Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7
submitted: 22-09-2020 12:07

Static task: static1
Behavioral task: behavioral1
  Sample: 4km8TqjC.tmp.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 4km8TqjC.tmp.exe
  Resource: win10v200722
General
Target: 4km8TqjC.tmp.exe
Size: 189KB
MD5: 2888f57e020661ec120a6ad3d7299a48
SHA1: 97e5a7863375fb937603cc4631ffe4c1cb0a49ef
SHA256: a8cbc1707cbf767b2923fd7d77a8ab5b7d7be65af2439afabb41e8715f31c092
SHA512: 7f8ea966a9b29530c5ec997aebc0583d52c9653f775b60c271452ad6890e58e3a51c77c4b866babdb85372b0994bb2e5a68fabd0fcc4a1a4655c2e9522a93703
Malware Config
Extracted from: C:\Users\Admin\AppData\LocalLow\machineinfo.txt
Family: raccoon

Extracted
Family: smokeloader (2020)
C2 URLs: list of 6 URLs not reproduced
Extracted
Family: zloader
Config values: DLLobnova, 02.09.2020dll
C2 URLs: list of 8 gate.php URLs not reproduced
Signatures
-
Raccoon log file 1 IoCs
Detects a log file produced by the Raccoon Stealer.
Processes:
yara_rule: raccoon_log_file
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blacklisted process makes network request 2 IoCs
Processes: msiexec.exe
flow  pid   process
17    1416  msiexec.exe
18    1416  msiexec.exe
-
Executes dropped EXE 1 IoCs
Processes: D4BE.exe
pid   process
1936  D4BE.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
1276  (no process name recorded)
-
Loads dropped DLL 10 IoCs
Processes: 4km8TqjC.tmp.exe, regsvr32.exe, D4BE.exe
pid   process
1124  4km8TqjC.tmp.exe
1908  regsvr32.exe
1936  D4BE.exe  (8 identical entries)
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: msiexec.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roowwo = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Aciszu\\piwoboty.dll"
process: msiexec.exe

description: Key created
ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run
process: msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable 1 IoCs
Processes:
resource: \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
yara_rule: js
-
Suspicious use of SetThreadContext 1 IoCs
Processes: regsvr32.exe
description: PID 1908 set thread context of 1416
pid: 1908
process: regsvr32.exe
target process: msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 4km8TqjC.tmp.exe
description     ioc                                               process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4km8TqjC.tmp.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4km8TqjC.tmp.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4km8TqjC.tmp.exe
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid   process
1980  timeout.exe
-
Modifies system certificate store
Processes: D4BE.exe
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
process: D4BE.exe

description: Set value (data)
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [binary certificate blob not reproduced]
process: D4BE.exe
-
Suspicious behavior: EnumeratesProcesses 773 IoCs
Processes: 4km8TqjC.tmp.exe
pid   process
1124  4km8TqjC.tmp.exe
1124  4km8TqjC.tmp.exe
1276  (no process name recorded; this row is repeated for the rest of the listing)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes: 4km8TqjC.tmp.exe
pid   process
1124  4km8TqjC.tmp.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: msiexec.exe
description                 pid   process
Token: SeSecurityPrivilege  1416  msiexec.exe
Token: SeSecurityPrivilege  1416  msiexec.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid   process
1276  (no process name recorded; 4 identical entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid   process
1276  (no process name recorded; 4 identical entries)
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes: regsvr32.exe, D4BE.exe, cmd.exe, regsvr32.exe
(identical rows collapsed; the entries column gives the repeat count, 33 rows in total)
description                       pid   process       target process  entries
PID 1276 wrote to memory of 1876  1276  (no name)     regsvr32.exe    5
PID 1876 wrote to memory of 1908  1876  regsvr32.exe  regsvr32.exe    7
PID 1276 wrote to memory of 1936  1276  (no name)     D4BE.exe        4
PID 1936 wrote to memory of 1320  1936  D4BE.exe      cmd.exe         4
PID 1320 wrote to memory of 1980  1320  cmd.exe       timeout.exe     4
PID 1908 wrote to memory of 1416  1908  regsvr32.exe  msiexec.exe     9
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\4km8TqjC.tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4km8TqjC.tmp.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

[depth 1] C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D29B.dll
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\D29B.dll
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\msiexec.exe
      Command line: msiexec.exe
      - Blacklisted process makes network request
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Users\Admin\AppData\Local\Temp\D4BE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D4BE.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D4BE.exe"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 10 /NOBREAK
      - Delays execution with timeout.exe
Downloads
- C:\Users\Admin\AppData\Local\Temp\D29B.dll
- C:\Users\Admin\AppData\Local\Temp\D4BE.exe
- C:\Users\Admin\AppData\Local\Temp\D4BE.exe
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\msvcp140.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
- \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\vcruntime140.dll
- \Users\Admin\AppData\LocalLow\sqlite3.dll
- \Users\Admin\AppData\Local\Temp\210A.tmp
- \Users\Admin\AppData\Local\Temp\D29B.dll
- memory/464-12-0x000007FEF6980000-0x000007FEF6BFA000-memory.dmp (filesize 2.5MB)
- memory/1124-0-0x000000000609B000-0x000000000609C000-memory.dmp (filesize 4KB)
- memory/1124-1-0x00000000079E0000-0x00000000079F1000-memory.dmp (filesize 68KB)
- memory/1276-3-0x0000000003D60000-0x0000000003D76000-memory.dmp (filesize 88KB)
- memory/1320-22-0x0000000000000000-mapping.dmp
- memory/1416-26-0x0000000000090000-0x00000000000BB000-memory.dmp (filesize 172KB)
- memory/1416-24-0x0000000000090000-0x00000000000BB000-memory.dmp (filesize 172KB)
- memory/1416-27-0x0000000000000000-mapping.dmp
- memory/1416-25-0x00000000000C0000-0x00000000000C1000-memory.dmp (filesize 4KB)
- memory/1876-4-0x0000000000000000-mapping.dmp
- memory/1908-6-0x0000000000000000-mapping.dmp
- memory/1936-8-0x0000000000000000-mapping.dmp
- memory/1936-11-0x0000000007B00000-0x0000000007B11000-memory.dmp (filesize 68KB)
- memory/1936-10-0x000000000618B000-0x000000000618C000-memory.dmp (filesize 4KB)
- memory/1980-23-0x0000000000000000-mapping.dmp