Analysis

max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10v200722
submitted: 22-09-2020 12:07

Static task: static1
Behavioral task: behavioral1
  Sample: 4km8TqjC.tmp.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: 4km8TqjC.tmp.exe
  Resource: win10v200722

General

Target: 4km8TqjC.tmp.exe
Size: 189KB
MD5: 2888f57e020661ec120a6ad3d7299a48
SHA1: 97e5a7863375fb937603cc4631ffe4c1cb0a49ef
SHA256: a8cbc1707cbf767b2923fd7d77a8ab5b7d7be65af2439afabb41e8715f31c092
SHA512: 7f8ea966a9b29530c5ec997aebc0583d52c9653f775b60c271452ad6890e58e3a51c77c4b866babdb85372b0994bb2e5a68fabd0fcc4a1a4655c2e9522a93703
Malware Config

Extracted
  Family: raccoon
  Path: C:\Users\Admin\AppData\LocalLow\machineinfo.txt

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://dkajsdjiqwdwnfj.info/
    http://2831ujedkdajsdj.info/
    http://928eijdksasnfss.info/
    https://dkajsdjiqwdwnfj.info/
    https://2831ujedkdajsdj.info/
    https://928eijdksasnfss.info/

Extracted
  Family: zloader
  Botnet: DLLobnova
  Campaign: 02.09.2020dll
  C2:
    https://fqnvtmqsywublocpheas.ru/gate.php
    https://fqnvtmqsywublocpheas.su/gate.php
    https://fqnvtmqsywublocpheas.eu/gate.php
    https://fqnvtmqsywuikdjsmasablocpheas.eu/gate.php
    https://fqnssvtmqsywufblocpheas.eu/gate.php
    https://fqnvtmqsywublfocpheas.eu/gate.php
    https://fqnvtmqsyfwublocpheas.eu/gate.php
    https://fqnvtmqsywubflocpheas.eu/gate.php
Signatures

Raccoon log file (1 IoC)
  Detects a log file produced by the Raccoon Stealer.
  yara_rule: raccoon_log_file

SmokeLoader
  Modular backdoor trojan in use since 2014.

Blacklisted process makes network request (2 IoCs)
  flow 29  pid 3424  msiexec.exe
  flow 30  pid 3424  msiexec.exe

Executes dropped EXE (1 IoC)
  pid 1872  DB34.exe

Deletes itself (1 IoC)
  pid 2984  (process name not recorded in the report)

Loads dropped DLL (8 IoCs)
  pid 3908  4km8TqjC.tmp.exe
  pid 1612  regsvr32.exe
  pid 1872  DB34.exe  (6 entries)

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (msiexec.exe):
    \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (msiexec.exe):
    \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kory = "regsvr32.exe /s C:\\Users\\Admin\\AppData\\Roaming\\Goleor\\xeozpe.dll"

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

JavaScript code in executable (1 IoC)
  resource: \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
  yara_rule: js

Suspicious use of SetThreadContext (1 IoC)
  PID 1612 (regsvr32.exe) set thread context of 3424 (msiexec.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key queried    (4km8TqjC.tmp.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated (4km8TqjC.tmp.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key opened     (4km8TqjC.tmp.exe): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Delays execution with timeout.exe (1 IoC)
  pid 2384  timeout.exe

Suspicious behavior: EnumeratesProcesses (2600 IoCs)
  pid 3908  4km8TqjC.tmp.exe  (2 entries)
  pid 2984  (process name not recorded in the report; many repeated entries)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 3908  4km8TqjC.tmp.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeSecurityPrivilege  pid 3424  msiexec.exe  (2 entries)

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 2984 wrote to memory of 3948 (regsvr32.exe)                  (2 entries)
  PID 3948 (regsvr32.exe) wrote to memory of 1612 (regsvr32.exe)   (3 entries)
  PID 2984 wrote to memory of 1872 (DB34.exe)                      (3 entries)
  PID 1612 (regsvr32.exe) wrote to memory of 3424 (msiexec.exe)    (5 entries)
  PID 1872 (DB34.exe) wrote to memory of 2992 (cmd.exe)            (3 entries)
  PID 2992 (cmd.exe) wrote to memory of 2384 (timeout.exe)         (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\4km8TqjC.tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4km8TqjC.tmp.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DA1A.dll
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\DA1A.dll
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\msiexec.exe
          command line: msiexec.exe
          - Blacklisted process makes network request
          - Adds Run key to start application
          - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\DB34.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DB34.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\DB34.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          command line: timeout /T 10 /NOBREAK
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Files
  C:\Users\Admin\AppData\Local\Temp\DA1A.dll
  C:\Users\Admin\AppData\Local\Temp\DB34.exe  (listed twice)
  \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\freebl3.dll  (listed twice)
  \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\mozglue.dll
  \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\nss3.dll
  \Users\Admin\AppData\LocalLow\3098htrhpen8ifg0\softokn3.dll
  \Users\Admin\AppData\LocalLow\sqlite3.dll
  \Users\Admin\AppData\Local\Temp\210A.tmp
  \Users\Admin\AppData\Local\Temp\DA1A.dll

Memory dumps
  memory/1612-6-0x0000000000000000-mapping.dmp
  memory/1872-11-0x0000000006236000-0x0000000006237000-memory.dmp  (4KB)
  memory/1872-12-0x0000000007DA0000-0x0000000007DA1000-memory.dmp  (4KB)
  memory/1872-7-0x0000000000000000-mapping.dmp
  memory/2384-22-0x0000000000000000-mapping.dmp
  memory/2984-3-0x0000000001190000-0x00000000011A6000-memory.dmp  (88KB)
  memory/2992-21-0x0000000000000000-mapping.dmp
  memory/3424-19-0x0000000002DD0000-0x0000000002DFB000-memory.dmp  (172KB)
  memory/3424-20-0x0000000000000000-mapping.dmp
  memory/3908-0-0x0000000006237000-0x0000000006238000-memory.dmp  (4KB)
  memory/3908-1-0x0000000007C20000-0x0000000007C21000-memory.dmp  (4KB)
  memory/3948-4-0x0000000000000000-mapping.dmp