Analysis
-
max time kernel
56s -
max time network
54s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
16-04-2021 15:12
Behavioral task
behavioral1
Sample
Sirus.exe
Resource
win10v20210408
Behavioral task
behavioral2
Sample
Sirus.exe
Resource
win10v20210408
General
-
Target
Sirus.exe
-
Size
1.7MB
-
MD5
d3752c9e4466ffa7dcf4b5a065e9c274
-
SHA1
997d4d61d1691862f8aab10b94c9d654f2a65e3e
-
SHA256
f6598f853f981a4bcb58922d3584833086de09b9a7a6f368ca56cda7677f8126
-
SHA512
de0a9708836266b2ac06077ace01bc0d8cac53d94efcdf14e337f0bd29b7f985cf03465a5c6d7df1a8e2065a69bcb33f7f3aa0845a26be67e6a66852ef1a9f23
Malware Config
Extracted
raccoon
1a329a10c40d1d7de968ac01620072546be15062
-
url4cnc
https://tttttt.me/jrrand0mer
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
AcuOiVHVN7.exepid process 2128 AcuOiVHVN7.exe -
Loads dropped DLL 1 IoCs
Processes:
Sirus.exepid process 1984 Sirus.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Sirus.exedescription pid process target process PID 856 set thread context of 1984 856 Sirus.exe Sirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Sirus.exepid process 856 Sirus.exe 856 Sirus.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Sirus.exedescription pid process Token: SeDebugPrivilege 856 Sirus.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
Sirus.exeSirus.exedescription pid process target process PID 856 wrote to memory of 2172 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 2172 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 2172 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 856 wrote to memory of 1984 856 Sirus.exe Sirus.exe PID 1984 wrote to memory of 2128 1984 Sirus.exe AcuOiVHVN7.exe PID 1984 wrote to memory of 2128 1984 Sirus.exe AcuOiVHVN7.exe PID 1984 wrote to memory of 2128 1984 Sirus.exe AcuOiVHVN7.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sirus.exe"C:\Users\Admin\AppData\Local\Temp\Sirus.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Sirus.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Sirus.exe"{path}"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe"C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exe"3⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exeMD5
6ae21549fb8869f8da1acec258c48e0b
SHA1aed533b121fbbb481e598bc3e73cb90556db55f3
SHA25680fff049a91ba68ca61e228c88dd80d16e416ab54fd66c87c5c5ea2e85d44b58
SHA512abd624fb7181436abe539166e4030a6982f3c572bb341105fb237787e7485c5a9e7a289e58b9e2346f37eeeadcb4f82fb816d2aa3a5b4a97082238279d198136
-
C:\Users\Admin\AppData\Local\Temp\AcuOiVHVN7.exeMD5
6ae21549fb8869f8da1acec258c48e0b
SHA1aed533b121fbbb481e598bc3e73cb90556db55f3
SHA25680fff049a91ba68ca61e228c88dd80d16e416ab54fd66c87c5c5ea2e85d44b58
SHA512abd624fb7181436abe539166e4030a6982f3c572bb341105fb237787e7485c5a9e7a289e58b9e2346f37eeeadcb4f82fb816d2aa3a5b4a97082238279d198136
-
\Users\Admin\AppData\LocalLow\sqlite3.dllMD5
f964811b68f9f1487c2b41e1aef576ce
SHA1b423959793f14b1416bc3b7051bed58a1034025f
SHA25683bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
SHA512565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
-
memory/856-119-0x0000000005850000-0x0000000005851000-memory.dmpFilesize
4KB
-
memory/856-118-0x00000000058A0000-0x0000000005D9E000-memory.dmpFilesize
5.0MB
-
memory/856-120-0x0000000008ED0000-0x0000000008ED1000-memory.dmpFilesize
4KB
-
memory/856-121-0x0000000005B80000-0x0000000005B85000-memory.dmpFilesize
20KB
-
memory/856-122-0x0000000009230000-0x00000000092E0000-memory.dmpFilesize
704KB
-
memory/856-123-0x000000000B8E0000-0x000000000B971000-memory.dmpFilesize
580KB
-
memory/856-116-0x0000000005DA0000-0x0000000005DA1000-memory.dmpFilesize
4KB
-
memory/856-114-0x0000000000DB0000-0x0000000000DB1000-memory.dmpFilesize
4KB
-
memory/856-117-0x00000000057A0000-0x00000000057A1000-memory.dmpFilesize
4KB
-
memory/1984-125-0x000000000043DC5B-mapping.dmp
-
memory/1984-126-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/1984-124-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/2128-128-0x0000000000000000-mapping.dmp
-
memory/2128-131-0x00000000005E0000-0x00000000005E1000-memory.dmpFilesize
4KB
-
memory/2128-138-0x0000000007390000-0x000000000788E000-memory.dmpFilesize
5.0MB