Overview

overview

10

Static

static

450de76cc8...in.exe

windows7_x64

10

450de76cc8...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    07/04/2021, 11:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    450de76cc856f5cafae331a4f665cbab1edec731c6c3512e796cd82d4683c8f0.bin.exe

  • Size

    388KB

  • MD5

    857ccd0b42e24d10df82a3594bf0b514

  • SHA1

    8cce4d26a66b47029ead46e5730227c193ca8e1b

  • SHA256

    450de76cc856f5cafae331a4f665cbab1edec731c6c3512e796cd82d4683c8f0

  • SHA512

    9c20a3fa74138634bea975b070058f538ee8f1b05e6aaad92982c87c10f9d597e232ed142bd7d56a774e99dc465a4233afa070480d4609c851a646169c4b4ba2

Score
10/10
diamondfoxsmokeloaderbackdoorbotnetdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://petrandu.xyz/

rc4.i32
rc4.i32

Signatures

  • DiamondFox

    DiamondFox is a multipurpose botnet with many capabilities.

    botnetstealerdiamondfox
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • DiamondFox payload 2 IoCs

    Detects DiamondFox payload in file/memory.

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\450de76cc856f5cafae331a4f665cbab1edec731c6c3512e796cd82d4683c8f0.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\450de76cc856f5cafae331a4f665cbab1edec731c6c3512e796cd82d4683c8f0.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
      "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:188
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3644
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" os get caption /FORMAT:List
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        "wmic" path win32_VideoController get caption /FORMAT:List
        3⤵
          PID:3944
        • C:\Windows\SysWOW64\Wbem\wmic.exe
          "wmic" path win32_NetworkAdapterConfiguration where IPEnabled=1 get IPAddress /FORMAT:List
          3⤵
            PID:2052
          • C:\Windows\SysWOW64\Wbem\wmic.exe
            "wmic" LogicalDisk Where DriveType=4 get VolumeName /FORMAT:List
            3⤵
              PID:1900
            • C:\Windows\SysWOW64\Wbem\wmic.exe
              "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
              3⤵
                PID:3652
              • C:\Windows\SysWOW64\Wbem\wmic.exe
                "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                3⤵
                  PID:420
                • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                  "C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"
                  3⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2812
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe
                    4⤵
                      PID:3892
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\1.log"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1376
                  • C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe
                    /scomma "C:\Users\Admin\AppData\Roaming\EdgeCP\4.log"
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:504
                  • C:\Windows\SysWOW64\Wbem\wmic.exe
                    "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
                    3⤵
                      PID:200
                    • C:\Windows\SysWOW64\Wbem\wmic.exe
                      "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                      3⤵
                        PID:2428
                      • C:\Windows\SysWOW64\Wbem\wmic.exe
                        "wmic" path win32_PingStatus where address='185.193.88.150' get StatusCode /FORMAT:List
                        3⤵
                          PID:2432
                        • C:\Windows\SysWOW64\Wbem\wmic.exe
                          "wmic" path win32_PingStatus where address='185.193.88.150' get ResponseTime /FORMAT:List
                          3⤵
                            PID:2140
                          • C:\Users\Admin\AppData\Local\Temp\2788DA470974_Update.exe
                            "C:\Users\Admin\AppData\Local\Temp\2788DA470974_Update.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: MapViewOfSection
                            PID:528

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/0-57-0x0000000000400000-0x0000000000455000-memory.dmp

                              Filesize

                              340KB

                              Download

                            • memory/0-70-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/0-61-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/0-60-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/0-55-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/0-80-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/0-81-0x0000000000400000-0x0000000000422000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/188-14-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/188-13-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/504-38-0x0000000000400000-0x0000000000405000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/504-43-0x0000000000400000-0x0000000000405000-memory.dmp

                              Filesize

                              20KB

                              Download

                            • memory/528-87-0x0000000003380000-0x0000000003381000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/528-89-0x0000000000030000-0x0000000000039000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/528-90-0x0000000000400000-0x0000000000409000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/1376-33-0x0000000000400000-0x000000000047C000-memory.dmp

                              Filesize

                              496KB

                              Download

                            • memory/1376-30-0x0000000000400000-0x000000000047C000-memory.dmp

                              Filesize

                              496KB

                              Download

                            • memory/2092-91-0x0000000000F20000-0x0000000000F35000-memory.dmp

                              Filesize

                              84KB

                              Download

                            • memory/2612-8-0x00000000001C0000-0x00000000001F3000-memory.dmp

                              Filesize

                              204KB

                              Download

                            • memory/2612-9-0x0000000000400000-0x0000000000435000-memory.dmp

                              Filesize

                              212KB

                              Download

                            • memory/2612-3-0x00000000030C0000-0x00000000030C1000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2612-6-0x0000000002BE0000-0x0000000002C40000-memory.dmp

                              Filesize

                              384KB

                              Download

                            • memory/2612-7-0x0000000000400000-0x0000000000857000-memory.dmp

                              Filesize

                              4.3MB

                              Download

                            • memory/2612-2-0x0000000002F70000-0x0000000002F71000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2812-48-0x00000000004D0000-0x0000000000559000-memory.dmp

                              Filesize

                              548KB

                              Download

                            • memory/2812-36-0x0000000000400000-0x000000000047B000-memory.dmp

                              Filesize

                              492KB

                              Download

                            • memory/2812-29-0x0000000000400000-0x0000000002BE9000-memory.dmp

                              Filesize

                              39.9MB

                              Download

                            • memory/2812-34-0x0000000003100000-0x0000000003101000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2812-35-0x0000000003070000-0x00000000030E8000-memory.dmp

                              Filesize

                              480KB

                              Download

                            • memory/2812-26-0x0000000000400000-0x0000000002BE9000-memory.dmp

                              Filesize

                              39.9MB

                              Download

                            • memory/2812-50-0x0000000004980000-0x0000000004981000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2812-52-0x00000000005A0000-0x00000000006E0000-memory.dmp

                              Filesize

                              1.2MB

                              Download

                            • memory/2812-51-0x0000000000400000-0x000000000044D000-memory.dmp

                              Filesize

                              308KB

                              Download

                            • memory/3892-54-0x0000017D3ED60000-0x0000017D3EE29000-memory.dmp

                              Filesize

                              804KB

                              Download

                            • memory/3892-53-0x0000017D3EB20000-0x0000017D3EB21000-memory.dmp

                              Filesize

                              4KB

                              Download