Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
29-09-2021 01:34
General
-
Target
9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84.exe
-
Size
180KB
-
MD5
157cdecdff1fe7e806f9f0fb4fa3da9c
-
SHA1
af384f9da0d12a0acd12e61049579a2b06d7236c
-
SHA256
9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84
-
SHA512
13cc521c6247724052593515a5a14ca1d4666c85eb11415d629495d4609e4d3be71b1020d690f612b3b63911cb89d76745bba8fddba16ef1894aeea6f92aadeb
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
777777
C2
193.56.146.60:18243
Extracted
Family
raccoon
Botnet
5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
Attributes
-
url4cnc
https://t.me/agrybirdsgamerept
rc4.plain
rc4.plain
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 16 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 19 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 22 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84.exe"C:\Users\Admin\AppData\Local\Temp\9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84.exe"C:\Users\Admin\AppData\Local\Temp\9f3df6691f7495516404aa8fd567b4de99567fafc1e1292f0f4bbba55ff24d84.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\F41A.exeC:\Users\Admin\AppData\Local\Temp\F41A.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\21.exeC:\Users\Admin\AppData\Local\Temp\21.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0nla34tc\0nla34tc.cmdline"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CCE.tmp" "c:\Users\Admin\AppData\Local\Temp\0nla34tc\CSC7FFEAEDE1D25447EA55B209E5CBBD61B.TMP"4⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f3⤵
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f3⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f3⤵
-
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr4⤵
-
C:\Windows\SysWOW64\net.exenet start rdpdr5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService4⤵
-
C:\Windows\SysWOW64\net.exenet start TermService5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\301.exeC:\Users\Admin\AppData\Local\Temp\301.exe1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\75d20555-0c76-4772-a09c-ac3cd03cdbb3\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\75d20555-0c76-4772-a09c-ac3cd03cdbb3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\75d20555-0c76-4772-a09c-ac3cd03cdbb3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\75d20555-0c76-4772-a09c-ac3cd03cdbb3\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\75d20555-0c76-4772-a09c-ac3cd03cdbb3\AdvancedRun.exe" /SpecialRun 4101d8 4163⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\301.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\301.exe"C:\Users\Admin\AppData\Local\Temp\301.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\301.exe"C:\Users\Admin\AppData\Local\Temp\301.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\301.exe"C:\Users\Admin\AppData\Local\Temp\301.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 22522⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\1EE6.exeC:\Users\Admin\AppData\Local\Temp\1EE6.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1EE6.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632879085 " AI_EUIMSI=""2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 40CBB266DAB32D76F8B6E1D3C43E827D C2⤵
- Loads dropped DLL
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 844270750B78D58114C2D89F21939E4A2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\is-SVM49.tmp\4357.tmp"C:\Users\Admin\AppData\Local\Temp\is-SVM49.tmp\4357.tmp" /SL5="$201FC,4844586,831488,C:\Users\Admin\AppData\Local\Temp\4357.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4357.exe"C:\Users\Admin\AppData\Local\Temp\4357.exe" /VERYSILENT2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-SGBQ9.tmp\4357.tmp"C:\Users\Admin\AppData\Local\Temp\is-SGBQ9.tmp\4357.tmp" /SL5="$301FC,4844586,831488,C:\Users\Admin\AppData\Local\Temp\4357.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe"C:\Users\Admin\AppData\Roaming\SketchLib SDK Client\SketchClient.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4357.exeC:\Users\Admin\AppData\Local\Temp\4357.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4C70.exeC:\Users\Admin\AppData\Local\Temp\4C70.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4C70.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
484KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8.4MB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
576KB
-
Filesize
588KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
864KB
-
Filesize
4KB
-
Filesize
864KB
-
Filesize
4KB
-
Filesize
49.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB