raccoon | 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a

Analysis

max time kernel
151s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-10-2021 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Size

335KB
MD5

1d747430b83501fef39cae62935452cb
SHA1

3f39d8c08b5d559eacdaea84ae67bea27a5692bb
SHA256

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a
SHA512

56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2

Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 backdoor discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2364	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2364	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/648-141-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/648-142-0x0000000000418D06-mapping.dmp	family_redline
behavioral1/memory/648-152-0x0000000005470000-0x0000000005A76000-memory.dmp	family_redline
behavioral1/memory/1376-153-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1376-154-0x0000000000418D2A-mapping.dmp	family_redline
behavioral1/memory/1376-164-0x0000000004C60000-0x0000000005266000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 588 created 5020 588 WerFault.exe D4C4.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

398A.exe398A.exe53CA.exe5F16.exe53CA.exe5F16.exeD4C4.exe952.exeSppExtComObj.exe

pid process

3164 398A.exe
3784 398A.exe
4052 53CA.exe
808 5F16.exe
648 53CA.exe
1376 5F16.exe
5020 D4C4.exe
1252 952.exe
4144 SppExtComObj.exe

description	pid	process	target process
PID 588 created 5020	588	WerFault.exe	D4C4.exe

pid	process
3164	398A.exe
3784	398A.exe
4052	53CA.exe
808	5F16.exe
648	53CA.exe
1376	5F16.exe
5020	D4C4.exe
1252	952.exe
4144	SppExtComObj.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

952.exeSppExtComObj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	952.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	952.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SppExtComObj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SppExtComObj.exe

Deletes itself 1 IoCs

Processes:

pid process

3020

pid	process
3020

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

952.exeSppExtComObj.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	952.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	SppExtComObj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

952.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\url\\fontdrvhost.exe\""	952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Windows\\System32\\syncutil\\taskhostw.exe\""	952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\WpcWebFilter\\SppExtComObj.exe\""	952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\tpmcompc\\dllhost.exe\""	952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Microsoft Office\\Office16\\dwm.exe\""	952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	952.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

88 ipinfo.io
89 ipinfo.io

flow	ioc
88	ipinfo.io
89	ipinfo.io

Drops file in System32 directory 9 IoCs

Processes:

952.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe	952.exe
File created	C:\Windows\SysWOW64\tpmcompc\dllhost.exe	952.exe
File created	C:\Windows\SysWOW64\tpmcompc\5940a34987c99120d96dace90a3f93f329dcad63	952.exe
File created	C:\Windows\SysWOW64\syncutil\taskhostw.exe	952.exe
File created	C:\Windows\SysWOW64\syncutil\ea9f0e6c9e2dcd4dfacdaf29ba21541fb815a988	952.exe
File opened for modification	C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe	952.exe
File created	C:\Windows\SysWOW64\WpcWebFilter\e1ef82546f0b02b7e974f28047f3788b1128cce1	952.exe
File created	C:\Windows\SysWOW64\url\fontdrvhost.exe	952.exe
File created	C:\Windows\SysWOW64\url\5b884080fd4f94e2695da25c503f9e33b9605b83	952.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

952.exeSppExtComObj.exe

pid process

1252 952.exe
4144 SppExtComObj.exe

pid	process
1252	952.exe
4144	SppExtComObj.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe398A.exe53CA.exe5F16.exe

description	pid	process	target process
PID 4264 set thread context of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 3164 set thread context of 3784	3164	398A.exe	398A.exe
PID 4052 set thread context of 648	4052	53CA.exe	53CA.exe
PID 808 set thread context of 1376	808	5F16.exe	5F16.exe

Drops file in Program Files directory 2 IoCs

Processes:

952.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\Office16\dwm.exe	952.exe
File created	C:\Program Files\Microsoft Office\Office16\6cb0b6c459d5d3455a3da700e713f2e2529862ff	952.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 5020 WerFault.exe D4C4.exe

pid	pid_target	process	target process
588	5020	WerFault.exe	D4C4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe398A.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	398A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	398A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	398A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4432 schtasks.exe
4420 schtasks.exe
4128 schtasks.exe
3568 schtasks.exe
4764 schtasks.exe
4748 schtasks.exe
Modifies registry class 1 IoCs

Processes:

952.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings 952.exe

pid	process
4432	schtasks.exe
4420	schtasks.exe
4128	schtasks.exe
3568	schtasks.exe
4764	schtasks.exe
4748	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings	952.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe

pid	process
4312	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
4312	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe398A.exe

pid process

4312 4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
3784 398A.exe

pid	process
3020

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

53CA.exe5F16.exe952.exeSppExtComObj.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	648	53CA.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	1376	5F16.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	1252	952.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeDebugPrivilege	4144	SppExtComObj.exe
Token: SeRestorePrivilege	588	WerFault.exe
Token: SeBackupPrivilege	588	WerFault.exe
Token: SeDebugPrivilege	588	WerFault.exe
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe398A.exe53CA.exe5F16.exe952.execmd.exew32tm.exe

description	pid	process	target process
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 4264 wrote to memory of 4312	4264	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe	4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
PID 3020 wrote to memory of 3164	3020		398A.exe
PID 3020 wrote to memory of 3164	3020		398A.exe
PID 3020 wrote to memory of 3164	3020		398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3164 wrote to memory of 3784	3164	398A.exe	398A.exe
PID 3020 wrote to memory of 4052	3020		53CA.exe
PID 3020 wrote to memory of 4052	3020		53CA.exe
PID 3020 wrote to memory of 4052	3020		53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 3020 wrote to memory of 808	3020		5F16.exe
PID 3020 wrote to memory of 808	3020		5F16.exe
PID 3020 wrote to memory of 808	3020		5F16.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 4052 wrote to memory of 648	4052	53CA.exe	53CA.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 808 wrote to memory of 1376	808	5F16.exe	5F16.exe
PID 3020 wrote to memory of 5020	3020		D4C4.exe
PID 3020 wrote to memory of 5020	3020		D4C4.exe
PID 3020 wrote to memory of 5020	3020		D4C4.exe
PID 3020 wrote to memory of 1252	3020		952.exe
PID 3020 wrote to memory of 1252	3020		952.exe
PID 3020 wrote to memory of 1252	3020		952.exe
PID 1252 wrote to memory of 3420	1252	952.exe	cmd.exe
PID 1252 wrote to memory of 3420	1252	952.exe	cmd.exe
PID 1252 wrote to memory of 3420	1252	952.exe	cmd.exe
PID 3420 wrote to memory of 712	3420	cmd.exe	w32tm.exe
PID 3420 wrote to memory of 712	3420	cmd.exe	w32tm.exe
PID 3420 wrote to memory of 712	3420	cmd.exe	w32tm.exe
PID 712 wrote to memory of 680	712	w32tm.exe	w32tm.exe
PID 712 wrote to memory of 680	712	w32tm.exe	w32tm.exe
PID 3420 wrote to memory of 4144	3420	cmd.exe	SppExtComObj.exe
PID 3420 wrote to memory of 4144	3420	cmd.exe	SppExtComObj.exe
PID 3420 wrote to memory of 4144	3420	cmd.exe	SppExtComObj.exe

C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
"C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4264

C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe
"C:\Users\Admin\AppData\Local\Temp\4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4312

C:\Users\Admin\AppData\Local\Temp\398A.exe
C:\Users\Admin\AppData\Local\Temp\398A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\398A.exe
C:\Users\Admin\AppData\Local\Temp\398A.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3784

C:\Users\Admin\AppData\Local\Temp\53CA.exe
C:\Users\Admin\AppData\Local\Temp\53CA.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\53CA.exe
C:\Users\Admin\AppData\Local\Temp\53CA.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\AppData\Local\Temp\5F16.exe
C:\Users\Admin\AppData\Local\Temp\5F16.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\5F16.exe
C:\Users\Admin\AppData\Local\Temp\5F16.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\D4C4.exe
C:\Users\Admin\AppData\Local\Temp\D4C4.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1004
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Users\Admin\AppData\Local\Temp\952.exe
C:\Users\Admin\AppData\Local\Temp\952.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YRTqs5jhyK.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\System32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:680

C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe
"C:\Windows\System32\WpcWebFilter\SppExtComObj.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\WpcWebFilter\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\tpmcompc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\url\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\System32\syncutil\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\53CA.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5F16.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\398A.exe
MD5
1d747430b83501fef39cae62935452cb

SHA1
3f39d8c08b5d559eacdaea84ae67bea27a5692bb

SHA256
4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a

SHA512
56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\398A.exe
MD5
1d747430b83501fef39cae62935452cb

SHA1
3f39d8c08b5d559eacdaea84ae67bea27a5692bb

SHA256
4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a

SHA512
56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\398A.exe
MD5
1d747430b83501fef39cae62935452cb

SHA1
3f39d8c08b5d559eacdaea84ae67bea27a5692bb

SHA256
4829a0a68b1c227d50c5bb8409d5de44693ae804711ce9c1df0e0de06e3fdc7a

SHA512
56b75a6596c3e140d8923a014479ab8631852b6c8164f1d86857a40a9d424babf3a584bd2a6573aba6a0ae5e102fbd4d371938263a152d56c83c69841be81ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CA.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CA.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\53CA.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F16.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F16.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F16.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\952.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\952.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4C4.exe
MD5
cb9947c3461d8a13746903c458975e27

SHA1
cdfecd39df19a73f5dc23d832b0e28faedae4b9e

SHA256
2ba75d4c5906496be518091435f2f0826c906a6555bb455a1d7dae5d00a9c8d0

SHA512
41bb7024321ebba5400d77586344458a8fd048ac474b27c24d15bbdbf764da068afd83fded55504626d5890880161435ee458364b4b75e8aa8a9b3dc8f596e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\D4C4.exe
MD5
cb9947c3461d8a13746903c458975e27

SHA1
cdfecd39df19a73f5dc23d832b0e28faedae4b9e

SHA256
2ba75d4c5906496be518091435f2f0826c906a6555bb455a1d7dae5d00a9c8d0

SHA512
41bb7024321ebba5400d77586344458a8fd048ac474b27c24d15bbdbf764da068afd83fded55504626d5890880161435ee458364b4b75e8aa8a9b3dc8f596e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\YRTqs5jhyK.bat
MD5
dd335c64bc831465f1fa2baadf7bd4a2

SHA1
9065e9d0b8355ddfc849086f9ca9b94d8bf68833

SHA256
51766dcca2fda7351913ff886d0363349b7c5234b9107dd62a59fb7b0e0025aa

SHA512
a62b94ac747fe2fa31a40d7cfcc60695347103620e83072a2bd77069b269d67cc73d0f21fda52165ec7a9aea39fecc521a7508c3bb176bd5e9e4177b595de8eb

Download Submit
C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Windows\SysWOW64\WpcWebFilter\SppExtComObj.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
memory/648-169-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/648-152-0x0000000005470000-0x0000000005A76000-memory.dmp

Filesize
6.0MB

Download
memory/648-171-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/648-141-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/648-142-0x0000000000418D06-mapping.dmp

Download
memory/648-166-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/648-146-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/648-170-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/648-148-0x0000000001660000-0x0000000001661000-memory.dmp

Filesize
4KB

Download
memory/648-149-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/648-150-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/648-151-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/680-199-0x0000000000000000-mapping.dmp

Download
memory/712-198-0x0000000000000000-mapping.dmp

Download
memory/808-147-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/808-139-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/808-136-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/808-138-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/808-133-0x0000000000000000-mapping.dmp

Download
memory/808-140-0x00000000052D0000-0x0000000005346000-memory.dmp

Filesize
472KB

Download
memory/1252-195-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/1252-193-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/1252-186-0x0000000000000000-mapping.dmp

Download
memory/1252-189-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1252-192-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1376-164-0x0000000004C60000-0x0000000005266000-memory.dmp

Filesize
6.0MB

Download
memory/1376-153-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1376-154-0x0000000000418D2A-mapping.dmp

Download
memory/3020-119-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/3020-127-0x00000000020A0000-0x00000000020B6000-memory.dmp

Filesize
88KB

Download
memory/3164-120-0x0000000000000000-mapping.dmp

Download
memory/3420-196-0x0000000000000000-mapping.dmp

Download
memory/3784-125-0x0000000000402E0C-mapping.dmp

Download
memory/4052-128-0x0000000000000000-mapping.dmp

Download
memory/4052-131-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4144-200-0x0000000000000000-mapping.dmp

Download
memory/4144-208-0x0000000004ED0000-0x0000000004ED6000-memory.dmp

Filesize
24KB

Download
memory/4144-203-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4144-204-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/4144-209-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4264-116-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4312-118-0x0000000000402E0C-mapping.dmp

Download
memory/4312-117-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5020-184-0x0000000001150000-0x000000000129A000-memory.dmp

Filesize
1.3MB

Download
memory/5020-185-0x0000000000400000-0x0000000001063000-memory.dmp

Filesize
12.4MB

Download
memory/5020-180-0x0000000000000000-mapping.dmp

Download