Overview

overview

10

Static

static

4578012232...3d.exe

windows7_x64

10

4578012232...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    30/09/2021, 05:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4578012232277d08b06f0e14f168e33d.exe

  • Size

    240KB

  • MD5

    4578012232277d08b06f0e14f168e33d

  • SHA1

    10e0aa746b01adf481285add400f1c66f7fa0dfa

  • SHA256

    d4bec541272c470bc24653ca13fe85d4011e300b79026b767c6bd3abcb93b637

  • SHA512

    a337b07a6b8365384741f758a512dfa8a51de1b2a687878f7aaeb0c9aef44fd5a11c066de735d114a67a95f0add47cda433bb73005ffa4bfdc54bc57c31512c7

Score
10/10
raccoonredlinesmokeloadertofseexmrig5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4rsecond build backdoordiscoveryevasioninfostealerminerpersistencespywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

r

C2

188.72.208.174:38430

Extracted

Family

raccoon

Botnet

5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4

Attributes
  • url4cnc

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

Second BUILD

C2

asyndenera.xyz:15667

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs
    evasiontrojan
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)

    suricata
  • suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • XMRig Miner Payload 3 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 14 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4578012232277d08b06f0e14f168e33d.exe
    "C:\Users\Admin\AppData\Local\Temp\4578012232277d08b06f0e14f168e33d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Users\Admin\AppData\Local\Temp\4578012232277d08b06f0e14f168e33d.exe
      "C:\Users\Admin\AppData\Local\Temp\4578012232277d08b06f0e14f168e33d.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4080
  • C:\Users\Admin\AppData\Local\Temp\FB0F.exe
    C:\Users\Admin\AppData\Local\Temp\FB0F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3004
    • C:\Users\Admin\AppData\Local\Temp\FB0F.exe
      C:\Users\Admin\AppData\Local\Temp\FB0F.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:740
  • C:\Users\Admin\AppData\Local\Temp\FEAA.exe
    C:\Users\Admin\AppData\Local\Temp\FEAA.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\FEAA.exe
      C:\Users\Admin\AppData\Local\Temp\FEAA.exe
      2⤵
      • Executes dropped EXE
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\FEAA.exe
      C:\Users\Admin\AppData\Local\Temp\FEAA.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:860
  • C:\Users\Admin\AppData\Local\Temp\B1F.exe
    C:\Users\Admin\AppData\Local\Temp\B1F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Roaming\B1F.exe
      "C:\Users\Admin\AppData\Roaming\B1F.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
        3⤵
          PID:3004
          • C:\Windows\SysWOW64\chcp.com
            chcp 1251
            4⤵
              PID:500
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\B1F.exe
            3⤵
              PID:2612
              • C:\Windows\SysWOW64\choice.exe
                choice /C Y /N /D Y /T 0
                4⤵
                  PID:528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Self.bat" "
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1592
              • C:\Windows\SysWOW64\chcp.com
                chcp 1251
                3⤵
                  PID:2792
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 0 &Del B1F.exe
                2⤵
                  PID:2316
                  • C:\Windows\SysWOW64\choice.exe
                    choice /C Y /N /D Y /T 0
                    3⤵
                      PID:1324
                • C:\Users\Admin\AppData\Local\Temp\1253.exe
                  C:\Users\Admin\AppData\Local\Temp\1253.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:4472
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mdoxguzl\
                    2⤵
                      PID:3728
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ubecddth.exe" C:\Windows\SysWOW64\mdoxguzl\
                      2⤵
                        PID:2404
                      • C:\Windows\SysWOW64\sc.exe
                        "C:\Windows\System32\sc.exe" create mdoxguzl binPath= "C:\Windows\SysWOW64\mdoxguzl\ubecddth.exe /d\"C:\Users\Admin\AppData\Local\Temp\1253.exe\"" type= own start= auto DisplayName= "wifi support"
                        2⤵
                          PID:644
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" description mdoxguzl "wifi internet conection"
                          2⤵
                            PID:1180
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" start mdoxguzl
                            2⤵
                              PID:1452
                            • C:\Windows\SysWOW64\netsh.exe
                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                              2⤵
                                PID:3588
                            • C:\Users\Admin\AppData\Local\Temp\1A15.exe
                              C:\Users\Admin\AppData\Local\Temp\1A15.exe
                              1⤵
                              • Executes dropped EXE
                              • Checks BIOS information in registry
                              • Checks whether UAC is enabled
                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4672
                            • C:\Users\Admin\AppData\Local\Temp\26D7.exe
                              C:\Users\Admin\AppData\Local\Temp\26D7.exe
                              1⤵
                              • Executes dropped EXE
                              PID:4160
                              • C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe
                                "C:\Users\Admin\AppData\Local\Temp\InternodesPiets_2021-09-29_21-00.exe"
                                2⤵
                                • Executes dropped EXE
                                PID:3128
                              • C:\Users\Admin\AppData\Local\Temp\Money10k_.exe
                                "C:\Users\Admin\AppData\Local\Temp\Money10k_.exe"
                                2⤵
                                • Executes dropped EXE
                                • Checks BIOS information in registry
                                • Checks whether UAC is enabled
                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                PID:4184
                            • C:\Windows\SysWOW64\mdoxguzl\ubecddth.exe
                              C:\Windows\SysWOW64\mdoxguzl\ubecddth.exe /d"C:\Users\Admin\AppData\Local\Temp\1253.exe"
                              1⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              PID:2020
                              • C:\Windows\SysWOW64\svchost.exe
                                svchost.exe
                                2⤵
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Modifies data under HKEY_USERS
                                PID:4760
                                • C:\Windows\SysWOW64\svchost.exe
                                  svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                  3⤵
                                    PID:1316
                              • C:\Users\Admin\AppData\Local\Temp\2DED.exe
                                C:\Users\Admin\AppData\Local\Temp\2DED.exe
                                1⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:5108
                                • C:\Windows\SysWOW64\cmd.exe
                                  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2DED.exe"
                                  2⤵
                                    PID:4532
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /T 10 /NOBREAK
                                      3⤵
                                      • Delays execution with timeout.exe
                                      PID:3480

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/860-199-0x00000000050A0000-0x00000000056A6000-memory.dmp

                                  Filesize

                                  6.0MB

                                  Download

                                • memory/860-188-0x0000000000400000-0x0000000000422000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/1316-249-0x0000000003200000-0x00000000032F1000-memory.dmp

                                  Filesize

                                  964KB

                                  Download

                                • memory/1316-244-0x0000000003200000-0x00000000032F1000-memory.dmp

                                  Filesize

                                  964KB

                                  Download

                                • memory/1544-214-0x0000000006190000-0x00000000061BA000-memory.dmp

                                  Filesize

                                  168KB

                                  Download

                                • memory/1544-210-0x0000000006A70000-0x0000000006A71000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1544-178-0x0000000005170000-0x0000000005171000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1544-212-0x0000000006B60000-0x0000000006B61000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2020-207-0x0000000000400000-0x000000000086C000-memory.dmp

                                  Filesize

                                  4.4MB

                                  Download

                                • memory/3020-146-0x0000000002810000-0x0000000002825000-memory.dmp

                                  Filesize

                                  84KB

                                  Download

                                • memory/3020-118-0x0000000000380000-0x0000000000395000-memory.dmp

                                  Filesize

                                  84KB

                                  Download

                                • memory/3128-255-0x00000000022D0000-0x00000000022EF000-memory.dmp

                                  Filesize

                                  124KB

                                  Download

                                • memory/3128-264-0x0000000004A74000-0x0000000004A76000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/3128-262-0x0000000000400000-0x000000000045D000-memory.dmp

                                  Filesize

                                  372KB

                                  Download

                                • memory/3128-265-0x0000000004A70000-0x0000000004A71000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3128-260-0x0000000000460000-0x00000000005AA000-memory.dmp

                                  Filesize

                                  1.3MB

                                  Download

                                • memory/3128-257-0x0000000002610000-0x000000000262E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/3128-267-0x0000000004A72000-0x0000000004A73000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3128-268-0x0000000004A73000-0x0000000004A74000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3696-117-0x0000000000030000-0x0000000000039000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/3996-137-0x0000000002A60000-0x0000000002A61000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3996-136-0x00000000075C0000-0x0000000007611000-memory.dmp

                                  Filesize

                                  324KB

                                  Download

                                • memory/3996-143-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3996-133-0x0000000000960000-0x0000000000961000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3996-144-0x0000000005360000-0x0000000005361000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4080-115-0x0000000000400000-0x0000000000409000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/4160-184-0x0000000000420000-0x0000000000421000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4184-277-0x0000000005550000-0x0000000005551000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4184-275-0x0000000077A00000-0x0000000077B8E000-memory.dmp

                                  Filesize

                                  1.6MB

                                  Download

                                • memory/4280-135-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4280-138-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4280-131-0x0000000000340000-0x0000000000341000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4280-142-0x0000000005310000-0x0000000005311000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4280-145-0x0000000004E00000-0x0000000004E01000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4472-148-0x0000000000400000-0x000000000086C000-memory.dmp

                                  Filesize

                                  4.4MB

                                  Download

                                • memory/4472-147-0x00000000008B0000-0x00000000008C3000-memory.dmp

                                  Filesize

                                  76KB

                                  Download

                                • memory/4672-177-0x0000000002900000-0x0000000002901000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-164-0x0000000005340000-0x0000000005341000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-156-0x0000000000040000-0x0000000000041000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-159-0x0000000005840000-0x0000000005841000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-160-0x00000000052E0000-0x00000000052E1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-162-0x0000000005410000-0x0000000005411000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

                                  Filesize

                                  1.6MB

                                  Download

                                • memory/4672-171-0x0000000005380000-0x0000000005381000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-215-0x0000000006980000-0x0000000006981000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4672-216-0x0000000007080000-0x0000000007081000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/4760-203-0x0000000000A80000-0x0000000000A95000-memory.dmp

                                  Filesize

                                  84KB

                                  Download

                                • memory/5108-209-0x00000000009E0000-0x0000000000B2A000-memory.dmp

                                  Filesize

                                  1.3MB

                                  Download

                                • memory/5108-208-0x0000000000400000-0x00000000008AC000-memory.dmp

                                  Filesize

                                  4.7MB

                                  Download