Analysis
-
max time kernel
152s -
max time network
163s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
14-10-2021 15:41
General
-
Target
b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5.exe
-
Size
256KB
-
MD5
e55480871748ce9135975f7e9b89eaf5
-
SHA1
a3b5dd90fa3f97d39424fde5680b43569c824df8
-
SHA256
b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5
-
SHA512
9f66715282c41cf0555b531332c9997f6a1295ccfdbe6b72620bedab3652c2f0269ac8bc366da5401fc35addb02cb36bc1be25deea5c18c50b43ba8037444255
Malware Config
Extracted
smokeloader
2020
http://honawey7.top/
http://wijibui0.top/
http://hefahei6.top/
http://pipevai4.top/
http://nalirou7.top/
Extracted
tofsee
quadoil.ru
lakeflex.ru
Extracted
raccoon
1.8.2
fbe5e97e7d069407605ee9138022aa82166657e6
-
url4cnc
http://telemirror.top/stevuitreen
http://tgmirror.top/stevuitreen
http://telegatt.top/stevuitreen
http://telegka.top/stevuitreen
http://telegin.top/stevuitreen
https://t.me/stevuitreen
Signatures
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
Nirsoft 3 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Deletes itself 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5.exe"C:\Users\Admin\AppData\Local\Temp\b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5.exe"C:\Users\Admin\AppData\Local\Temp\b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\4821.exeC:\Users\Admin\AppData\Local\Temp\4821.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4821.exeC:\Users\Admin\AppData\Local\Temp\4821.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\537C.exeC:\Users\Admin\AppData\Local\Temp\537C.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wydozddr\2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\yinahcbq.exe" C:\Windows\SysWOW64\wydozddr\2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create wydozddr binPath= "C:\Windows\SysWOW64\wydozddr\yinahcbq.exe /d\"C:\Users\Admin\AppData\Local\Temp\537C.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description wydozddr "wifi internet conection"2⤵
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start wydozddr2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
C:\Users\Admin\AppData\Local\Temp\585F.exeC:\Users\Admin\AppData\Local\Temp\585F.exe1⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exe" /SpecialRun 4101d8 5203⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\585F.exe" -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\585F.exe"C:\Users\Admin\AppData\Local\Temp\585F.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 22482⤵
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\5FF1.exeC:\Users\Admin\AppData\Local\Temp\5FF1.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wydozddr\yinahcbq.exeC:\Windows\SysWOW64\wydozddr\yinahcbq.exe /d"C:\Users\Admin\AppData\Local\Temp\537C.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\4821.exeMD5
e55480871748ce9135975f7e9b89eaf5
SHA1a3b5dd90fa3f97d39424fde5680b43569c824df8
SHA256b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5
SHA5129f66715282c41cf0555b531332c9997f6a1295ccfdbe6b72620bedab3652c2f0269ac8bc366da5401fc35addb02cb36bc1be25deea5c18c50b43ba8037444255
-
C:\Users\Admin\AppData\Local\Temp\4821.exeMD5
e55480871748ce9135975f7e9b89eaf5
SHA1a3b5dd90fa3f97d39424fde5680b43569c824df8
SHA256b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5
SHA5129f66715282c41cf0555b531332c9997f6a1295ccfdbe6b72620bedab3652c2f0269ac8bc366da5401fc35addb02cb36bc1be25deea5c18c50b43ba8037444255
-
C:\Users\Admin\AppData\Local\Temp\4821.exeMD5
e55480871748ce9135975f7e9b89eaf5
SHA1a3b5dd90fa3f97d39424fde5680b43569c824df8
SHA256b91e19b349426d0bd81de1299ac9e639e8d1d675adc52c2619325bfb4a2836e5
SHA5129f66715282c41cf0555b531332c9997f6a1295ccfdbe6b72620bedab3652c2f0269ac8bc366da5401fc35addb02cb36bc1be25deea5c18c50b43ba8037444255
-
C:\Users\Admin\AppData\Local\Temp\537C.exeMD5
e67d8910ece6112354ba89ecab14c77d
SHA138bb3e56f6113abdca8eef13a14d751e43a313cb
SHA256851f78fbd7eb6d3b6a6117bb45a5e5549cd0949a51271cf1fb951d6c155a340a
SHA5129957e9a7d86dfd17bcf77c5108b162ba9743ffe228595f7f623c90f9c8ff903df85115a6c9216c2b578d26fa930fc0682dd49a114e1368eb9d464c3a1a51700d
-
C:\Users\Admin\AppData\Local\Temp\537C.exeMD5
e67d8910ece6112354ba89ecab14c77d
SHA138bb3e56f6113abdca8eef13a14d751e43a313cb
SHA256851f78fbd7eb6d3b6a6117bb45a5e5549cd0949a51271cf1fb951d6c155a340a
SHA5129957e9a7d86dfd17bcf77c5108b162ba9743ffe228595f7f623c90f9c8ff903df85115a6c9216c2b578d26fa930fc0682dd49a114e1368eb9d464c3a1a51700d
-
C:\Users\Admin\AppData\Local\Temp\585F.exeMD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13
SHA1545718169d24dd7f1a188e6ceb5097246837b5a0
SHA25683e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c
SHA51260ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed
-
C:\Users\Admin\AppData\Local\Temp\585F.exeMD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13
SHA1545718169d24dd7f1a188e6ceb5097246837b5a0
SHA25683e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c
SHA51260ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed
-
C:\Users\Admin\AppData\Local\Temp\585F.exeMD5
c7e76d26f5a8e5bf57ebe9de6cc6bc13
SHA1545718169d24dd7f1a188e6ceb5097246837b5a0
SHA25683e479b43300d0d042158032a321a8e9853af0436aa691ee9b8dd8b02fe4f13c
SHA51260ec1655ec50b5426111cec13c438c59afcc998c7bc18c56b83c158a705a05d8b66f746b99fa8c3db6786af7d4624a1529f32f4c5c04917dab680bff06d42bed
-
C:\Users\Admin\AppData\Local\Temp\5FF1.exeMD5
4ddce1574ea6e7b9d9d70f9c6f23a1c9
SHA189a9b86f4ffb646bf9856584292a42c5db14da26
SHA256cb3be2979c500241fb4fae88ac0773a56745aa2807ba5c2970370b09d32231f3
SHA5127a5beeac769961e393349ab2330f467edbacebf7b713883539eaf76792cdb978724d763ad1c3d54b4f79da32276ab466f2f844790020ecaf546e0fffaeb1f64d
-
C:\Users\Admin\AppData\Local\Temp\5FF1.exeMD5
4ddce1574ea6e7b9d9d70f9c6f23a1c9
SHA189a9b86f4ffb646bf9856584292a42c5db14da26
SHA256cb3be2979c500241fb4fae88ac0773a56745aa2807ba5c2970370b09d32231f3
SHA5127a5beeac769961e393349ab2330f467edbacebf7b713883539eaf76792cdb978724d763ad1c3d54b4f79da32276ab466f2f844790020ecaf546e0fffaeb1f64d
-
C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\5a40ba16-65c8-4960-9a86-80edc401f343\AdvancedRun.exeMD5
17fc12902f4769af3a9271eb4e2dacce
SHA19a4a1581cc3971579574f837e110f3bd6d529dab
SHA25629ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
-
C:\Users\Admin\AppData\Local\Temp\yinahcbq.exeMD5
2f78691447961c59d3d3e89ce1ab8e7d
SHA159e991db56baf5fb87f97627052e8a20cb5075ae
SHA256d08eeb19e32105c3f63f150cbb671b9155af4eb4b9bd9267b79ab510e6db6304
SHA512cc55b82525b245def6d8cdfe00c50f8306aa194d7e18c2bd85523e7b0c7c6813ed7187e30d71bf103da23bff06cb8fa31b13a56dc5bbfb8a6bfa794c96903928
-
C:\Windows\SysWOW64\wydozddr\yinahcbq.exeMD5
2f78691447961c59d3d3e89ce1ab8e7d
SHA159e991db56baf5fb87f97627052e8a20cb5075ae
SHA256d08eeb19e32105c3f63f150cbb671b9155af4eb4b9bd9267b79ab510e6db6304
SHA512cc55b82525b245def6d8cdfe00c50f8306aa194d7e18c2bd85523e7b0c7c6813ed7187e30d71bf103da23bff06cb8fa31b13a56dc5bbfb8a6bfa794c96903928
-
memory/520-141-0x0000000000000000-mapping.dmp
-
memory/856-144-0x0000000000000000-mapping.dmp
-
memory/1200-146-0x0000000000000000-mapping.dmp
-
memory/1200-155-0x00000000033B0000-0x000000000343E000-memory.dmpFilesize
568KB
-
memory/1200-164-0x0000000000400000-0x00000000016FF000-memory.dmpFilesize
19.0MB
-
memory/1200-149-0x0000000001926000-0x0000000001975000-memory.dmpFilesize
316KB
-
memory/1432-150-0x0000000000000000-mapping.dmp
-
memory/1668-151-0x0000000000000000-mapping.dmp
-
memory/1824-189-0x0000000000793000-0x00000000007A1000-memory.dmpFilesize
56KB
-
memory/1824-289-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/2204-156-0x0000000000000000-mapping.dmp
-
memory/2472-290-0x0000000000EA0000-0x0000000000EB5000-memory.dmpFilesize
84KB
-
memory/2472-279-0x0000000000EA9A6B-mapping.dmp
-
memory/2736-157-0x0000000000000000-mapping.dmp
-
memory/3028-119-0x0000000000860000-0x0000000000876000-memory.dmpFilesize
88KB
-
memory/3028-167-0x00000000028C0000-0x00000000028D6000-memory.dmpFilesize
88KB
-
memory/3152-129-0x0000000000402E86-mapping.dmp
-
memory/3720-138-0x0000000004470000-0x000000000450E000-memory.dmpFilesize
632KB
-
memory/3720-135-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/3720-140-0x00000000078C0000-0x00000000078C1000-memory.dmpFilesize
4KB
-
memory/3720-139-0x0000000007DC0000-0x0000000007DC1000-memory.dmpFilesize
4KB
-
memory/3720-137-0x0000000004A10000-0x0000000004A11000-memory.dmpFilesize
4KB
-
memory/3720-132-0x0000000000000000-mapping.dmp
-
memory/4076-116-0x0000000000620000-0x0000000000629000-memory.dmpFilesize
36KB
-
memory/4076-115-0x0000000000759000-0x0000000000762000-memory.dmpFilesize
36KB
-
memory/4132-168-0x00000000042E0000-0x00000000042E1000-memory.dmpFilesize
4KB
-
memory/4132-210-0x000000007EC70000-0x000000007EC71000-memory.dmpFilesize
4KB
-
memory/4132-161-0x00000000042F0000-0x00000000042F1000-memory.dmpFilesize
4KB
-
memory/4132-187-0x0000000007D90000-0x0000000007D91000-memory.dmpFilesize
4KB
-
memory/4132-212-0x00000000042E3000-0x00000000042E4000-memory.dmpFilesize
4KB
-
memory/4132-159-0x0000000004120000-0x0000000004121000-memory.dmpFilesize
4KB
-
memory/4132-158-0x0000000000000000-mapping.dmp
-
memory/4132-184-0x00000000075C0000-0x00000000075C1000-memory.dmpFilesize
4KB
-
memory/4132-169-0x00000000042E2000-0x00000000042E3000-memory.dmpFilesize
4KB
-
memory/4132-211-0x00000000090D0000-0x00000000090D1000-memory.dmpFilesize
4KB
-
memory/4132-163-0x0000000006DD0000-0x0000000006DD1000-memory.dmpFilesize
4KB
-
memory/4132-160-0x0000000004120000-0x0000000004121000-memory.dmpFilesize
4KB
-
memory/4132-209-0x0000000008F00000-0x0000000008F01000-memory.dmpFilesize
4KB
-
memory/4132-204-0x0000000008B70000-0x0000000008B71000-memory.dmpFilesize
4KB
-
memory/4132-197-0x0000000008DD0000-0x0000000008E03000-memory.dmpFilesize
204KB
-
memory/4132-176-0x00000000074E0000-0x00000000074E1000-memory.dmpFilesize
4KB
-
memory/4132-177-0x0000000007400000-0x0000000007401000-memory.dmpFilesize
4KB
-
memory/4132-190-0x0000000004120000-0x0000000004121000-memory.dmpFilesize
4KB
-
memory/4132-179-0x0000000007510000-0x0000000007511000-memory.dmpFilesize
4KB
-
memory/4132-181-0x00000000076F0000-0x00000000076F1000-memory.dmpFilesize
4KB
-
memory/4180-117-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/4180-118-0x0000000000402E86-mapping.dmp
-
memory/4340-124-0x0000000000000000-mapping.dmp
-
memory/4340-153-0x0000000000610000-0x0000000000623000-memory.dmpFilesize
76KB
-
memory/4340-154-0x0000000000400000-0x00000000004B7000-memory.dmpFilesize
732KB
-
memory/4448-120-0x0000000000000000-mapping.dmp
-
memory/4448-131-0x00000000004C0000-0x000000000056E000-memory.dmpFilesize
696KB
-
memory/4580-175-0x0000000005150000-0x0000000005151000-memory.dmpFilesize
4KB
-
memory/4580-178-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/4580-174-0x00000000058B0000-0x00000000058B1000-memory.dmpFilesize
4KB
-
memory/4580-172-0x0000000002A90000-0x0000000002A91000-memory.dmpFilesize
4KB
-
memory/4580-180-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/4580-165-0x0000000000438F0E-mapping.dmp
-
memory/4580-162-0x0000000000400000-0x000000000043E000-memory.dmpFilesize
248KB
-
memory/4580-182-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/4580-186-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/4600-183-0x0000000000000000-mapping.dmp
-
memory/4720-173-0x0000000000000000-mapping.dmp