Analysis

  • max time kernel
    155s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    29-09-2021 18:17

General

  • Target

    4c8981a97340a3fda39eed92155fa9a5.exe

  • Size

    222KB

  • MD5

    4c8981a97340a3fda39eed92155fa9a5

  • SHA1

    177e5559c59ee4896a45f43e1601fe91a41cc14d

  • SHA256

    44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480

  • SHA512

    89f416c061f90de80f72575adb05560f5a82d6b4e2e48b6bce0f22fdbf43576c4bb3508e56cf6cda2f1431504cea0529855a4f2f60c97be5ae4890d724721752

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

redline

C2

92.246.89.6:38437

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

rc4.plain

Extracted

Family

redline

Botnet

Second BUILD

C2

asyndenera.xyz:15667

Signatures

  • Gozi RM3

    A heavily modified version of Gozi using RM3 loader.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • XMRig Miner Payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 16 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Drops file in Windows directory 11 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe
    "C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe
      "C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1788
  • C:\Users\Admin\AppData\Local\Temp\4587.exe
    C:\Users\Admin\AppData\Local\Temp\4587.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\4587.exe
      C:\Users\Admin\AppData\Local\Temp\4587.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1716
  • C:\Users\Admin\AppData\Local\Temp\4E2F.exe
    C:\Users\Admin\AppData\Local\Temp\4E2F.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Users\Admin\AppData\Local\Temp\4E2F.exe
      C:\Users\Admin\AppData\Local\Temp\4E2F.exe
      2⤵
      • Executes dropped EXE
      PID:1436
  • C:\Users\Admin\AppData\Local\Temp\6BBF.exe
    C:\Users\Admin\AppData\Local\Temp\6BBF.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Roaming\6BBF.exe
      "C:\Users\Admin\AppData\Roaming\6BBF.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Self.bat" "
        3⤵
        PID:2056
        • C:\Windows\SysWOW64\chcp.com
          chcp 1251
          4⤵
          PID:2100
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\6BBF.exe
        3⤵
        PID:2132
        • C:\Windows\SysWOW64\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
          PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Self.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
        PID:1704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del 6BBF.exe
      2⤵
      PID:568
      • C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 0
        3⤵
        PID:1600
  • C:\Users\Admin\AppData\Local\Temp\7D4C.exe
    C:\Users\Admin\AppData\Local\Temp\7D4C.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\znxgdssv\
      2⤵
      PID:344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jhwicyjz.exe" C:\Windows\SysWOW64\znxgdssv\
      2⤵
      PID:968
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create znxgdssv binPath= "C:\Windows\SysWOW64\znxgdssv\jhwicyjz.exe /d\"C:\Users\Admin\AppData\Local\Temp\7D4C.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:1204
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description znxgdssv "wifi internet conection"
      2⤵
      PID:1324
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start znxgdssv
      2⤵
      PID:1564
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1348
  • C:\Windows\SysWOW64\znxgdssv\jhwicyjz.exe
    C:\Windows\SysWOW64\znxgdssv\jhwicyjz.exe /d"C:\Users\Admin\AppData\Local\Temp\7D4C.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    PID:1384
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      PID:840
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        PID:2320
  • C:\Users\Admin\AppData\Local\Temp\9D8A.exe
    C:\Users\Admin\AppData\Local\Temp\9D8A.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    PID:1972
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\9D8A.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632946539 " AI_EUIMSI=""
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of FindShellTrayWindow
      PID:1684
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:584
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C1E1C4815315B2595113200EA7BAA53C C
      2⤵
      • Loads dropped DLL
      PID:1528
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding D0A00EC952DFADC047D05EDE171B22A3
      2⤵
      • Loads dropped DLL
      PID:1348
    • C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
      "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
      2⤵
      • Executes dropped EXE
      • Drops startup file
      PID:2116
  • C:\Users\Admin\AppData\Local\Temp\AAC4.exe
    C:\Users\Admin\AppData\Local\Temp\AAC4.exe
    1⤵
    • Executes dropped EXE
    PID:1968
  • C:\Users\Admin\AppData\Local\Temp\C299.exe
    C:\Users\Admin\AppData\Local\Temp\C299.exe
    1⤵
    • Executes dropped EXE
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe
      "C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"
      2⤵
      • Executes dropped EXE
      PID:2432
    • C:\Users\Admin\AppData\Local\Temp\Money10k_.exe
      "C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies system certificate store
      PID:2452
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {28FE6094-B855-4F93-87B4-61F4E2B24F6A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    PID:2076
    • C:\Users\Admin\AppData\Roaming\biaicjf
      C:\Users\Admin\AppData\Roaming\biaicjf
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:1940
      • C:\Users\Admin\AppData\Roaming\biaicjf
        C:\Users\Admin\AppData\Roaming\biaicjf
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:2104

Network

MITRE ATT&CK Enterprise v6

Downloads
