Analysis
-
max time kernel
157s -
max time network
172s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
22-10-2021 18:44
General
-
Target
af8af919173d2af2b99ec479cb6f887b.exe
-
Size
344KB
-
MD5
af8af919173d2af2b99ec479cb6f887b
-
SHA1
8961fbdbbf88256438aea61106f91786ac99a3e7
-
SHA256
ee469f144571531a0b2961a624141b76c6ed18ec2f6d72badb86bd46ad430b44
-
SHA512
c78c2741818ca268183cc150d429f5eac5158732a14738381ecdff41240942c9e3f518d606967481130e178b1662c420b6fdbd028344518f148a5ab80f432bba
Malware Config
Extracted
smokeloader
2020
http://gejajoo7.top/
http://sysaheu9.top/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
Extracted
icedid
1875681804
enticationmetho.ink
Extracted
raccoon
6655b26b014f56ed3e8df973c407aa18e865e396
-
url4cnc
http://telegka.top/kaba4ello
http://telegin.top/kaba4ello
https://t.me/kaba4ello
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\af8af919173d2af2b99ec479cb6f887b.exe"C:\Users\Admin\AppData\Local\Temp\af8af919173d2af2b99ec479cb6f887b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\af8af919173d2af2b99ec479cb6f887b.exe"C:\Users\Admin\AppData\Local\Temp\af8af919173d2af2b99ec479cb6f887b.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F4E6.exeC:\Users\Admin\AppData\Local\Temp\F4E6.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\F71A.exeC:\Users\Admin\AppData\Local\Temp\F71A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\F99B.exeC:\Users\Admin\AppData\Local\Temp\F99B.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FCB9.exeC:\Users\Admin\AppData\Local\Temp\FCB9.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 9362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3EE.exeC:\Users\Admin\AppData\Local\Temp\3EE.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3EE.exeMD5
9527bc2fb20d6c1a43cb4c53bd1253d7
SHA1b67f4071faec387113096ab28e04724c6db79ae9
SHA2566098630ddf7f5011ede5992ded355949baa00f2c763ea58285bc4552adb7a2f7
SHA51251e8019c741fc7d88a2da20e60e407895ea1b2efa2c2c623812288057fc8288f2a4379bda1c8a09aff5b88191953a6c27356ef790e09d3228f6280b2d8c95596
-
C:\Users\Admin\AppData\Local\Temp\3EE.exeMD5
9527bc2fb20d6c1a43cb4c53bd1253d7
SHA1b67f4071faec387113096ab28e04724c6db79ae9
SHA2566098630ddf7f5011ede5992ded355949baa00f2c763ea58285bc4552adb7a2f7
SHA51251e8019c741fc7d88a2da20e60e407895ea1b2efa2c2c623812288057fc8288f2a4379bda1c8a09aff5b88191953a6c27356ef790e09d3228f6280b2d8c95596
-
C:\Users\Admin\AppData\Local\Temp\F4E6.exeMD5
d0c332dd942a7b680063c4eca607f2c4
SHA1d57b7c95c258c968e7e2f5cd39bf52928cd587fd
SHA256756f3dc3ceb0db783e3f1cabd10ee6a3af4688147adde714cdea6f226e5f0024
SHA51270abbdaedfbc7ff4fb06ccd619ad812cb2731e7448d5055a414a609d048fc95067594e2ee74f35284d671b8d618d1914232e20d5cc7d862726a3138c4ec61019
-
C:\Users\Admin\AppData\Local\Temp\F71A.exeMD5
560a826cd29ca6598851fd4943de2523
SHA1e2b9140aeac3c24808b513b17ff68a20581a6aef
SHA2569821a789596a5923634011cbb4df4dc37d2993e81beaa3b8ffc38279ea3b6c14
SHA512e6385f9ceb41ac023d3505b810b97579e45a9ea8f8033b7491b26601dad7d33740e82c0df5ef353f330f676529ec6efe9f7be63215d480d4c43a1ef8a7a2b7e1
-
C:\Users\Admin\AppData\Local\Temp\F71A.exeMD5
560a826cd29ca6598851fd4943de2523
SHA1e2b9140aeac3c24808b513b17ff68a20581a6aef
SHA2569821a789596a5923634011cbb4df4dc37d2993e81beaa3b8ffc38279ea3b6c14
SHA512e6385f9ceb41ac023d3505b810b97579e45a9ea8f8033b7491b26601dad7d33740e82c0df5ef353f330f676529ec6efe9f7be63215d480d4c43a1ef8a7a2b7e1
-
C:\Users\Admin\AppData\Local\Temp\F99B.exeMD5
81fc38de5b6197c4db58eb506037e7cb
SHA1c2258ab3204e6061d548df202c99aa361242d848
SHA2562b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b
SHA5124c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a
-
C:\Users\Admin\AppData\Local\Temp\F99B.exeMD5
81fc38de5b6197c4db58eb506037e7cb
SHA1c2258ab3204e6061d548df202c99aa361242d848
SHA2562b9cba43290c9d4cc2d6a47432ddac5752c63e5ac519c2056ba466580424ed3b
SHA5124c96e9104e55454e741a13be34a7c5a3afb8d0d17c1924d629acbd487975d88d4435fd46b34649defe2d047ff4c84e06c4a0d0176085c7b5ab4d80eed18b0d9a
-
C:\Users\Admin\AppData\Local\Temp\FCB9.exeMD5
aa4e082db04b5f44f47f552223e80cac
SHA1c13cea9a5844ae0efba489c557a1d28e9db33bc7
SHA2562e60c985939f7ced8d26ccc57e8c43bec2c7f639027e31f7d9a61c726ea7fe09
SHA51284dea40f9414d9cc4e2ff24fc7fcc2aab942c9636524529198996244e09cc71a85d40939cda997201ded6e1f396a0d7be4369ca402ac88030ae8869008d09f83
-
C:\Users\Admin\AppData\Local\Temp\FCB9.exeMD5
aa4e082db04b5f44f47f552223e80cac
SHA1c13cea9a5844ae0efba489c557a1d28e9db33bc7
SHA2562e60c985939f7ced8d26ccc57e8c43bec2c7f639027e31f7d9a61c726ea7fe09
SHA51284dea40f9414d9cc4e2ff24fc7fcc2aab942c9636524529198996244e09cc71a85d40939cda997201ded6e1f396a0d7be4369ca402ac88030ae8869008d09f83
-
\Users\Admin\AppData\Local\Temp\1105.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
memory/532-116-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/532-117-0x0000000000402EE8-mapping.dmp
-
memory/612-127-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB
-
memory/612-129-0x0000000000400000-0x0000000000882000-memory.dmpFilesize
4.5MB
-
memory/612-125-0x0000000000A05000-0x0000000000A15000-memory.dmpFilesize
64KB
-
memory/612-122-0x0000000000000000-mapping.dmp
-
memory/876-149-0x0000000000400000-0x00000000008C3000-memory.dmpFilesize
4.8MB
-
memory/876-142-0x0000000000000000-mapping.dmp
-
memory/876-147-0x0000000000DA0000-0x0000000000E2E000-memory.dmpFilesize
568KB
-
memory/876-146-0x0000000000BB5000-0x0000000000C04000-memory.dmpFilesize
316KB
-
memory/1452-148-0x0000000140000000-0x0000000140009000-memory.dmpFilesize
36KB
-
memory/1452-132-0x0000000000000000-mapping.dmp
-
memory/1764-150-0x0000000000000000-mapping.dmp
-
memory/2872-153-0x0000000003350000-0x0000000003366000-memory.dmpFilesize
88KB
-
memory/2872-119-0x0000000001210000-0x0000000001226000-memory.dmpFilesize
88KB
-
memory/3684-138-0x0000000005870000-0x0000000005871000-memory.dmpFilesize
4KB
-
memory/3684-141-0x0000000005980000-0x0000000005981000-memory.dmpFilesize
4KB
-
memory/3684-126-0x0000000077E60000-0x0000000077FEE000-memory.dmpFilesize
1.6MB
-
memory/3684-137-0x0000000005FA0000-0x0000000005FA1000-memory.dmpFilesize
4KB
-
memory/3684-135-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/3684-120-0x0000000000000000-mapping.dmp
-
memory/3684-145-0x0000000005910000-0x0000000005911000-memory.dmpFilesize
4KB
-
memory/3684-139-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/3684-160-0x0000000007A80000-0x0000000007A81000-memory.dmpFilesize
4KB
-
memory/3684-140-0x00000000058D0000-0x00000000058D1000-memory.dmpFilesize
4KB
-
memory/3684-154-0x0000000006AB0000-0x0000000006AB1000-memory.dmpFilesize
4KB
-
memory/3684-155-0x0000000005C50000-0x0000000005C51000-memory.dmpFilesize
4KB
-
memory/3684-156-0x0000000005D70000-0x0000000005D71000-memory.dmpFilesize
4KB
-
memory/3684-157-0x0000000005F10000-0x0000000005F11000-memory.dmpFilesize
4KB
-
memory/3684-158-0x0000000006880000-0x0000000006881000-memory.dmpFilesize
4KB
-
memory/3684-159-0x0000000007380000-0x0000000007381000-memory.dmpFilesize
4KB
-
memory/3712-118-0x0000000000030000-0x0000000000039000-memory.dmpFilesize
36KB