raccoon | acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

Analysis

max time kernel
150s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-10-2021 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
Size

335KB
MD5

732a0aa82bb3aa9cb89ccdc9f9eb465c
SHA1

931b61b89a8fda231d9b0ab7486ae83056fe928c
SHA256

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0
SHA512

e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Score

10^/10

raccoon redline smokeloader 7ebf9b416b72a203df65383eec899dc689d2c3d7 backdoor discovery evasion infostealer persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://xacokuo8.top/

http://hajezey1.top/

rc4.i32

Extracted

Family

raccoon

Botnet

7ebf9b416b72a203df65383eec899dc689d2c3d7

Attributes

url4cnc
http://telegatt.top/agrybirdsgamerept

http://telegka.top/agrybirdsgamerept

http://telegin.top/agrybirdsgamerept

https://t.me/agrybirdsgamerept

rc4.plain

Signatures

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1744	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1744	schtasks.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1264-140-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1264-141-0x0000000000418D06-mapping.dmp	family_redline
behavioral1/memory/1264-153-0x0000000005170000-0x0000000005776000-memory.dmp	family_redline
behavioral1/memory/1480-154-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1480-155-0x0000000000418D2A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1112 created 2292 1112 WerFault.exe D10B.exe
suricata: ET MALWARE DCRAT Activity (GET)
suricata: ET MALWARE DCRAT Activity (GET)
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 11 IoCs

Processes:

3610.exe3610.exe504F.exe5B9B.exe504F.exe5B9B.exeD10B.exe79C.exeRuntimeBroker.exevurbewsvurbews

pid process

1016 3610.exe
3928 3610.exe
1720 504F.exe
396 5B9B.exe
1264 504F.exe
1480 5B9B.exe
2292 D10B.exe
780 79C.exe
2880 RuntimeBroker.exe
908 vurbews
996 vurbews

description	pid	process	target process
PID 1112 created 2292	1112	WerFault.exe	D10B.exe

pid	process
1016	3610.exe
3928	3610.exe
1720	504F.exe
396	5B9B.exe
1264	504F.exe
1480	5B9B.exe
2292	D10B.exe
780	79C.exe
2880	RuntimeBroker.exe
908	vurbews
996	vurbews

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

79C.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79C.exe

Deletes itself 1 IoCs

Processes:

pid process

3068

pid	process
3068

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

79C.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	79C.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Wine	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

79C.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	79C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RestartManagerUninstall\\RuntimeBroker.exe\""	79C.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\evr\\RuntimeBroker.exe\""	79C.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

79C.exe

description	ioc	process
File created	C:\Windows\SysWOW64\RestartManagerUninstall\RuntimeBroker.exe	79C.exe
File opened for modification	C:\Windows\SysWOW64\RestartManagerUninstall\RuntimeBroker.exe	79C.exe
File created	C:\Windows\SysWOW64\RestartManagerUninstall\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	79C.exe
File created	C:\Windows\SysWOW64\evr\RuntimeBroker.exe	79C.exe
File created	C:\Windows\SysWOW64\evr\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d	79C.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

79C.exeRuntimeBroker.exe

pid process

780 79C.exe
2880 RuntimeBroker.exe

pid	process
780	79C.exe
2880	RuntimeBroker.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe3610.exe504F.exe5B9B.exevurbews

description	pid	process	target process
PID 1976 set thread context of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1016 set thread context of 3928	1016	3610.exe	3610.exe
PID 1720 set thread context of 1264	1720	504F.exe	504F.exe
PID 396 set thread context of 1480	396	5B9B.exe	5B9B.exe
PID 908 set thread context of 996	908	vurbews	vurbews

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1232 1480 WerFault.exe 5B9B.exe
1112 2292 WerFault.exe D10B.exe

pid	pid_target	process	target process
1232	1480	WerFault.exe	5B9B.exe
1112	2292	WerFault.exe	D10B.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe3610.exevurbews

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3610.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vurbews
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vurbews
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3610.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3610.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	vurbews

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1296 schtasks.exe
3636 schtasks.exe
3152 schtasks.exe

pid	process
1296	schtasks.exe
3636	schtasks.exe
3152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe

pid	process
4072	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
4072	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe3610.exevurbews

pid process

4072 acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
3928 3610.exe
996 vurbews

pid	process
3068

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

WerFault.exe504F.exe79C.exeRuntimeBroker.exeWerFault.exe

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeRestorePrivilege	1232	WerFault.exe
Token: SeBackupPrivilege	1232	WerFault.exe
Token: SeDebugPrivilege	1232	WerFault.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	1264	504F.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	780	79C.exe
Token: SeDebugPrivilege	2880	RuntimeBroker.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeDebugPrivilege	1112	WerFault.exe
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe3610.exe504F.exe5B9B.exe79C.exevurbews

description	pid	process	target process
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 1976 wrote to memory of 4072	1976	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe	acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
PID 3068 wrote to memory of 1016	3068		3610.exe
PID 3068 wrote to memory of 1016	3068		3610.exe
PID 3068 wrote to memory of 1016	3068		3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 1016 wrote to memory of 3928	1016	3610.exe	3610.exe
PID 3068 wrote to memory of 1720	3068		504F.exe
PID 3068 wrote to memory of 1720	3068		504F.exe
PID 3068 wrote to memory of 1720	3068		504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 3068 wrote to memory of 396	3068		5B9B.exe
PID 3068 wrote to memory of 396	3068		5B9B.exe
PID 3068 wrote to memory of 396	3068		5B9B.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 1720 wrote to memory of 1264	1720	504F.exe	504F.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 396 wrote to memory of 1480	396	5B9B.exe	5B9B.exe
PID 3068 wrote to memory of 2292	3068		D10B.exe
PID 3068 wrote to memory of 2292	3068		D10B.exe
PID 3068 wrote to memory of 2292	3068		D10B.exe
PID 3068 wrote to memory of 780	3068		79C.exe
PID 3068 wrote to memory of 780	3068		79C.exe
PID 3068 wrote to memory of 780	3068		79C.exe
PID 780 wrote to memory of 2880	780	79C.exe	RuntimeBroker.exe
PID 780 wrote to memory of 2880	780	79C.exe	RuntimeBroker.exe
PID 780 wrote to memory of 2880	780	79C.exe	RuntimeBroker.exe
PID 908 wrote to memory of 996	908	vurbews	vurbews
PID 908 wrote to memory of 996	908	vurbews	vurbews
PID 908 wrote to memory of 996	908	vurbews	vurbews
PID 908 wrote to memory of 996	908	vurbews	vurbews
PID 908 wrote to memory of 996	908	vurbews	vurbews
PID 908 wrote to memory of 996	908	vurbews	vurbews

C:\Users\Admin\AppData\Local\Temp\acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
"C:\Users\Admin\AppData\Local\Temp\acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe
"C:\Users\Admin\AppData\Local\Temp\acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4072

C:\Users\Admin\AppData\Local\Temp\3610.exe
C:\Users\Admin\AppData\Local\Temp\3610.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\3610.exe
C:\Users\Admin\AppData\Local\Temp\3610.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3928

C:\Users\Admin\AppData\Local\Temp\504F.exe
C:\Users\Admin\AppData\Local\Temp\504F.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\504F.exe
C:\Users\Admin\AppData\Local\Temp\504F.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Users\Admin\AppData\Local\Temp\5B9B.exe
C:\Users\Admin\AppData\Local\Temp\5B9B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:396

C:\Users\Admin\AppData\Local\Temp\5B9B.exe
C:\Users\Admin\AppData\Local\Temp\5B9B.exe
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 160
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Users\Admin\AppData\Local\Temp\D10B.exe
C:\Users\Admin\AppData\Local\Temp\D10B.exe
1⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 976
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\79C.exe
C:\Users\Admin\AppData\Local\Temp\79C.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\RestartManagerUninstall\RuntimeBroker.exe
"C:\Windows\System32\RestartManagerUninstall\RuntimeBroker.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\RestartManagerUninstall\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\evr\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Users\Admin\AppData\Roaming\vurbews
C:\Users\Admin\AppData\Roaming\vurbews
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\vurbews
C:\Users\Admin\AppData\Roaming\vurbews
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\504F.exe.log
MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3610.exe
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3610.exe
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3610.exe
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\504F.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\504F.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\504F.exe
MD5
a9cf6b07b6ee36d4986bd67429634417

SHA1
5343ed7b750d6f4b4710380bbd14301936db982e

SHA256
56ea2e765364d6f517e434e8238c96fb0fffef20c8714cf55d41ab98163e66e5

SHA512
4e6a3cbfb3b80abc8f5e23c7142097a180154eec2fa0737378930bba26a14f7601bb8d2d748b2a188cc674656fdfff90d0d5843e23e8c3db8541f5a061fd8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B9B.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B9B.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B9B.exe
MD5
0cafd553a0f55d525a5ec0ec6c2c06bd

SHA1
621e411916749c72cdc4d97f46b843bb758659c1

SHA256
3acca9f2af679c0cba972e71c88871397132c5f389a5beffa7710204b0c81987

SHA512
b56e4a59cc314ba533cb0c2d763482de28320f7f2c8eb73d9209745f61b4e22b041756d5c20775a0afab67f86eb68c1267b76b5da1baffbadc75b6ffeda3fdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\79C.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\79C.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\D10B.exe
MD5
cb9947c3461d8a13746903c458975e27

SHA1
cdfecd39df19a73f5dc23d832b0e28faedae4b9e

SHA256
2ba75d4c5906496be518091435f2f0826c906a6555bb455a1d7dae5d00a9c8d0

SHA512
41bb7024321ebba5400d77586344458a8fd048ac474b27c24d15bbdbf764da068afd83fded55504626d5890880161435ee458364b4b75e8aa8a9b3dc8f596e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\D10B.exe
MD5
cb9947c3461d8a13746903c458975e27

SHA1
cdfecd39df19a73f5dc23d832b0e28faedae4b9e

SHA256
2ba75d4c5906496be518091435f2f0826c906a6555bb455a1d7dae5d00a9c8d0

SHA512
41bb7024321ebba5400d77586344458a8fd048ac474b27c24d15bbdbf764da068afd83fded55504626d5890880161435ee458364b4b75e8aa8a9b3dc8f596e44

Download Submit
C:\Users\Admin\AppData\Roaming\vurbews
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Users\Admin\AppData\Roaming\vurbews
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Users\Admin\AppData\Roaming\vurbews
MD5
732a0aa82bb3aa9cb89ccdc9f9eb465c

SHA1
931b61b89a8fda231d9b0ab7486ae83056fe928c

SHA256
acab0f0b6cb2e1b8dee2ec96369a502257ac8f0010f5a879ee4fcb326b3a34b0

SHA512
e5ef0b27c98befa6b2722aed5a05f5cd14e39dd58bb025489e64608aa15a44de4e9d66c639d6a6f700c2e93fee0c079b450dadcfaf81ae01857c4c9eee37c7cc

Download Submit
C:\Windows\SysWOW64\RestartManagerUninstall\RuntimeBroker.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
C:\Windows\SysWOW64\RestartManagerUninstall\RuntimeBroker.exe
MD5
2a3ceb6380456ef63f154316b31b7d35

SHA1
a5eec282a26158b3f09df04680c49432d6769af1

SHA256
7b9dfb3dfcb68ac6107b69145944aa2ec9ba5f4bb9108368831a01926c167618

SHA512
da63e93a420cb0088cc0c4badf6b9ab17d5b217b6bbbe44077213fbeb24675bcfadf8261ea527c7b55dff6b3cf947de0de84a9338d751f70f84005e3054af9d4

Download Submit
memory/396-133-0x0000000000000000-mapping.dmp

Download
memory/396-139-0x0000000003030000-0x0000000003031000-memory.dmp

Filesize
4KB

Download
memory/396-138-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/396-136-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/396-148-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/396-146-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/780-173-0x0000000077A30000-0x0000000077BBE000-memory.dmp

Filesize
1.6MB

Download
memory/780-170-0x0000000000000000-mapping.dmp

Download
memory/780-177-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/780-179-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/780-174-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/908-194-0x00000000012D1000-0x00000000012E2000-memory.dmp

Filesize
68KB

Download
memory/996-196-0x0000000000402E0C-mapping.dmp

Download
memory/1016-123-0x0000000001191000-0x00000000011A2000-memory.dmp

Filesize
68KB

Download
memory/1016-120-0x0000000000000000-mapping.dmp

Download
memory/1264-152-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/1264-147-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/1264-157-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1264-160-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/1264-162-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/1264-163-0x0000000007360000-0x0000000007361000-memory.dmp

Filesize
4KB

Download
memory/1264-140-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1264-153-0x0000000005170000-0x0000000005776000-memory.dmp

Filesize
6.0MB

Download
memory/1264-151-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/1264-150-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/1264-149-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/1264-141-0x0000000000418D06-mapping.dmp

Download
memory/1480-155-0x0000000000418D2A-mapping.dmp

Download
memory/1480-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1720-131-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1720-128-0x0000000000000000-mapping.dmp

Download
memory/1976-118-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2292-164-0x0000000000000000-mapping.dmp

Download
memory/2292-169-0x0000000000400000-0x0000000001063000-memory.dmp

Filesize
12.4MB

Download
memory/2292-168-0x0000000001150000-0x000000000129A000-memory.dmp

Filesize
1.3MB

Download
memory/2880-183-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/2880-187-0x00000000031F0000-0x00000000031F6000-memory.dmp

Filesize
24KB

Download
memory/2880-188-0x0000000077A30000-0x0000000077BBE000-memory.dmp

Filesize
1.6MB

Download
memory/2880-189-0x0000000005F01000-0x0000000005F02000-memory.dmp

Filesize
4KB

Download
memory/2880-180-0x0000000000000000-mapping.dmp

Download
memory/3068-119-0x0000000000CF0000-0x0000000000D06000-memory.dmp

Filesize
88KB

Download
memory/3068-127-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/3068-198-0x0000000002E90000-0x0000000002EA6000-memory.dmp

Filesize
88KB

Download
memory/3928-125-0x0000000000402E0C-mapping.dmp

Download
memory/4072-117-0x0000000000402E0C-mapping.dmp

Download
memory/4072-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download