeout.exe PID 972 wrote to memory of 204 972 cmd.exe timeout.exe PID 972 wrote to memory of 204 972 cmd.exe timeout.exe PID 2448 wrote to memory of 2612 2448 regsvr32.exe msiexec.exe PID 2448 wrote to memory of 2612 2448 regsvr32.exe msiexec.exe PID 2448 wrote to memory of 2612 2448 regsvr32.exe msiexec.exe PID 2448 wrote to memory of 2612 2448 regsvr32.exe msiexec.exe PID 2448 wrote to memory of 2612 2448 regsvr32.exe msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe"C:\Users\Admin\AppData\Local\Temp\3Z8QHEBk.tmp.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3888
-
C:\Users\Admin\AppData\Local\Temp\B3D5.exeC:\Users\Admin\AppData\Local\Temp\B3D5.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B3D5.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:204
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5D9.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\B5D9.dll2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe3⤵
- Blacklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:2612