Overview
Static: 10
Analysis
- max time kernel: 302s
- max time network: 312s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-11-2020 15:58
Static task: static1

Behavioral tasks (all run on resource win10v20201028):
- behavioral1: 1.bin/1.bin.exe
- behavioral2: 2019-09-02_22-41-10.exe
- behavioral3: 31.exe
- behavioral4: 3DMark 11 Advanced Edition.exe
- behavioral5: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral6: CVE-2018-15982_PoC.swf
- behavioral7: CVWSHSetup[1].bin/WSHSetup[1].exe
- behavioral8: DiskInternals_Uneraser_v5_keygen.exe
- behavioral9: ForceOp 2.8.7 - By RaiSence.exe
- behavioral10: HYDRA.exe
- behavioral11: Keygen.exe
- behavioral12: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral13: LtHv0O2KZDK4M637.exe
- behavioral14: OnlineInstaller.exe
- behavioral15: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- behavioral16: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
- behavioral17: VyprVPN.exe
- behavioral18: WSHSetup[1].exe
- behavioral19: api.exe
- behavioral20: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- behavioral21: good.exe
- behavioral22: infected dot net installer.exe
- behavioral23: update.exe
- behavioral24: vir1.xls
- behavioral25: xNet.dll
General
- Target: HYDRA.exe

Malware Config (extracted)
- Family: smokeloader
- Version: 2017
- C2: http://92.53.105.14/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  Processes: svchost.exe
    PID 1392 (svchost.exe) created PID 1512 (starter.exe), 2 occurrences

- Executes dropped EXE (7 IoCs)
  Processes: yaya.exe (PID 3980), va.exe (PID 3768), ufx.exe (PID 1004), sant.exe (PID 3644), power.exe (PID 3052), starter.exe (PID 1512), usc.exe (PID 2064)

- Drops startup file (1 IoC)
  Processes: va.exe
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs (va.exe)

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
    Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run (explorer.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ODBC = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\rrwrffrg\\vbaecijr.exe" (explorer.exe)

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: sant.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (sant.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 (sant.exe)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: sant.exe (PID 3644), 64 occurrences

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: sant.exe (PID 3644), 2 occurrences

- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes: usc.exe, svchost.exe, starter.exe, powershell.exe
    Token: SeDebugPrivilege, PID 2064 usc.exe
    Token: SeTcbPrivilege, PID 1392 svchost.exe (2 occurrences)
    Token: SeDebugPrivilege, PID 1512 starter.exe
    Token: SeDebugPrivilege, PID 980 powershell.exe

- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: HYDRA.exe, yaya.exe, ufx.exe, usc.exe, starter.exe, csc.exe, svchost.exe, sant.exe, power.exe
    PID 1180 HYDRA.exe wrote to memory of PID 3980 yaya.exe (3 occurrences)
    PID 1180 HYDRA.exe wrote to memory of PID 3768 va.exe (3 occurrences)
    PID 1180 HYDRA.exe wrote to memory of PID 1004 ufx.exe (3 occurrences)
    PID 1180 HYDRA.exe wrote to memory of PID 3644 sant.exe (3 occurrences)
    PID 1180 HYDRA.exe wrote to memory of PID 3052 power.exe (3 occurrences)
    PID 3980 yaya.exe wrote to memory of PID 1512 starter.exe (2 occurrences)
    PID 1004 ufx.exe wrote to memory of PID 2064 usc.exe (3 occurrences)
    PID 2064 usc.exe wrote to memory of PID 3740 SCHTASKS.exe (3 occurrences)
    PID 1512 starter.exe wrote to memory of PID 3592 csc.exe (2 occurrences)
    PID 3592 csc.exe wrote to memory of PID 904 cvtres.exe (2 occurrences)
    PID 1392 svchost.exe wrote to memory of PID 1520 cmd.exe (2 occurrences)
    PID 1392 svchost.exe wrote to memory of PID 3176 cmd.exe (2 occurrences)
    PID 3644 sant.exe wrote to memory of PID 184 explorer.exe (3 occurrences)
    PID 3052 power.exe wrote to memory of PID 980 powershell.exe (3 occurrences)
Processes (tree; depth in brackets, command line after the image path)
- [1] C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\yaya.exe
    Command line: C:\Users\Admin\AppData\Roaming\yaya.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
      Command line: "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vtcbe0-l.cmdline"
        Signatures: Suspicious use of WriteProcessMemory
        - [5] C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB56C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB55B.tmp"
      - [4] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
      - [4] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe"
  - [2] C:\Users\Admin\AppData\Roaming\va.exe
    Command line: C:\Users\Admin\AppData\Roaming\va.exe
    Signatures: Executes dropped EXE; Drops startup file
  - [2] C:\Users\Admin\AppData\Roaming\ufx.exe
    Command line: C:\Users\Admin\AppData\Roaming\ufx.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\ProgramData\ucp\usc.exe
      Command line: "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
      Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\SCHTASKS.exe
        Command line: SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
        Signatures: Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Roaming\sant.exe
    Command line: C:\Users\Admin\AppData\Roaming\sant.exe
    Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\explorer.exe
      Command line: explorer.exe
      Signatures: Adds Run key to start application
  - [2] C:\Users\Admin\AppData\Roaming\power.exe
    Command line: C:\Users\Admin\AppData\Roaming\power.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
- [1] \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Downloads
- C:\ProgramData\ucp\usc.exe
- C:\Users\Admin\AppData\Local\Temp\RESB56C.tmp
- C:\Users\Admin\AppData\Local\Temp\vtcbe0-l.dll
- C:\Users\Admin\AppData\Local\Temp\vtcbe0-l.pdb
- C:\Users\Admin\AppData\Roaming\power.exe
- C:\Users\Admin\AppData\Roaming\sant.exe
- C:\Users\Admin\AppData\Roaming\ufx.exe
- C:\Users\Admin\AppData\Roaming\va.exe
- C:\Users\Admin\AppData\Roaming\yaya.exe
- C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
- \??\c:\Users\Admin\AppData\Local\Temp\CSCB55B.tmp
- \??\c:\Users\Admin\AppData\Local\Temp\vtcbe0-l.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\vtcbe0-l.cmdline
Memory dumps (filesize in parentheses where reported)
- memory/184-33-0x00000000011F0000-0x000000000162F000-memory.dmp (4.2MB)
- memory/184-32-0x00000000011F0000-0x000000000162F000-memory.dmp (4.2MB)
- memory/184-31-0x0000000000000000-mapping.dmp
- memory/904-26-0x0000000000000000-mapping.dmp
- memory/980-35-0x0000000071E90000-0x000000007257E000-memory.dmp (6.9MB)
- memory/980-41-0x0000000008460000-0x0000000008461000-memory.dmp (4KB)
- memory/980-44-0x0000000008C40000-0x0000000008C41000-memory.dmp (4KB)
- memory/980-39-0x0000000007B90000-0x0000000007B91000-memory.dmp (4KB)
- memory/980-43-0x0000000008800000-0x0000000008801000-memory.dmp (4KB)
- memory/980-45-0x0000000009960000-0x0000000009961000-memory.dmp (4KB)
- memory/980-40-0x00000000083F0000-0x00000000083F1000-memory.dmp (4KB)
- memory/980-38-0x0000000007940000-0x0000000007941000-memory.dmp (4KB)
- memory/980-37-0x0000000007C50000-0x0000000007C51000-memory.dmp (4KB)
- memory/980-42-0x00000000087B0000-0x00000000087B1000-memory.dmp (4KB)
- memory/980-34-0x0000000000000000-mapping.dmp
- memory/980-36-0x0000000004FC0000-0x0000000004FC1000-memory.dmp (4KB)
- memory/1004-6-0x0000000000000000-mapping.dmp
- memory/1512-15-0x0000000000000000-mapping.dmp
- memory/1512-19-0x00007FFC68EA0000-0x00007FFC69840000-memory.dmp (9.6MB)
- memory/2064-18-0x0000000000000000-mapping.dmp
- memory/3052-12-0x0000000000000000-mapping.dmp
- memory/3592-23-0x0000000000000000-mapping.dmp
- memory/3644-7-0x0000000000000000-mapping.dmp
- memory/3740-22-0x0000000000000000-mapping.dmp
- memory/3768-1-0x0000000000000000-mapping.dmp
- memory/3980-0-0x0000000000000000-mapping.dmp