Overview
overview
10Static
static
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
4ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
9ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
3ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
8ฺฺฺ�...ฺฺ
windows10_x64
10ฺฺฺ�...ฺฺ
windows10_x64
1ฺฺฺ�...ฺฺ
windows10_x64
1Analysis
-
max time kernel
302s -
max time network
312s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 15:58
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.bin.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral5
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral6
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral7
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral8
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral9
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral10
Sample
HYDRA.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral11
Sample
Keygen.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral12
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral13
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral14
Sample
OnlineInstaller.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral15
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral16
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral17
Sample
VyprVPN.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral18
Sample
WSHSetup[1].exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral19
Sample
api.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral20
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral21
Sample
good.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral22
Sample
infected dot net installer.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral23
Sample
update.exe
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral24
Sample
vir1.xls
Resource
win10v20201028
windows10_x64
Behavioral task
behavioral25
Sample
xNet.dll
Resource
win10v20201028
windows10_x64
General
-
Target
HYDRA.exe
Malware Config
Extracted
smokeloader
2017
http://92.53.105.14/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 1392 created 1512 1392 svchost.exe 81 PID 1392 created 1512 1392 svchost.exe 81 -
Executes dropped EXE 7 IoCs
pid Process 3980 yaya.exe 3768 va.exe 1004 ufx.exe 3644 sant.exe 3052 power.exe 1512 starter.exe 2064 usc.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs va.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ODBC = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rrwrffrg\\vbaecijr.exe" explorer.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum sant.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 sant.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3740 SCHTASKS.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe 3644 sant.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 3644 sant.exe 3644 sant.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2064 usc.exe Token: SeTcbPrivilege 1392 svchost.exe Token: SeTcbPrivilege 1392 svchost.exe Token: SeDebugPrivilege 1512 starter.exe Token: SeDebugPrivilege 980 powershell.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 1180 wrote to memory of 3980 1180 HYDRA.exe 74 PID 1180 wrote to memory of 3980 1180 HYDRA.exe 74 PID 1180 wrote to memory of 3980 1180 HYDRA.exe 74 PID 1180 wrote to memory of 3768 1180 HYDRA.exe 76 PID 1180 wrote to memory of 3768 1180 HYDRA.exe 76 PID 1180 wrote to memory of 3768 1180 HYDRA.exe 76 PID 1180 wrote to memory of 1004 1180 HYDRA.exe 77 PID 1180 wrote to memory of 1004 1180 HYDRA.exe 77 PID 1180 wrote to memory of 1004 1180 HYDRA.exe 77 PID 1180 wrote to memory of 3644 1180 HYDRA.exe 78 PID 1180 wrote to memory of 3644 1180 HYDRA.exe 78 PID 1180 wrote to memory of 3644 1180 HYDRA.exe 78 PID 1180 wrote to memory of 3052 1180 HYDRA.exe 79 PID 1180 wrote to memory of 3052 1180 HYDRA.exe 79 PID 1180 wrote to memory of 3052 1180 HYDRA.exe 79 PID 3980 wrote to memory of 1512 3980 yaya.exe 81 PID 3980 wrote to memory of 1512 3980 yaya.exe 81 PID 1004 wrote to memory of 2064 1004 ufx.exe 82 PID 1004 wrote to memory of 2064 1004 ufx.exe 82 PID 1004 wrote to memory of 2064 1004 ufx.exe 82 PID 2064 wrote to memory of 3740 2064 usc.exe 84 PID 2064 wrote to memory of 3740 2064 usc.exe 84 PID 2064 wrote to memory of 3740 2064 usc.exe 84 PID 1512 wrote to memory of 3592 1512 starter.exe 86 PID 1512 wrote to memory of 3592 1512 starter.exe 86 PID 3592 wrote to memory of 904 3592 csc.exe 88 PID 3592 wrote to memory of 904 3592 csc.exe 88 PID 1392 wrote to memory of 1520 1392 svchost.exe 90 PID 1392 wrote to memory of 1520 1392 svchost.exe 90 PID 1392 wrote to memory of 3176 1392 svchost.exe 91 PID 1392 wrote to memory of 3176 1392 svchost.exe 91 PID 3644 wrote to memory of 184 3644 sant.exe 95 PID 3644 wrote to memory of 184 3644 sant.exe 95 PID 3644 wrote to memory of 184 3644 sant.exe 95 PID 3052 wrote to memory of 980 3052 power.exe 96 PID 3052 wrote to memory of 980 3052 power.exe 96 PID 3052 wrote to memory of 980 3052 power.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Users\Admin\AppData\Roaming\yaya.exeC:\Users\Admin\AppData\Roaming\yaya.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3980 -
C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtcbe0-l.cmdline"4⤵
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB56C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB55B.tmp"5⤵PID:904
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:1520
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"4⤵PID:3176
-
-
-
-
C:\Users\Admin\AppData\Roaming\va.exeC:\Users\Admin\AppData\Roaming\va.exe2⤵
- Executes dropped EXE
- Drops startup file
PID:3768
-
-
C:\Users\Admin\AppData\Roaming\ufx.exeC:\Users\Admin\AppData\Roaming\ufx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\ProgramData\ucp\usc.exe"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe4⤵
- Creates scheduled task(s)
PID:3740
-
-
-
-
C:\Users\Admin\AppData\Roaming\sant.exeC:\Users\Admin\AppData\Roaming\sant.exe2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe3⤵
- Adds Run key to start application
PID:184
-
-
-
C:\Users\Admin\AppData\Roaming\power.exeC:\Users\Admin\AppData\Roaming\power.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:980
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1392