raccoon | 46fc72077df7ddc1d3e744d3ebf8e48fb1814e242694970c1c5c3481b696a4b1

Target

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Size

179KB
MD5

2a0c06cec3ab6b1f26e0f6574f25f0cc
SHA1

048a78112e33d2c9baf547b9481b0d9a6afefc30
SHA256

46fc72077df7ddc1d3e744d3ebf8e48fb1814e242694970c1c5c3481b696a4b1
SHA512

bcca037c7a126f60e118e67b9e5910271caed2af17b012055bbf8aac27c328713f25fea7a3d9ce6605de5a3c5125951711ef21eaa9a621d982833571864c93cc

Score

10^/10

raccoon smokeloader 471c70de3b4f9e4d493e418d1f60a90659057de0 backdoor discovery spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Extracted

Family

raccoon

Botnet

471c70de3b4f9e4d493e418d1f60a90659057de0

Attributes

url4cnc
https://telete.in/p1rosto100xx

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

Raccoon Stealer Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5000-172-0x00000000049B0000-0x0000000004A41000-memory.dmp	family_raccoon
behavioral1/memory/4272-206-0x0000000000000000-mapping.dmp	family_raccoon
behavioral1/memory/4272-207-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral1/memory/4272-209-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 4668 created 4908	4668	WerFault.exe	1C78.exe
PID 4412 created 5000	4412	WerFault.exe	2341.exe
PID 3188 created 4620	3188	WerFault.exe	1EBB.exe
PID 4108 created 504	4108	WerFault.exe	explorer.exe

Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

17E3.exe1C78.exe1EBB.exe1FC5.exe2341.exe1FC5.exe

pid process

4828 17E3.exe
4908 1C78.exe
4620 1EBB.exe
4628 1FC5.exe
5000 2341.exe
4272 1FC5.exe
Loads dropped DLL 3 IoCs

Processes:

1FC5.exe

pid process

4272 1FC5.exe
4272 1FC5.exe
4272 1FC5.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4828	17E3.exe
4908	1C78.exe
4620	1EBB.exe
4628	1FC5.exe
5000	2341.exe
4272	1FC5.exe

pid	process
4272	1FC5.exe
4272	1FC5.exe
4272	1FC5.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe1FC5.exe

description	pid	process	target process
PID 3832 set thread context of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 4628 set thread context of 4272	4628	1FC5.exe	1FC5.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1248	4908	WerFault.exe	1C78.exe
4836	5000	WerFault.exe	2341.exe
1096	4620	WerFault.exe	1EBB.exe
4904	504	WerFault.exe	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4664 timeout.exe

pid	process
4664	timeout.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe

Modifies registry class 4 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

pid	process
3804	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
3804	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3192
Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exe

pid process

3804 2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192

pid	process
3192

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

WerFault.exe1FC5.exe

description	pid	process
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeRestorePrivilege	1248	WerFault.exe
Token: SeBackupPrivilege	1248	WerFault.exe
Token: SeBackupPrivilege	1248	WerFault.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeDebugPrivilege	4628	1FC5.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

17E3.exe

pid process

4828 17E3.exe

pid	process
4828	17E3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a0c06cec3ab6b1f26e0f6574f25f0cc.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe1FC5.exe

description	pid	process	target process
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3832 wrote to memory of 3804	3832	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe	2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
PID 3192 wrote to memory of 4828	3192		17E3.exe
PID 3192 wrote to memory of 4828	3192		17E3.exe
PID 3192 wrote to memory of 4828	3192		17E3.exe
PID 3192 wrote to memory of 4908	3192		1C78.exe
PID 3192 wrote to memory of 4908	3192		1C78.exe
PID 3192 wrote to memory of 4908	3192		1C78.exe
PID 3192 wrote to memory of 4620	3192		1EBB.exe
PID 3192 wrote to memory of 4620	3192		1EBB.exe
PID 3192 wrote to memory of 4620	3192		1EBB.exe
PID 3192 wrote to memory of 4628	3192		1FC5.exe
PID 3192 wrote to memory of 4628	3192		1FC5.exe
PID 3192 wrote to memory of 4628	3192		1FC5.exe
PID 4668 wrote to memory of 4908	4668	WerFault.exe	1C78.exe
PID 4668 wrote to memory of 4908	4668	WerFault.exe	1C78.exe
PID 3192 wrote to memory of 5000	3192		2341.exe
PID 3192 wrote to memory of 5000	3192		2341.exe
PID 3192 wrote to memory of 5000	3192		2341.exe
PID 4412 wrote to memory of 5000	4412	WerFault.exe	2341.exe
PID 4412 wrote to memory of 5000	4412	WerFault.exe	2341.exe
PID 3192 wrote to memory of 504	3192		explorer.exe
PID 3192 wrote to memory of 504	3192		explorer.exe
PID 3192 wrote to memory of 504	3192		explorer.exe
PID 3192 wrote to memory of 504	3192		explorer.exe
PID 3188 wrote to memory of 4620	3188	WerFault.exe	1EBB.exe
PID 3188 wrote to memory of 4620	3188	WerFault.exe	1EBB.exe
PID 3192 wrote to memory of 1272	3192		explorer.exe
PID 3192 wrote to memory of 1272	3192		explorer.exe
PID 3192 wrote to memory of 1272	3192		explorer.exe
PID 3192 wrote to memory of 2476	3192		explorer.exe
PID 3192 wrote to memory of 2476	3192		explorer.exe
PID 3192 wrote to memory of 2476	3192		explorer.exe
PID 3192 wrote to memory of 2476	3192		explorer.exe
PID 3192 wrote to memory of 3124	3192		explorer.exe
PID 3192 wrote to memory of 3124	3192		explorer.exe
PID 3192 wrote to memory of 3124	3192		explorer.exe
PID 3192 wrote to memory of 2888	3192		explorer.exe
PID 3192 wrote to memory of 2888	3192		explorer.exe
PID 3192 wrote to memory of 2888	3192		explorer.exe
PID 3192 wrote to memory of 2888	3192		explorer.exe
PID 4108 wrote to memory of 504	4108	WerFault.exe	explorer.exe
PID 4108 wrote to memory of 504	4108	WerFault.exe	explorer.exe
PID 3192 wrote to memory of 4468	3192		explorer.exe
PID 3192 wrote to memory of 4468	3192		explorer.exe
PID 3192 wrote to memory of 4468	3192		explorer.exe
PID 3192 wrote to memory of 5100	3192		explorer.exe
PID 3192 wrote to memory of 5100	3192		explorer.exe
PID 3192 wrote to memory of 5100	3192		explorer.exe
PID 3192 wrote to memory of 5100	3192		explorer.exe
PID 3192 wrote to memory of 3772	3192		explorer.exe
PID 3192 wrote to memory of 3772	3192		explorer.exe
PID 3192 wrote to memory of 3772	3192		explorer.exe
PID 3192 wrote to memory of 3784	3192		explorer.exe
PID 3192 wrote to memory of 3784	3192		explorer.exe
PID 3192 wrote to memory of 3784	3192		explorer.exe
PID 3192 wrote to memory of 3784	3192		explorer.exe
PID 4628 wrote to memory of 4272	4628	1FC5.exe	1FC5.exe
PID 4628 wrote to memory of 4272	4628	1FC5.exe	1FC5.exe
PID 4628 wrote to memory of 4272	4628	1FC5.exe	1FC5.exe

C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832

C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe
"C:\Users\Admin\AppData\Local\Temp\2a0c06cec3ab6b1f26e0f6574f25f0cc.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3804

C:\Users\Admin\AppData\Local\Temp\17E3.exe
C:\Users\Admin\AppData\Local\Temp\17E3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Users\Admin\AppData\Local\Temp\1C78.exe
C:\Users\Admin\AppData\Local\Temp\1C78.exe
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 276
2⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Users\Admin\AppData\Local\Temp\1EBB.exe
C:\Users\Admin\AppData\Local\Temp\1EBB.exe
1⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 236
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4908 -ip 4908
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\1FC5.exe
C:\Users\Admin\AppData\Local\Temp\1FC5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\1FC5.exe
C:\Users\Admin\AppData\Local\Temp\1FC5.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1FC5.exe"
3⤵
PID:3892

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4664

C:\Users\Admin\AppData\Local\Temp\2341.exe
C:\Users\Admin\AppData\Local\Temp\2341.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 276
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5000 -ip 5000
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 504 -s 884
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4620 -ip 4620
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1272

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2476

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3124

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 504 -ip 504
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4468

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5100

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3772

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\sqlite3.dll
MD5
f964811b68f9f1487c2b41e1aef576ce

SHA1
b423959793f14b1416bc3b7051bed58a1034025f

SHA256
83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7

SHA512
565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4

Download Submit
C:\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\mozglue.dll
MD5
eae9273f8cdcf9321c6c37c244773139

SHA1
8378e2a2f3635574c106eea8419b5eb00b8489b0

SHA256
a0c6630d4012ae0311ff40f4f06911bcf1a23f7a4762ce219b8dffa012d188cc

SHA512
06e43e484a89cea9ba9b9519828d38e7c64b040f44cdaeb321cbda574e7551b11fea139ce3538f387a0a39a3d8c4cba7f4cf03e4a3c98db85f8121c2212a9097

Download Submit
C:\Users\Admin\AppData\LocalLow\wG3cB0qZ3rM5x\nss3.dll
MD5
02cc7b8ee30056d5912de54f1bdfc219

SHA1
a6923da95705fb81e368ae48f93d28522ef552fb

SHA256
1989526553fd1e1e49b0fea8036822ca062d3d39c4cab4a37846173d0f1753d5

SHA512
0d5dfcf4fb19b27246fa799e339d67cd1b494427783f379267fb2d10d615ffb734711bab2c515062c078f990a44a36f2d15859b1dacd4143dcc35b5c0cee0ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\17E3.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\17E3.exe
MD5
a69e12607d01237460808fa1709e5e86

SHA1
4a12f82aee1c90e70cdf6be863ce1a749c8ae411

SHA256
188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc

SHA512
7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C78.exe
MD5
19669c1bf02201d9e1f99f7e930d43e2

SHA1
2a701b5c25bb66a5dcfce1a1c8ae728c0d6f1ff8

SHA256
74d6c9fd6fe587302c02f1b17cd8d263ba63baf637547d0ef993aa9afa3230f2

SHA512
07f4f0af0e1153a5c6d3b7cfc6fb9580c649c52f34443f0816a52fdca763eec23eb7ccf3d0e9e0f2badfd20006bc6c2f201cb3d512df33bb18b5e63b3073d65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1C78.exe
MD5
19669c1bf02201d9e1f99f7e930d43e2

SHA1
2a701b5c25bb66a5dcfce1a1c8ae728c0d6f1ff8

SHA256
74d6c9fd6fe587302c02f1b17cd8d263ba63baf637547d0ef993aa9afa3230f2

SHA512
07f4f0af0e1153a5c6d3b7cfc6fb9580c649c52f34443f0816a52fdca763eec23eb7ccf3d0e9e0f2badfd20006bc6c2f201cb3d512df33bb18b5e63b3073d65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EBB.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\1EBB.exe
MD5
b19ac380411ed5d8b5a7e7e0c1da61a6

SHA1
9665c20336a5ce437bbf7b564370bfa43e99954c

SHA256
aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619

SHA512
73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC5.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC5.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\1FC5.exe
MD5
5707ddada5b7ea6bef434cd294fa12e1

SHA1
45bb285a597b30e100ed4b15d96a29d718697e5e

SHA256
85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c

SHA512
91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341.exe
MD5
c25b6682d6bd2dd6086223d4f7c9a322

SHA1
0df9d75090cb72412c7b9116a2cdfe7786605b7a

SHA256
253da36045abbbf91fa0afb5c336cef0a15950052d73adffcc0d3a015eee9db3

SHA512
b38608be0d545fc9fb6917c7bbbe645c86e382ea04532a00cf492cf65f2fb0156791be88f1afdfb6b80bdad4d47c76e5ef2b2bcfcf66ddaaaf79d00bd577fcf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2341.exe
MD5
c25b6682d6bd2dd6086223d4f7c9a322

SHA1
0df9d75090cb72412c7b9116a2cdfe7786605b7a

SHA256
253da36045abbbf91fa0afb5c336cef0a15950052d73adffcc0d3a015eee9db3

SHA512
b38608be0d545fc9fb6917c7bbbe645c86e382ea04532a00cf492cf65f2fb0156791be88f1afdfb6b80bdad4d47c76e5ef2b2bcfcf66ddaaaf79d00bd577fcf6

Download Submit
memory/504-178-0x0000000000520000-0x000000000058B000-memory.dmp

Filesize
428KB

Download
memory/504-177-0x0000000000800000-0x0000000000874000-memory.dmp

Filesize
464KB

Download
memory/504-171-0x0000000000000000-mapping.dmp

Download
memory/864-216-0x0000023B83260000-0x0000023B83270000-memory.dmp

Filesize
64KB

Download
memory/864-215-0x0000023B82960000-0x0000023B82970000-memory.dmp

Filesize
64KB

Download
memory/864-236-0x0000023B85B20000-0x0000023B85B24000-memory.dmp

Filesize
16KB

Download
memory/864-241-0x0000023B83530000-0x0000023B83531000-memory.dmp

Filesize
4KB

Download
memory/864-237-0x0000023B85AE0000-0x0000023B85AE1000-memory.dmp

Filesize
4KB

Download
memory/864-238-0x0000023B835E0000-0x0000023B835E4000-memory.dmp

Filesize
16KB

Download
memory/864-217-0x0000023B835B0000-0x0000023B835B4000-memory.dmp

Filesize
16KB

Download
memory/864-240-0x0000023B835D0000-0x0000023B835D4000-memory.dmp

Filesize
16KB

Download
memory/864-239-0x0000023B835D0000-0x0000023B835D1000-memory.dmp

Filesize
4KB

Download
memory/1272-183-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/1272-174-0x0000000000000000-mapping.dmp

Download
memory/1272-182-0x0000000000FB0000-0x0000000000FB7000-memory.dmp

Filesize
28KB

Download
memory/2476-184-0x0000000000D80000-0x0000000000D87000-memory.dmp

Filesize
28KB

Download
memory/2476-181-0x0000000000000000-mapping.dmp

Download
memory/2476-185-0x0000000000D70000-0x0000000000D7B000-memory.dmp

Filesize
44KB

Download
memory/2888-191-0x00000000003C0000-0x00000000003C9000-memory.dmp

Filesize
36KB

Download
memory/2888-190-0x00000000003D0000-0x00000000003D5000-memory.dmp

Filesize
20KB

Download
memory/2888-189-0x0000000000000000-mapping.dmp

Download
memory/3124-188-0x00000000003D0000-0x00000000003DF000-memory.dmp

Filesize
60KB

Download
memory/3124-186-0x0000000000000000-mapping.dmp

Download
memory/3124-187-0x00000000003E0000-0x00000000003E9000-memory.dmp

Filesize
36KB

Download
memory/3192-149-0x00000000076A0000-0x00000000076B6000-memory.dmp

Filesize
88KB

Download
memory/3192-220-0x0000000005860000-0x00000000058E0000-memory.dmp

Filesize
512KB

Download
memory/3192-228-0x0000000008480000-0x0000000008500000-memory.dmp

Filesize
512KB

Download
memory/3772-199-0x0000000000000000-mapping.dmp

Download
memory/3772-201-0x0000000000910000-0x0000000000919000-memory.dmp

Filesize
36KB

Download
memory/3772-200-0x0000000000920000-0x0000000000925000-memory.dmp

Filesize
20KB

Download
memory/3784-204-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/3784-202-0x0000000000000000-mapping.dmp

Download
memory/3784-203-0x0000000000AB0000-0x0000000000AB5000-memory.dmp

Filesize
20KB

Download
memory/3804-146-0x0000000000000000-mapping.dmp

Download
memory/3804-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3832-148-0x0000000004A70000-0x0000000004A7A000-memory.dmp

Filesize
40KB

Download
memory/3892-213-0x0000000000000000-mapping.dmp

Download
memory/4272-207-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4272-209-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4272-206-0x0000000000000000-mapping.dmp

Download
memory/4468-193-0x0000000000390000-0x0000000000396000-memory.dmp

Filesize
24KB

Download
memory/4468-192-0x0000000000000000-mapping.dmp

Download
memory/4468-194-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/4620-158-0x0000000000000000-mapping.dmp

Download
memory/4620-175-0x00000000032D0000-0x0000000003513000-memory.dmp

Filesize
2.3MB

Download
memory/4628-176-0x0000000005880000-0x0000000005E26000-memory.dmp

Filesize
5.6MB

Download
memory/4628-162-0x0000000000000000-mapping.dmp

Download
memory/4628-195-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/4628-180-0x00000000063E0000-0x00000000063E1000-memory.dmp

Filesize
4KB

Download
memory/4628-179-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/4628-173-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/4628-205-0x0000000005AD0000-0x0000000005AF1000-memory.dmp

Filesize
132KB

Download
memory/4628-168-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/4628-165-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4664-214-0x0000000000000000-mapping.dmp

Download
memory/4828-150-0x0000000000000000-mapping.dmp

Download
memory/4908-155-0x0000000000000000-mapping.dmp

Download
memory/4908-161-0x0000000004980000-0x00000000049BB000-memory.dmp

Filesize
236KB

Download
memory/5000-172-0x00000000049B0000-0x0000000004A41000-memory.dmp

Filesize
580KB

Download
memory/5000-167-0x0000000000000000-mapping.dmp

Download
memory/5100-197-0x0000000003440000-0x0000000003444000-memory.dmp

Filesize
16KB

Download
memory/5100-196-0x0000000000000000-mapping.dmp

Download
memory/5100-198-0x0000000003430000-0x0000000003439000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads