Resubmissions
- 12-11-2021 18:04  211112-wnzb8aahhm  (score 10)
- 19-11-2020 10:08  201119-rhwlt38jrx  (score 10)
- 18-11-2020 17:26  201118-htd4fq29va  (score 10)

Analysis
- max time kernel: 1801s
- max time network: 1811s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-11-2020 10:08
Tasks
- static1 (Static task)

Behavioral tasks (all run with resource win10v20201028):
- behavioral1: 1.bin/1.exe
- behavioral2: 2019-09-02_22-41-10.exe
- behavioral3: 31.exe
- behavioral4: 3DMark 11 Advanced Edition.exe
- behavioral5: 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
- behavioral6: Archive.zip__ccacaxs2tbz2t6ob3e.exe
- behavioral7: CVE-2018-15982_PoC.swf
- behavioral8: CVWSHSetup[1].bin/WSHSetup[1].exe
- behavioral9: DiskInternals_Uneraser_v5_keygen.exe
- behavioral10: ForceOp 2.8.7 - By RaiSence.exe
- behavioral11: HYDRA.exe
- behavioral12: Keygen.exe
- behavioral13: Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
- behavioral14: LtHv0O2KZDK4M637.exe
- behavioral15: Magic_File_v3_keygen_by_KeygenNinja.exe
- behavioral16: OnlineInstaller.exe
- behavioral17: Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
- behavioral18: SecurityTaskManager_Setup.exe
- behavioral19: Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
- behavioral20: VyprVPN.exe
- behavioral21: WSHSetup[1].exe
- behavioral22: ___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
- behavioral23: ___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
- behavioral24: amtemu.v0.9.2.win-painter_edited.exe
- behavioral25: api.exe
- behavioral26: default.exe
- behavioral27: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
- behavioral28: good.exe
- behavioral29: infected dot net installer.exe
- behavioral30: oof.exe
- behavioral31: ou55sg33s_1.exe
General
- Target: HYDRA.exe

Malware Config
- Extracted: smokeloader (2017)
- http://92.53.105.14/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  PID 628 svchost.exe created 3076 starter.exe (2 identical entries)

- Executes dropped EXE (10 IoCs)
  3524 yaya.exe, 3212 va.exe, 3608 ufx.exe, 3468 sant.exe, 2896 power.exe, 3076 starter.exe, 3540 usc.exe, 3988 usc.exe, 2076 usc.exe, 3812 usc.exe

- Drops startup file (1 IoC)
  va.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs

- Adds Run key to start application (2 TTPs, 2 IoCs)
  explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Classes = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ahecdbir\\bwwttfrb.exe"
  explorer.exe: Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  sant.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  sant.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Creates scheduled task(s) (1 TTP, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  3152 SCHTASKS.exe, 768 SCHTASKS.exe, 4012 SCHTASKS.exe, 3576 SCHTASKS.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3468 sant.exe (64 identical entries)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  3468 sant.exe (2 identical entries)

- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege  3540 usc.exe
  Token: SeTcbPrivilege    628 svchost.exe (2 entries)
  Token: SeDebugPrivilege  3076 starter.exe
  Token: SeDebugPrivilege  2800 powershell.exe
  Token: SeDebugPrivilege  3988 usc.exe
  Token: SeDebugPrivilege  2076 usc.exe
  Token: SeDebugPrivilege  3812 usc.exe

- Suspicious use of WriteProcessMemory (46 IoCs)
  PID   process      wrote to memory of   target process    entries
  576   HYDRA.exe    3524                 yaya.exe          3
  576   HYDRA.exe    3212                 va.exe            3
  576   HYDRA.exe    3608                 ufx.exe           3
  576   HYDRA.exe    3468                 sant.exe          3
  576   HYDRA.exe    2896                 power.exe         3
  3524  yaya.exe     3076                 starter.exe       2
  3608  ufx.exe      3540                 usc.exe           3
  3540  usc.exe      3152                 SCHTASKS.exe      3
  3468  sant.exe     416                  explorer.exe      3
  3076  starter.exe  492                  csc.exe           2
  492   csc.exe      3276                 cvtres.exe        2
  628   svchost.exe  3512                 cmd.exe           2
  628   svchost.exe  3952                 cmd.exe           2
  2896  power.exe    2800                 powershell.exe    3
  3988  usc.exe      768                  SCHTASKS.exe      3
  2076  usc.exe      4012                 SCHTASKS.exe      3
  3812  usc.exe      3576                 SCHTASKS.exe      3
Processes
- C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
  Signatures: Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Roaming\yaya.exe
  Command line: C:\Users\Admin\AppData\Roaming\yaya.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
  Command line: "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  Command line: "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.cmdline"
  Signatures: Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
  Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA04.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9F4.tmp"
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe"
- C:\Users\Admin\AppData\Roaming\va.exe
  Command line: C:\Users\Admin\AppData\Roaming\va.exe
  Signatures: Executes dropped EXE; Drops startup file
- C:\Users\Admin\AppData\Roaming\ufx.exe
  Command line: C:\Users\Admin\AppData\Roaming\ufx.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\ProgramData\ucp\usc.exe
  Command line: "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\SCHTASKS.exe
  Command line: SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
  Signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\sant.exe
  Command line: C:\Users\Admin\AppData\Roaming\sant.exe
  Signatures: Executes dropped EXE; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\explorer.exe
  Command line: explorer.exe
  Signatures: Adds Run key to start application
- C:\Users\Admin\AppData\Roaming\power.exe
  Command line: C:\Users\Admin\AppData\Roaming\power.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\ProgramData\ucp\usc.exe
  Command line: C:\ProgramData\ucp\usc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\SCHTASKS.exe
  Command line: SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
  Signatures: Creates scheduled task(s)
- C:\ProgramData\ucp\usc.exe
  Command line: C:\ProgramData\ucp\usc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\SCHTASKS.exe
  Command line: SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
  Signatures: Creates scheduled task(s)
- C:\ProgramData\ucp\usc.exe
  Command line: C:\ProgramData\ucp\usc.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\SCHTASKS.exe
  Command line: SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
  Signatures: Creates scheduled task(s)
Downloads
- C:\ProgramData\ucp\usc.exe
- C:\Users\Admin\AppData\Local\Temp\RESA04.tmp
- C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.dll
- C:\Users\Admin\AppData\Local\Temp\fuyr5mj-.pdb
- C:\Users\Admin\AppData\Roaming\power.exe
- C:\Users\Admin\AppData\Roaming\sant.exe
- C:\Users\Admin\AppData\Roaming\ufx.exe
- C:\Users\Admin\AppData\Roaming\va.exe
- C:\Users\Admin\AppData\Roaming\yaya.exe
- C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
- \??\c:\Users\Admin\AppData\Local\Temp\CSC9F4.tmp
- \??\c:\Users\Admin\AppData\Local\Temp\fuyr5mj-.0.cs
- \??\c:\Users\Admin\AppData\Local\Temp\fuyr5mj-.cmdline