Analysis
-
max time kernel
10s -
max time network
181s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
14-08-2021 15:37
General
-
Target
D52860D6BE6EA1EC9F809D6527D46B06.exe
-
Size
8.5MB
-
MD5
d52860d6be6ea1ec9f809d6527d46b06
-
SHA1
9c5a0e6266eca4f86bd38efddc8551e95451158f
-
SHA256
39326cdd0c863e1766ecc3d119ec18fdaa93ef886cfbc887f76784f745df73e4
-
SHA512
64d356059ef696a8297a7e0f28b3108ee1a8bdb68edde0b52667fbff1b46e9daf0c42fdc545795443fbe7fe7db6734935d147f01bb3101f1f0d2fdf2e25a6000
Score
10/10
Malware Config
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
7f2d7476ae0c3559a3dfab1f6e354e488b2429a1
Attributes
-
url4cnc
https://t.me/gishsunsetman
rc4.plain
rc4.plain
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 5 IoCs
-
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 15 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Loads dropped DLL 40 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
autoit_exe 6 IoCs
AutoIT scripts compiled to PE executables.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 22 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\D52860D6BE6EA1EC9F809D6527D46B06.exe"C:\Users\Admin\AppData\Local\Temp\D52860D6BE6EA1EC9F809D6527D46B06.exe"1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\6784788.exe"C:\Users\Admin\AppData\Roaming\6784788.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\1210102.exe"C:\Users\Admin\AppData\Roaming\1210102.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\1628812.exe"C:\Users\Admin\AppData\Roaming\1628812.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\6479441.exe"C:\Users\Admin\AppData\Roaming\6479441.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\zcFlb7F4RuraHdu7Xpwh2CdQ.exe"C:\Users\Admin\Documents\zcFlb7F4RuraHdu7Xpwh2CdQ.exe"3⤵
-
-
C:\Users\Admin\Documents\CNM0bxPpN3zKWokR4mQqQ8e8.exe"C:\Users\Admin\Documents\CNM0bxPpN3zKWokR4mQqQ8e8.exe"3⤵
-
-
C:\Users\Admin\Documents\ByTQSB3gpWMDmP3CMKv7Hday.exe"C:\Users\Admin\Documents\ByTQSB3gpWMDmP3CMKv7Hday.exe"3⤵
-
-
C:\Users\Admin\Documents\q6X7CxBrY_8uZ1WMSmCY5607.exe"C:\Users\Admin\Documents\q6X7CxBrY_8uZ1WMSmCY5607.exe"3⤵
-
-
C:\Users\Admin\Documents\EHlWWcEyoCFLnzKd7zmvsf6S.exe"C:\Users\Admin\Documents\EHlWWcEyoCFLnzKd7zmvsf6S.exe"3⤵
-
-
C:\Users\Admin\Documents\m_rlDeaTHwE6w_R8VIVYvb4r.exe"C:\Users\Admin\Documents\m_rlDeaTHwE6w_R8VIVYvb4r.exe"3⤵
-
-
C:\Users\Admin\Documents\rSIwj8Dang36R68oHEZHZkOa.exe"C:\Users\Admin\Documents\rSIwj8Dang36R68oHEZHZkOa.exe"3⤵
-
-
C:\Users\Admin\Documents\qCghLljSzNmvCWnldv0XUATk.exe"C:\Users\Admin\Documents\qCghLljSzNmvCWnldv0XUATk.exe"3⤵
-
-
C:\Users\Admin\Documents\CwunTawavwOZaTRIajFoaV3o.exe"C:\Users\Admin\Documents\CwunTawavwOZaTRIajFoaV3o.exe"3⤵
-
-
C:\Users\Admin\Documents\0OzywLgQKYu2t3mjLUYD3uIO.exe"C:\Users\Admin\Documents\0OzywLgQKYu2t3mjLUYD3uIO.exe"3⤵
-
-
C:\Users\Admin\Documents\388zAywCP9sMumF_KNpz9z4p.exe"C:\Users\Admin\Documents\388zAywCP9sMumF_KNpz9z4p.exe"3⤵
-
-
C:\Users\Admin\Documents\7hAt4UwjGNDLPq2fGEHCCTTu.exe"C:\Users\Admin\Documents\7hAt4UwjGNDLPq2fGEHCCTTu.exe"3⤵
-
-
C:\Users\Admin\Documents\ZGN06NAqX2hpWI8_n3FZvtDX.exe"C:\Users\Admin\Documents\ZGN06NAqX2hpWI8_n3FZvtDX.exe"3⤵
-
-
C:\Users\Admin\Documents\s7M2cBZVErqeF05RRSXuCY4t.exe"C:\Users\Admin\Documents\s7M2cBZVErqeF05RRSXuCY4t.exe"3⤵
-
C:\Users\Admin\Documents\s7M2cBZVErqeF05RRSXuCY4t.exe"C:\Users\Admin\Documents\s7M2cBZVErqeF05RRSXuCY4t.exe"4⤵
-
-
-
C:\Users\Admin\Documents\kBjePFBf1Ce1_D0IX1dK8qrd.exe"C:\Users\Admin\Documents\kBjePFBf1Ce1_D0IX1dK8qrd.exe"3⤵
-
-
C:\Users\Admin\Documents\cEJlaRYnRzrE0HdUcVPAlcg0.exe"C:\Users\Admin\Documents\cEJlaRYnRzrE0HdUcVPAlcg0.exe"3⤵
-
-
C:\Users\Admin\Documents\FRy3T45vMF00PsVZfkMpmbxX.exe"C:\Users\Admin\Documents\FRy3T45vMF00PsVZfkMpmbxX.exe"3⤵
-
-
C:\Users\Admin\Documents\Mz6QwgrbfwAhYLcaRbvfCjFm.exe"C:\Users\Admin\Documents\Mz6QwgrbfwAhYLcaRbvfCjFm.exe"3⤵
-
-
C:\Users\Admin\Documents\AaCkOGJPia2MUKGe22dS89IR.exe"C:\Users\Admin\Documents\AaCkOGJPia2MUKGe22dS89IR.exe"3⤵
-
-
C:\Users\Admin\Documents\rWr8DO5MTTFsQrngycbY_ZiC.exe"C:\Users\Admin\Documents\rWr8DO5MTTFsQrngycbY_ZiC.exe"3⤵
-
-
C:\Users\Admin\Documents\R9LZphomN4ayNzzIkNqjSsk7.exe"C:\Users\Admin\Documents\R9LZphomN4ayNzzIkNqjSsk7.exe"3⤵
-
-
C:\Users\Admin\Documents\ySX7jqJD5x5i64QIZEcl9aUW.exe"C:\Users\Admin\Documents\ySX7jqJD5x5i64QIZEcl9aUW.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Complete.exe"C:\Users\Admin\AppData\Local\Temp\Complete.exe"2⤵
-
C:\Users\Admin\Documents\mE7uq4CUvxTj3Gsr5sQQjIsb.exe"C:\Users\Admin\Documents\mE7uq4CUvxTj3Gsr5sQQjIsb.exe"3⤵
-
-
C:\Users\Admin\Documents\LwCZjaXkByIDam5cfKGU2Ry7.exe"C:\Users\Admin\Documents\LwCZjaXkByIDam5cfKGU2Ry7.exe"3⤵
-
-
C:\Users\Admin\Documents\u0F7e3pBMN3PlWDpg64nVmNs.exe"C:\Users\Admin\Documents\u0F7e3pBMN3PlWDpg64nVmNs.exe"3⤵
-
-
C:\Users\Admin\Documents\zLFTEWVN7JFo2DP6suCP4BJ0.exe"C:\Users\Admin\Documents\zLFTEWVN7JFo2DP6suCP4BJ0.exe"3⤵
-
-
C:\Users\Admin\Documents\7255927VD8Ph5Gydz8RtLKZL.exe"C:\Users\Admin\Documents\7255927VD8Ph5Gydz8RtLKZL.exe"3⤵
-
-
C:\Users\Admin\Documents\vPmx5IdVbizxA1FXK_DSBpce.exe"C:\Users\Admin\Documents\vPmx5IdVbizxA1FXK_DSBpce.exe"3⤵
-
-
C:\Users\Admin\Documents\E5C0uQxayvEWt7I9LFc5eXkM.exe"C:\Users\Admin\Documents\E5C0uQxayvEWt7I9LFc5eXkM.exe"3⤵
-
-
C:\Users\Admin\Documents\m15ETEtyvb9Mv3VqYXeKEZ5r.exe"C:\Users\Admin\Documents\m15ETEtyvb9Mv3VqYXeKEZ5r.exe"3⤵
-
-
C:\Users\Admin\Documents\gRahQLQTfCpzuF_j66JJe7R4.exe"C:\Users\Admin\Documents\gRahQLQTfCpzuF_j66JJe7R4.exe"3⤵
-
-
C:\Users\Admin\Documents\cNLRZwg0iHgUGIiQWNqpRNvr.exe"C:\Users\Admin\Documents\cNLRZwg0iHgUGIiQWNqpRNvr.exe"3⤵
-
-
C:\Users\Admin\Documents\vlgN5wJ_KRJuRzzoXxU8VqQa.exe"C:\Users\Admin\Documents\vlgN5wJ_KRJuRzzoXxU8VqQa.exe"3⤵
-
-
C:\Users\Admin\Documents\xl5IGrFKgyMWaxJ2AZgfwxUd.exe"C:\Users\Admin\Documents\xl5IGrFKgyMWaxJ2AZgfwxUd.exe"3⤵
-
-
C:\Users\Admin\Documents\TFXBdmL1R3wO1AqHZTyRT1hz.exe"C:\Users\Admin\Documents\TFXBdmL1R3wO1AqHZTyRT1hz.exe"3⤵
-
-
C:\Users\Admin\Documents\KAU2WfRStHoEBwHWiYDAcmUj.exe"C:\Users\Admin\Documents\KAU2WfRStHoEBwHWiYDAcmUj.exe"3⤵
-
-
C:\Users\Admin\Documents\ERuryQ5jy6KyuwpB0RFEl8gI.exe"C:\Users\Admin\Documents\ERuryQ5jy6KyuwpB0RFEl8gI.exe"3⤵
-
-
C:\Users\Admin\Documents\lCJzDB0Z1qBEG160z0s97L5c.exe"C:\Users\Admin\Documents\lCJzDB0Z1qBEG160z0s97L5c.exe"3⤵
-
-
C:\Users\Admin\Documents\Ux4pQUG92kJ0FmSrDez3WLg6.exe"C:\Users\Admin\Documents\Ux4pQUG92kJ0FmSrDez3WLg6.exe"3⤵
-
-
C:\Users\Admin\Documents\jxSQT5XTITKhi8bLwiosYEym.exe"C:\Users\Admin\Documents\jxSQT5XTITKhi8bLwiosYEym.exe"3⤵
-
-
C:\Users\Admin\Documents\5a7Ds51vRX06Z7YCyurW3hLM.exe"C:\Users\Admin\Documents\5a7Ds51vRX06Z7YCyurW3hLM.exe"3⤵
-
-
C:\Users\Admin\Documents\rFdrRNGu3A1fKSB5pcqZ3MBF.exe"C:\Users\Admin\Documents\rFdrRNGu3A1fKSB5pcqZ3MBF.exe"3⤵
-
-
C:\Users\Admin\Documents\mM7EhAZ4zI6OXU2d7v8tCKrB.exe"C:\Users\Admin\Documents\mM7EhAZ4zI6OXU2d7v8tCKrB.exe"3⤵
-
-
C:\Users\Admin\Documents\Z69zP2nYY2YtI_HoqcdOfILf.exe"C:\Users\Admin\Documents\Z69zP2nYY2YtI_HoqcdOfILf.exe"3⤵
-
-
C:\Users\Admin\Documents\aIbZWLpAKrPyGVDc0zwJTWcs.exe"C:\Users\Admin\Documents\aIbZWLpAKrPyGVDc0zwJTWcs.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\mysetold.exe"C:\Users\Admin\AppData\Local\Temp\mysetold.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe3⤵
-
-
C:\Users\Public\run2.exeC:\Users\Public\run2.exe3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1684 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a1⤵
- Executes dropped EXE
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
452KB
-
Filesize
304KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44.6MB
-
Filesize
9.1MB
-
Filesize
1.2MB
-
Filesize
40.4MB
-
Filesize
36KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
3.3MB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
452KB
-
Filesize
4KB
-
Filesize
36KB