Overview

overview

10

Static

static

e092c290ec...91.exe

windows7_x64

10

e092c290ec...91.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-08-2021 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e092c290ecbe05b96a01a8557d202191.exe

  • Size

    180KB

  • MD5

    e092c290ecbe05b96a01a8557d202191

  • SHA1

    81ce24f7af893885025cb184de98da3bee563169

  • SHA256

    7984865f4df4f3569df5096b7a2b6bf03f070a9ef5fb6e46d3365e40e2f92a01

  • SHA512

    8dc9553013af612b8b5099bdeff2eaf021a2369298428460e4a349220c8db912e3a34f45eba9fbd89e9ea96f5d672d0eb9a9373b497130206bc5e3b4de963799

Score
10/10
raccoonsmokeloadercd8dc1031358b1aec55cc6bc447df1018b068607backdoorstealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

cd8dc1031358b1aec55cc6bc447df1018b068607

Attributes
  • url4cnc

    https://telete.in/jagressor_kz

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • Raccoon Stealer Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
    "C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe
      "C:\Users\Admin\AppData\Local\Temp\e092c290ecbe05b96a01a8557d202191.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1396
  • C:\Users\Admin\AppData\Local\Temp\2403.exe
    C:\Users\Admin\AppData\Local\Temp\2403.exe
    1⤵
    • Executes dropped EXE
    PID:2624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 732
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:1308
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 744
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 748
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 880
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 736
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:852
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:3064
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:496
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:2268
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:2072
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:3916
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:412
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:1544
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:1548
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:2192

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\2403.exe
                      MD5

                      bcb7a8c35da728b75d377c38a80d503c

                      SHA1

                      c21b88f09971bd30ac49daab64e0f669409af60a

                      SHA256

                      e95de24b1497e98be071715371def2978162ebb70ae999ad824ca48800271fc8

                      SHA512

                      501d7ba9560eb731bf429f02f9ebe545db1b619939a92300388319f8760e7f80e53cf6965ed2e7391e894b4fc6ec338804210f827d411a45dc7b984d79bd2257

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\2403.exe
                      MD5

                      bcb7a8c35da728b75d377c38a80d503c

                      SHA1

                      c21b88f09971bd30ac49daab64e0f669409af60a

                      SHA256

                      e95de24b1497e98be071715371def2978162ebb70ae999ad824ca48800271fc8

                      SHA512

                      501d7ba9560eb731bf429f02f9ebe545db1b619939a92300388319f8760e7f80e53cf6965ed2e7391e894b4fc6ec338804210f827d411a45dc7b984d79bd2257

                      Download Submit

                    • memory/412-138-0x0000000000000000-mapping.dmp

                      Download

                    • memory/412-139-0x0000000000EF0000-0x0000000000EF6000-memory.dmp

                      Filesize

                      24KB

                      Download

                    • memory/412-140-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/496-124-0x0000000000000000-mapping.dmp

                      Download

                    • memory/496-128-0x00000000009B0000-0x00000000009BC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/496-127-0x00000000009C0000-0x00000000009C7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/1396-115-0x0000000000402E1A-mapping.dmp

                      Download

                    • memory/1396-114-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/1544-143-0x0000000000870000-0x0000000000879000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/1544-141-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1544-142-0x0000000000880000-0x0000000000884000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/1548-144-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1548-146-0x0000000000C10000-0x0000000000C19000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/1548-145-0x0000000000C20000-0x0000000000C25000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2072-132-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2072-133-0x0000000000DE0000-0x0000000000DE9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2072-134-0x0000000000DD0000-0x0000000000DDF000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/2192-149-0x0000000000620000-0x0000000000629000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2192-148-0x0000000000630000-0x0000000000635000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2192-147-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2268-130-0x0000000000780000-0x0000000000787000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/2268-131-0x0000000000770000-0x000000000077B000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/2268-129-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2624-126-0x0000000000400000-0x0000000002CA9000-memory.dmp

                      Filesize

                      40.7MB

                      Download

                    • memory/2624-118-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2624-122-0x0000000004900000-0x0000000004991000-memory.dmp

                      Filesize

                      580KB

                      Download

                    • memory/3016-117-0x00000000012D0000-0x00000000012E6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3064-121-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3064-123-0x0000000000400000-0x0000000000474000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/3064-125-0x0000000000190000-0x00000000001FB000-memory.dmp

                      Filesize

                      428KB

                      Download

                    • memory/3128-116-0x00000000001E0000-0x00000000001EA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/3916-137-0x0000000000380000-0x0000000000389000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3916-136-0x0000000000390000-0x0000000000395000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3916-135-0x0000000000000000-mapping.dmp

                      Download