Analysis

  • max time kernel
    995s
  • max time network
    1029s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-11-2020 14:34

Errors

  • Reason
    Machine shutdown

General

  • Target

    Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

  • Size

    10MB

  • MD5

    8103aad9a6f5ee1fb4f764fc5782822a

  • SHA1

    4fb4f963243d7cb65394e59de787aebe020b654c

  • SHA256

    4a5da8ebf650091c99c7a9d329ecb87533c337ab9e5642ff0355485ed419ec40

  • SHA512

    e65b7d2bdfda07a2ca22d109d39d98395915ee9ec486c44f358885e03bc3e9f9be0ce81706accbe412243ef8d62b9e364f6b1961cfe4469f3c3892821fccfae8

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/

rc4.i32
rc4.i32

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

rc4.i32
rc4.i32

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

  • Pony, Fareit

    Pony is a Remote Access Trojan application that steals information.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass ⋅ 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • AgentTesla Payload ⋅ 2 IoCs
  • XMRig Miner Payload ⋅ 2 IoCs
  • Creates new service(s) ⋅ 1 TTPs
  • Executes dropped EXE ⋅ 49 IoCs
  • Modifies Windows Firewall ⋅ 1 TTPs
  • Sets service image path in registry ⋅ 2 TTPs
  • Suspicious Office macro ⋅ 1 IoCs

    Office document equipped with 4.0 macros.

  • UPX packed file ⋅ 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • VMProtect packed file ⋅ 2 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings ⋅ 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file ⋅ 1 IoCs
  • Loads dropped DLL ⋅ 21 IoCs
  • Modifies file permissions ⋅ 1 TTPs 1 IoCs
  • Reads data files stored by FTP clients ⋅ 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients ⋅ 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers ⋅ 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting ⋅ 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting ⋅ 2 TTPs
  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
  • Checks installed software on the system ⋅ 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled ⋅ 1 TTPs 5 IoCs
  • Enumerates connected drives ⋅ 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable ⋅ 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 ⋅ 1 TTPs
  • Looks up external IP address via web service ⋅ 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) ⋅ 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory ⋅ 2 IoCs
  • Modifies service ⋅ 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger ⋅ 1 IoCs
  • Suspicious use of SetThreadContext ⋅ 8 IoCs
  • Drops file in Program Files directory ⋅ 38 IoCs
  • Drops file in Windows directory ⋅ 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Checks SCSI registry key(s) ⋅ 3 TTPs 21 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry ⋅ 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe ⋅ 1 IoCs
  • Kills process with taskkill ⋅ 5 IoCs
  • Modifies Control Panel ⋅ 1 IoCs
  • Modifies Internet Explorer settings ⋅ 1 TTPs 3 IoCs
  • Modifies data under HKEY_USERS ⋅ 5 IoCs