Overview

overview

10

Static

static

7687054ef7...54.exe

windows7_x64

10

7687054ef7...54.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    100s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-09-2021 16:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7687054ef76c0842a827c7249c7c5454.exe

  • Size

    221KB

  • MD5

    7687054ef76c0842a827c7249c7c5454

  • SHA1

    da4177807371fa64acc17dfdd0fa0b6d6c39a8b7

  • SHA256

    f085d79b0b46ad9eda7f2191e2e668314553251ab5d0f4936f84cd2c1afa2564

  • SHA512

    2e32bfffb654c0372fc190f859152bd60136cbeb182a6f64f7f12ae46641f2b1fc498c87dd3513d015fcf9f6187ec6287cfe37660b42b474562137605452773a

Score
10/10
raccoonredlinesmokeloader5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d45k superstarspectrumbackdoordiscoveryinfostealerspywarestealersuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

5k superstar

C2

narlelalik.xyz:12509

Extracted

Family

redline

Botnet

Spectrum

C2

190.2.145.73:16827

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Amadey CnC Check-In

    suricata: ET MALWARE Amadey CnC Check-In

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 18 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe
    "C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe
      "C:\Users\Admin\AppData\Local\Temp\7687054ef76c0842a827c7249c7c5454.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:380
  • C:\Users\Admin\AppData\Local\Temp\C6B6.exe
    C:\Users\Admin\AppData\Local\Temp\C6B6.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\C6B6.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632939643 " AI_EUIMSI=""
      2⤵
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:628
  • C:\Users\Admin\AppData\Local\Temp\D2AD.exe
    C:\Users\Admin\AppData\Local\Temp\D2AD.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\D2AD.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Windows\SysWOW64\timeout.exe
        timeout /T 10 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:4344
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ACB4CDC304F65041CBFDCA8BA60AC1D5 C
      2⤵
      • Loads dropped DLL
      PID:1864
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 31690DCBD10723ADA13A69D51F14FD24
      2⤵
      • Loads dropped DLL
      PID:1144
    • C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
      "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Loads dropped DLL
      PID:4232
  • C:\Users\Admin\AppData\Local\Temp\DB69.exe
    C:\Users\Admin\AppData\Local\Temp\DB69.exe
    1⤵
    • Executes dropped EXE
    PID:3164
  • C:\Users\Admin\AppData\Local\Temp\E6D4.exe
    C:\Users\Admin\AppData\Local\Temp\E6D4.exe
    1⤵
    • Executes dropped EXE
    PID:732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/380-115-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/732-236-0x00000000075C0000-0x00000000075C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-176-0x0000000000770000-0x000000000078F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/732-222-0x0000000004BE2000-0x0000000004BE3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-224-0x0000000004BE4000-0x0000000004BE6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/732-235-0x0000000007120000-0x0000000007121000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-223-0x0000000004BE3000-0x0000000004BE4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-178-0x0000000002370000-0x000000000238E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/732-230-0x0000000006930000-0x0000000006931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-219-0x0000000000460000-0x00000000005AA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/732-242-0x0000000007790000-0x0000000007791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/732-220-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/732-221-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/992-114-0x0000000000570000-0x00000000006BA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1808-142-0x00000000020C0000-0x0000000002150000-memory.dmp

    Filesize

    576KB

    Download

  • memory/1808-143-0x0000000000400000-0x0000000000493000-memory.dmp

    Filesize

    588KB

    Download

  • memory/3020-117-0x0000000000DA0000-0x0000000000DB5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/3164-164-0x0000000004B40000-0x0000000004B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-173-0x00000000025D0000-0x00000000025D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-165-0x0000000004B43000-0x0000000004B44000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-162-0x00000000022B0000-0x00000000022CF000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3164-218-0x0000000004B44000-0x0000000004B46000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3164-166-0x0000000004B42000-0x0000000004B43000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-153-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/3164-167-0x0000000004B50000-0x0000000004B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-171-0x0000000002420000-0x000000000243E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3164-225-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-174-0x0000000005660000-0x0000000005661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-240-0x0000000005D70000-0x0000000005D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-238-0x0000000007530000-0x0000000007531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-172-0x0000000005050000-0x0000000005051000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-232-0x0000000006B00000-0x0000000006B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3164-152-0x00000000005B0000-0x00000000005E0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3164-187-0x0000000004A70000-0x0000000004A71000-memory.dmp

    Filesize

    4KB

    Download