Analysis
max time kernel: 159s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211104
submitted: 04-11-2021 23:26
Static task: static1
Behavioral task behavioral1: sample 49c3b146f9734caa1f3ffb3b273238f3.exe on resource win7-en-20211104
Behavioral task behavioral2: sample 49c3b146f9734caa1f3ffb3b273238f3.exe on resource win10-en-20211104
General
Target: 49c3b146f9734caa1f3ffb3b273238f3.exe
Size: 16KB
MD5: 49c3b146f9734caa1f3ffb3b273238f3
SHA1: c2c3955cd049f3cfcaf1f926e660712850beccc3
SHA256: 9fcd74ab400531e530fc20dd5cb71635dd8f8aac2deea7d749284d976ea0a629
SHA512: bf33e890ba8fe22aa9a1cfa8757867f0d4010522c82dccbb47e16d376ec66566093056757895edf15d98d9f4f9c2a0f1ffcae4eebd9b6bdb8ed5b43eb0ddd001
Malware Config
Extracted: raccoon
a8df9e1d3d24b04502963590a8ed392d88ab1b96
url4cnc (all seven URLs point at the same Telegram channel path, opticillusionlusy; the six .top hosts are mirrors of t.me, and the stealer fetches one of them to recover its real C2 address):
http://telegin.top/opticillusionlusy
http://ttmirror.top/opticillusionlusy
http://teletele.top/opticillusionlusy
http://telegalive.top/opticillusionlusy
http://toptelete.top/opticillusionlusy
http://telegraf.top/opticillusionlusy
https://t.me/opticillusionlusy
Signatures
-
BitRAT Payload (4 IoCs)
resource / yara_rule:
behavioral1/memory/928-86-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
behavioral1/memory/928-87-0x000000000068A488-mapping.dmp  family_bitrat
behavioral1/memory/1996-91-0x0000000000BE0000-0x0000000000FA5000-memory.dmp  family_bitrat
behavioral1/memory/928-92-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
-
Downloads MZ/PE file
-
Executes dropped EXE (3 IoCs)
pid / process:
956   fontdrvhost.exe
1996  RuntimeBroker.exe
928   RuntimeBroker.exe
-
Loads dropped DLL (4 IoCs)
pid / process:
320   49c3b146f9734caa1f3ffb3b273238f3.exe  (4 events)
-
Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
Set value (str)  \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe"  RuntimeBroker.exe
The Run value points at C:\Users\Admin\AppData\Local\Win32\WindowsUpdate.exe, a path that does not appear in the Downloads list below; the persistence copy was not observed being written during this run, so a host check should look for that file as well as the two Roaming binaries.
-
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
pid / process:
928   RuntimeBroker.exe  (5 events)
NtSetInformationThread with the ThreadHideFromDebugger class stops the calling thread from delivering debug events to an attached debugger; it is a standard anti-debugging step, here performed by the hollowed process that carries the BitRAT payload.
-
Suspicious use of SetThreadContext (1 IoC)
description / pid / process / target process:
PID 1996 set thread context of 928   1996 RuntimeBroker.exe -> 928 RuntimeBroker.exe
Read together with the twelve WriteProcessMemory events from 1996 into 928 listed below, this is a process-hollowing sequence: RuntimeBroker.exe (1996) launches a second copy of itself, writes a new image into it and redirects its thread with SetThreadContext. The BitRAT YARA hits at 0x400000-0x7CE000 in PID 928 are that unpacked payload.
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The "likely ransomware behaviour" wording the sandbox attaches to this signature is generic; nothing else in this report indicates encryption activity, and the families identified on this page are BitRAT (memory YARA) and Raccoon (extracted config).
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / process:
1396  powershell.exe
1552  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / process:
Token: SeDebugPrivilege     320   49c3b146f9734caa1f3ffb3b273238f3.exe
Token: SeDebugPrivilege     1552  powershell.exe
Token: SeDebugPrivilege     1396  powershell.exe
Token: SeDebugPrivilege     928   RuntimeBroker.exe
Token: SeShutdownPrivilege  928   RuntimeBroker.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / process:
928   RuntimeBroker.exe  (2 events)
-
Suspicious use of WriteProcessMemory (36 IoCs)
description / pid / process / target process (identical rows collapsed, repeat count in parentheses):
PID 320 wrote to memory of 1496    49c3b146f9734caa1f3ffb3b273238f3.exe -> cmd.exe  (x4)
PID 320 wrote to memory of 816     49c3b146f9734caa1f3ffb3b273238f3.exe -> cmd.exe  (x4)
PID 1496 wrote to memory of 1552   cmd.exe -> powershell.exe  (x4)
PID 816 wrote to memory of 1396    cmd.exe -> powershell.exe  (x4)
PID 320 wrote to memory of 956     49c3b146f9734caa1f3ffb3b273238f3.exe -> fontdrvhost.exe  (x4)
PID 320 wrote to memory of 1996    49c3b146f9734caa1f3ffb3b273238f3.exe -> RuntimeBroker.exe  (x4)
PID 1996 wrote to memory of 928    RuntimeBroker.exe -> RuntimeBroker.exe  (x12)
The four-writes-per-child pattern recurs for every process creation in this run and is the ordinary parent-to-child setup; the twelve writes from 1996 into 928, paired with the SetThreadContext call above, are the outlier that marks the hollowing.
Processes
-
C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe  (depth 1, PID 320)
  command line: "C:\Users\Admin\AppData\Local\Temp\49c3b146f9734caa1f3ffb3b273238f3.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /c ""C:\Users\Admin\hosts.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe  (depth 2)
    command line: cmd /c ""C:\Users\Admin\hosts.bat" "
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 3)
      command line: powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\fontdrvhost.exe  (depth 2, PID 956)
    command line: "C:\Users\Admin\AppData\Roaming\fontdrvhost.exe"
    - Executes dropped EXE
  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe  (depth 2, PID 1996)
    command line: "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe  (depth 3, PID 928)
      command line: "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
The tree itself carries no PIDs; the ones shown are taken from the signature rows. The two cmd.exe/powershell.exe pairs are PIDs 1496/1552 and 816/1396, but which pair is listed first is not indicated. Both cmd.exe instances run the same dropped hosts.bat, and each PowerShell command line reads the file named by an environment variable called 0 and passes its text to iex. hosts.bat itself is not shown on this page; the likely intent (an assumption, not something the report states) is that the batch file sets that variable to its own path so PowerShell executes script text embedded in the .bat, a common batch/PowerShell polyglot loader.
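The signature rows and the process tree above describe one chain: the 16KB downloader spawns two cmd.exe/powershell.exe pairs through hosts.bat, starts the dropped fontdrvhost.exe and RuntimeBroker.exe, and RuntimeBroker.exe then hollows a copy of itself. The Python script below is an added example, not part of the sandbox report, that rebuilds the process tree from the rows as printed on this page and flags the two behaviours a detection engineer would key on: same-image WriteProcessMemory plus SetThreadContext (hollowing) and a cmd.exe -> powershell.exe chain whose command line feeds file contents to iex. The row texts are copied from above with repeats collapsed; the pairing of PIDs 1496/1552 and 816/1396 with the two cmd.exe nodes is taken from the WriteProcessMemory rows, and the dropped-file list is the Downloads section as printed.

```python
"""Rebuild the process tree from this report's signature rows and flag the
injection and LOLBin chains. Added example; the input rows are copied from
the report above (repeat counts collapsed), not data exported by the sandbox."""
import re
from collections import defaultdict

# Rows from "Suspicious use of WriteProcessMemory", one per distinct pair.
WRITE_ROWS = """
PID 320 wrote to memory of 1496 320 49c3b146f9734caa1f3ffb3b273238f3.exe cmd.exe
PID 320 wrote to memory of 816 320 49c3b146f9734caa1f3ffb3b273238f3.exe cmd.exe
PID 1496 wrote to memory of 1552 1496 cmd.exe powershell.exe
PID 816 wrote to memory of 1396 816 cmd.exe powershell.exe
PID 320 wrote to memory of 956 320 49c3b146f9734caa1f3ffb3b273238f3.exe fontdrvhost.exe
PID 320 wrote to memory of 1996 320 49c3b146f9734caa1f3ffb3b273238f3.exe RuntimeBroker.exe
PID 1996 wrote to memory of 928 1996 RuntimeBroker.exe RuntimeBroker.exe
"""
# Row from "Suspicious use of SetThreadContext".
CONTEXT_ROWS = "PID 1996 set thread context of 928 1996 RuntimeBroker.exe RuntimeBroker.exe"

# Command lines from the process tree. The page does not say which cmd.exe
# node has which PID; the 1496/1552 and 816/1396 pairing comes from the rows.
COMMAND_LINES = {
    1496: 'cmd /c ""C:\\Users\\Admin\\hosts.bat" "',
    816: 'cmd /c ""C:\\Users\\Admin\\hosts.bat" "',
    1552: "powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))",
    1396: "powershell -nop -win 1 -c iex ([io.file]::ReadAllText($env:0))",
}
# Run-key value exactly as the sandbox printed it (backslashes doubled) and
# the file paths from the Downloads section.
RUN_VALUE = r'"C:\\Users\\Admin\\AppData\\Local\\Win32\\WindowsUpdate.exe"'
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe",
    r"C:\Users\Admin\AppData\Roaming\fontdrvhost.exe",
    r"C:\Users\Admin\hosts.bat",
]

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?:wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"\d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for each signature row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_tree(write_events):
    """Every parent here writes into the children it creates, so the write rows
    double as a parent->children map plus a pid->image lookup."""
    children, image = defaultdict(list), {}
    for src, dst, src_img, dst_img in write_events:
        if dst not in children[src]:
            children[src].append(dst)
        image[src], image[dst] = src_img, dst_img
    return dict(children), image


def find_hollowing(write_events, context_events):
    """A parent that writes into a child running the same image and then calls
    SetThreadContext on it is the process-hollowing sequence."""
    same_image_writes = {(s, d) for s, d, si, di in write_events if si.lower() == di.lower()}
    context_sets = {(s, d) for s, d, _, _ in context_events}
    return sorted(same_image_writes & context_sets)


def find_lolbin_chains(children, image, cmdlines):
    """Return every ancestor->cmd.exe->powershell.exe chain whose PowerShell
    command line reads script text from a file and hands it to iex."""
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if (len(path) >= 3 and image[path[-2]].lower() == "cmd.exe"
                and image[pid].lower() == "powershell.exe"):
            cl = cmdlines.get(pid, "").lower()
            if "iex" in cl and "readalltext" in cl:
                chains.append(path[-3:])
        for child in children.get(pid, []):
            walk(child, path)

    roots = set(children) - {c for kids in children.values() for c in kids}
    for root in sorted(roots):
        walk(root, [])
    return chains


def persistence_target_observed(run_value, dropped_paths):
    """True if the Run-key target was among the files written during the run."""
    target = run_value.strip('"').replace("\\\\", "\\").lower()
    return any(p.lower() == target for p in dropped_paths)


if __name__ == "__main__":
    writes, ctx = parse_rows(WRITE_ROWS), parse_rows(CONTEXT_ROWS)
    children, image = build_tree(writes)
    print("hollowing (parent, child):", find_hollowing(writes, ctx))
    print("cmd -> powershell iex chains:", find_lolbin_chains(children, image, COMMAND_LINES))
    print("run-key target seen on disk:", persistence_target_observed(RUN_VALUE, DROPPED_FILES))
```

Run against the rows above it reports (1996, 928) as the hollowing pair, two cmd.exe -> powershell.exe chains rooted at PID 320, and that the Run-key target WindowsUpdate.exe was never observed on disk, which is the gap a host-side hunt should close.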
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms  (Windows jump-list file, an ordinary OS artifact rather than a payload)
MD5: da5d9fb816ba3d5ffb77be80223331bc
SHA1: 7e6aecaf322feedf459abf0a24b7f0ecb5de64af
SHA256: 5c9086eb3cfb5f68b1ff789c8ca28840af21b9b3a797c733a2cb1036c416e8f4
SHA512: c5a03a1e5c46717645ed9fbaa553e6454abd7c5e93e968c382a6a4cbb1e67856486eb110bc96b43b238459d1f742068313b7a27e6aadd76fc38950edad69480b
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
C:\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5: 4eb5d05f73f6edc4673409b03ee325cf
SHA1: f210931bedf25533129b87eee16573e618887d80
SHA256: 4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512: c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231
-
C:\Users\Admin\hosts.bat
MD5: 633dd29d37554e063e8700af0a882724
SHA1: 2994a70ff1769fdea7f06bbfe58d8d665caca6b8
SHA256: dfe6d785e2c1082e1249b081a172c31904d83ea125929e2dca0c41312e9bf2a8
SHA512: b25684dab562afd12015058cafc5549b265a7ad38be8d44f3659690b21f723240a1732895dbcf77856973e6e2153a7c0841693a7991b7938a498c602537aa334
-
\Users\Admin\AppData\Roaming\RuntimeBroker.exe
MD5: 0c547b07b9b62d970cde94b18a34b0f8
SHA1: fcb33a1367e12990028abf542ca57eeb4c4c5fb4
SHA256: bc1162ab3641fde0dd4b2208c2d8470035aa4f742c1b69ea53ea9cd6f5051171
SHA512: b02e6ab09655456c4d298cefd235e5df9ee51b9e72a56d1d5e5c6dffaff1f43810fa4e640e10d0050bc88f0e5738d07659ff4cef74103d0a7b94b367c7c923a1
-
\Users\Admin\AppData\Roaming\fontdrvhost.exe
MD5: 4eb5d05f73f6edc4673409b03ee325cf
SHA1: f210931bedf25533129b87eee16573e618887d80
SHA256: 4a0129093fc5f3fb58bfebae5d9ea7fe99e2871ead13f12612606e9e2aed261d
SHA512: c3370f853e23527bd22dae9ce6cf39d023d4a9c9b17b23a5cdb717e085f5c3b7160e0756674bf0519cd6717b81e68911e9896488b0c342007e114047b46fd231
-
memory/320-69-0x0000000004880000-0x0000000004881000-memory.dmp  Filesize: 4KB
memory/320-55-0x00000000003B0000-0x00000000003B1000-memory.dmp  Filesize: 4KB
memory/320-57-0x0000000075C51000-0x0000000075C53000-memory.dmp  Filesize: 8KB
memory/816-59-0x0000000000000000-mapping.dmp
memory/928-87-0x000000000068A488-mapping.dmp
memory/928-86-0x0000000000400000-0x00000000007CE000-memory.dmp  Filesize: 3.8MB
memory/928-92-0x0000000000400000-0x00000000007CE000-memory.dmp  Filesize: 3.8MB
memory/956-83-0x0000000000320000-0x00000000003AE000-memory.dmp  Filesize: 568KB
memory/956-82-0x00000000002D0000-0x000000000031E000-memory.dmp  Filesize: 312KB
memory/956-75-0x0000000000000000-mapping.dmp
memory/956-84-0x0000000000400000-0x0000000000491000-memory.dmp  Filesize: 580KB
memory/1396-67-0x00000000023E0000-0x000000000302A000-memory.dmp  Filesize: 12.3MB
memory/1396-72-0x00000000023E0000-0x000000000302A000-memory.dmp  Filesize: 12.3MB
memory/1396-62-0x0000000000000000-mapping.dmp
memory/1396-70-0x00000000023E0000-0x000000000302A000-memory.dmp  Filesize: 12.3MB
memory/1496-58-0x0000000000000000-mapping.dmp
memory/1552-66-0x00000000021C0000-0x00000000021C1000-memory.dmp  Filesize: 4KB
memory/1552-68-0x00000000021C1000-0x00000000021C2000-memory.dmp  Filesize: 4KB
memory/1552-61-0x0000000000000000-mapping.dmp
memory/1552-71-0x00000000021C2000-0x00000000021C4000-memory.dmp  Filesize: 8KB
memory/1996-79-0x0000000000000000-mapping.dmp
memory/1996-91-0x0000000000BE0000-0x0000000000FA5000-memory.dmp  Filesize: 3.8MB
memory/1996-90-0x00000000009F0000-0x0000000000BD4000-memory.dmp  Filesize: 1.9MB
The two 3.8MB dumps of PID 928 at 0x400000-0x7CE000 are the image region of the hollowed RuntimeBroker.exe that the BitRAT rule matched, and the 928-87 mapping address 0x68A488 lies inside that region. The equally sized, equally flagged region in PID 1996 (0xBE0000-0xFA5000) is consistent with the same payload being staged in the parent before it was written into 928; the 580KB image of fontdrvhost.exe (PID 956) carries no YARA hit on this page.