raccoon | f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

Analysis

max time kernel
151s
max time network
149s
platform
windows10_x64
resource
win10-en-20211104
submitted
14-11-2021 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
Size

219KB
MD5

30650fad211d77137907c9455003f0ba
SHA1

a538a981dc4208bf7c1169d0db757bd2e3915079
SHA256

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119
SHA512

1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Score

10^/10

raccoon redline smokeloader 675718a5f2ce6d3cacf6cb04a512f5637eae995f ddf183af4241e3172885cf1b2c4c1fb4ee03d05a superstar backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

redline

Botnet

SuperStar

185.215.113.29:36224

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes

url4cnc
http://91.219.236.27/capibar
http://5.181.156.92/capibar
http://91.219.236.207/capibar
http://185.225.19.18/capibar
http://91.219.237.227/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

675718a5f2ce6d3cacf6cb04a512f5637eae995f

Attributes

url4cnc
http://91.219.236.27/agrybirdsgamerept
http://5.181.156.92/agrybirdsgamerept
http://91.219.236.207/agrybirdsgamerept
http://185.225.19.18/agrybirdsgamerept
http://91.219.237.227/agrybirdsgamerept
http://185.163.47.176/agrybirdsgamerept

rc4.plain

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-157-0x00000000020E0000-0x00000000020FC000-memory.dmp	family_redline
behavioral1/memory/1616-159-0x0000000002390000-0x00000000023AB000-memory.dmp	family_redline
behavioral1/memory/1612-172-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1612-173-0x0000000000418EEA-mapping.dmp	family_redline
behavioral1/memory/1612-183-0x0000000005430000-0x0000000005A36000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 872 created 3948 872 WerFault.exe 9D2.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

description	pid	process	target process
PID 872 created 3948	872	WerFault.exe	9D2.exe

Executes dropped EXE 17 IoCs

Processes:

F8D8.exeF8D8.exeFD8C.exe9D2.exeFD8C.exeFD8C.exeFD8C.exe2F3D.exeFD8C.exe2F3D.exeFD8C.exe445C.exe65DF.exe7263.exeaetvigsaetvigs637B.exe

pid	process
4428	F8D8.exe
4488	F8D8.exe
3216	FD8C.exe
3948	9D2.exe
3952	FD8C.exe
420	FD8C.exe
1332	FD8C.exe
1524	2F3D.exe
1372	FD8C.exe
1616	2F3D.exe
1612	FD8C.exe
2636	445C.exe
4904	65DF.exe
4964	7263.exe
2816	aetvigs
2548	aetvigs
932	637B.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7263.exe637B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7263.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7263.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	637B.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	637B.exe

Deletes itself 1 IoCs

Processes:

pid process

2060
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2060

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7263.exe	themida
behavioral1/memory/4964-209-0x0000000000B80000-0x0000000000B81000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\637B.exe	themida
behavioral1/memory/932-236-0x0000000000B10000-0x0000000000B11000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7263.exe637B.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7263.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	637B.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

7263.exe637B.exe

pid process

4964 7263.exe
932 637B.exe

pid	process
4964	7263.exe
932	637B.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exeF8D8.exe2F3D.exeFD8C.exeaetvigs

description	pid	process	target process
PID 3656 set thread context of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 4428 set thread context of 4488	4428	F8D8.exe	F8D8.exe
PID 1524 set thread context of 1616	1524	2F3D.exe	2F3D.exe
PID 3216 set thread context of 1612	3216	FD8C.exe	FD8C.exe
PID 2816 set thread context of 2548	2816	aetvigs	aetvigs

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

872 3948 WerFault.exe 9D2.exe

pid	pid_target	process	target process
872	3948	WerFault.exe	9D2.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

F8D8.exef9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exeaetvigs

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8D8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8D8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F8D8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aetvigs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aetvigs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aetvigs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe

pid	process
3940	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
3940	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2060
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exeF8D8.exeaetvigs

pid process

3940 f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
4488 F8D8.exe
2548 aetvigs

pid	process
2060

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

WerFault.exeFD8C.exe7263.exe637B.exe

description	pid	process
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeRestorePrivilege	872	WerFault.exe
Token: SeBackupPrivilege	872	WerFault.exe
Token: SeDebugPrivilege	872	WerFault.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	1612	FD8C.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	4964	7263.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	932	637B.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exeF8D8.exeFD8C.exe2F3D.exeaetvigs

description	pid	process	target process
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 3656 wrote to memory of 3940	3656	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe	f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
PID 2060 wrote to memory of 4428	2060		F8D8.exe
PID 2060 wrote to memory of 4428	2060		F8D8.exe
PID 2060 wrote to memory of 4428	2060		F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 4428 wrote to memory of 4488	4428	F8D8.exe	F8D8.exe
PID 2060 wrote to memory of 3216	2060		FD8C.exe
PID 2060 wrote to memory of 3216	2060		FD8C.exe
PID 2060 wrote to memory of 3216	2060		FD8C.exe
PID 3216 wrote to memory of 3952	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 3952	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 3952	3216	FD8C.exe	FD8C.exe
PID 2060 wrote to memory of 3948	2060		9D2.exe
PID 2060 wrote to memory of 3948	2060		9D2.exe
PID 2060 wrote to memory of 3948	2060		9D2.exe
PID 3216 wrote to memory of 420	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 420	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 420	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1332	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1332	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1332	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1372	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1372	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1372	3216	FD8C.exe	FD8C.exe
PID 2060 wrote to memory of 1524	2060		2F3D.exe
PID 2060 wrote to memory of 1524	2060		2F3D.exe
PID 2060 wrote to memory of 1524	2060		2F3D.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 1524 wrote to memory of 1616	1524	2F3D.exe	2F3D.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 3216 wrote to memory of 1612	3216	FD8C.exe	FD8C.exe
PID 2060 wrote to memory of 2636	2060		445C.exe
PID 2060 wrote to memory of 2636	2060		445C.exe
PID 2060 wrote to memory of 2636	2060		445C.exe
PID 2060 wrote to memory of 4904	2060		65DF.exe
PID 2060 wrote to memory of 4904	2060		65DF.exe
PID 2060 wrote to memory of 4904	2060		65DF.exe
PID 2060 wrote to memory of 4964	2060		7263.exe
PID 2060 wrote to memory of 4964	2060		7263.exe
PID 2060 wrote to memory of 4964	2060		7263.exe
PID 2816 wrote to memory of 2548	2816	aetvigs	aetvigs
PID 2816 wrote to memory of 2548	2816	aetvigs	aetvigs

C:\Users\Admin\AppData\Local\Temp\f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
"C:\Users\Admin\AppData\Local\Temp\f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3656

C:\Users\Admin\AppData\Local\Temp\f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe
"C:\Users\Admin\AppData\Local\Temp\f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3940

C:\Users\Admin\AppData\Local\Temp\F8D8.exe
C:\Users\Admin\AppData\Local\Temp\F8D8.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4428

C:\Users\Admin\AppData\Local\Temp\F8D8.exe
C:\Users\Admin\AppData\Local\Temp\F8D8.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4488

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3216

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
2⤵
- Executes dropped EXE
PID:420

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
2⤵
- Executes dropped EXE
PID:1332

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
2⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Local\Temp\FD8C.exe
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Users\Admin\AppData\Local\Temp\9D2.exe
C:\Users\Admin\AppData\Local\Temp\9D2.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 480
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Users\Admin\AppData\Local\Temp\2F3D.exe
C:\Users\Admin\AppData\Local\Temp\2F3D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\2F3D.exe
C:\Users\Admin\AppData\Local\Temp\2F3D.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Users\Admin\AppData\Local\Temp\445C.exe
C:\Users\Admin\AppData\Local\Temp\445C.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\AppData\Local\Temp\65DF.exe
C:\Users\Admin\AppData\Local\Temp\65DF.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\AppData\Local\Temp\7263.exe
C:\Users\Admin\AppData\Local\Temp\7263.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Users\Admin\AppData\Roaming\aetvigs
C:\Users\Admin\AppData\Roaming\aetvigs
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Roaming\aetvigs
C:\Users\Admin\AppData\Roaming\aetvigs
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2548

C:\Users\Admin\AppData\Local\Temp\637B.exe
C:\Users\Admin\AppData\Local\Temp\637B.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FD8C.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F3D.exe
MD5
2a1066c51c89ccd48e83e3cbf5e7b915

SHA1
9462700f8565f4caf8cd615ad2269167627102f7

SHA256
9b89a2799561feef80c6940f819894d238bf1140b603451602f7ba999d9118e1

SHA512
f9768a59d20cb5d6aaf86b8f859a5e3eac958010e8b6699d7c92e4e2f350236a29aab552b5babc819ddc4127f96232342a3c14a7e12ac7d5cf9da45e0a537cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F3D.exe
MD5
2a1066c51c89ccd48e83e3cbf5e7b915

SHA1
9462700f8565f4caf8cd615ad2269167627102f7

SHA256
9b89a2799561feef80c6940f819894d238bf1140b603451602f7ba999d9118e1

SHA512
f9768a59d20cb5d6aaf86b8f859a5e3eac958010e8b6699d7c92e4e2f350236a29aab552b5babc819ddc4127f96232342a3c14a7e12ac7d5cf9da45e0a537cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2F3D.exe
MD5
2a1066c51c89ccd48e83e3cbf5e7b915

SHA1
9462700f8565f4caf8cd615ad2269167627102f7

SHA256
9b89a2799561feef80c6940f819894d238bf1140b603451602f7ba999d9118e1

SHA512
f9768a59d20cb5d6aaf86b8f859a5e3eac958010e8b6699d7c92e4e2f350236a29aab552b5babc819ddc4127f96232342a3c14a7e12ac7d5cf9da45e0a537cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\445C.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\445C.exe
MD5
0f9d1f2e3aaad601bb95a039b0aedcfb

SHA1
141e7b7b2a4a31b2a7e599b2d2064239fcc66707

SHA256
db4ec306ea32c01cb486566c699b9b88013beb26c2830319785bf5a4ee4735b5

SHA512
b68708a0aa425a3f90df3c1639aeb2358f34fa5bfb3691d3010cd528cdce99692269b13cda9f05172d8608fc08b7b7ca5449d495290a5e9e81221edfe9d052e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\637B.exe
MD5
37a34d4e4c8658425c1d5a97b66501b4

SHA1
a96b2248f464bb5caaab47b5e0b1a031a648b471

SHA256
f9b23456d437aa62affe41f13a2b7c8a4470a9ef8befda98a27cba781cd6d0a9

SHA512
2b5c096bcbdf8352e6c85da77ac1681d00ca599d9d2f581a6dec118d4edba4f65b149317f20f5f88897a0d6de0afb553f70e83225b5458078c24c1f30f93a595

Download Submit
C:\Users\Admin\AppData\Local\Temp\65DF.exe
MD5
b76d8e5f36cb06dcf1d496959a19b6dd

SHA1
180cc85c3b1297456709e26d824cc9c7f6413e80

SHA256
9038fbaa63cd52bdce21f517cd94c6c29aad7fa6fc0d81ee32de6becffd2f272

SHA512
da03100e0c3996ab59bf57806d31be244b29f47eb824d033eead3c7cba0e975aacdc4eec250b2986913a6b3338837323a173c362ac3f214b8897c2306819cdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\65DF.exe
MD5
b76d8e5f36cb06dcf1d496959a19b6dd

SHA1
180cc85c3b1297456709e26d824cc9c7f6413e80

SHA256
9038fbaa63cd52bdce21f517cd94c6c29aad7fa6fc0d81ee32de6becffd2f272

SHA512
da03100e0c3996ab59bf57806d31be244b29f47eb824d033eead3c7cba0e975aacdc4eec250b2986913a6b3338837323a173c362ac3f214b8897c2306819cdf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7263.exe
MD5
2855945a6869f6118a4a0bf2c88fd40b

SHA1
2c26bb2eaa1f4ebc7a9dd8b00cd22388d8abde1a

SHA256
ee2105a3395dc3eb3c83f9c810ab2bb3c33eb9f688fa9702208c1ab1aa9d7f7e

SHA512
ecfc6f528a0b4a1995a59fc6423befdf707516f969c0afe312421f40a3aef94d5cccaf9e5621601edee8f072b46723e02467c89f073d4a1871847ac15e4bd46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D2.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9D2.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8D8.exe
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8D8.exe
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8D8.exe
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD8C.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Roaming\aetvigs
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
C:\Users\Admin\AppData\Roaming\aetvigs
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
C:\Users\Admin\AppData\Roaming\aetvigs
MD5
30650fad211d77137907c9455003f0ba

SHA1
a538a981dc4208bf7c1169d0db757bd2e3915079

SHA256
f9a1d3e6aa2f20e47a21aa12c50c68a632c73b254abdc724a16a6f030ec8d119

SHA512
1f14bf191a41fd06e9853ca5f32853e07681a609056394b30b7566c45055e115b8e7a844b434be02ee873f7abb8008d12772555ef6cd98772d83a0d6c7d462d4

Download Submit
memory/932-244-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/932-243-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/932-236-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/932-231-0x0000000000000000-mapping.dmp

Download
memory/1524-150-0x0000000000000000-mapping.dmp

Download
memory/1524-166-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/1524-165-0x0000000000460000-0x00000000005AA000-memory.dmp

Filesize
1.3MB

Download
memory/1612-191-0x00000000064C0000-0x00000000064C1000-memory.dmp

Filesize
4KB

Download
memory/1612-199-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/1612-183-0x0000000005430000-0x0000000005A36000-memory.dmp

Filesize
6.0MB

Download
memory/1612-198-0x0000000006FC0000-0x0000000006FC1000-memory.dmp

Filesize
4KB

Download
memory/1612-173-0x0000000000418EEA-mapping.dmp

Download
memory/1612-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1612-188-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/1616-168-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1616-170-0x00000000023C3000-0x00000000023C4000-memory.dmp

Filesize
4KB

Download
memory/1616-162-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/1616-163-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1616-164-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1616-160-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1616-159-0x0000000002390000-0x00000000023AB000-memory.dmp

Filesize
108KB

Download
memory/1616-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-169-0x00000000023C2000-0x00000000023C3000-memory.dmp

Filesize
4KB

Download
memory/1616-161-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/1616-157-0x00000000020E0000-0x00000000020FC000-memory.dmp

Filesize
112KB

Download
memory/1616-171-0x00000000023C4000-0x00000000023C6000-memory.dmp

Filesize
8KB

Download
memory/1616-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-155-0x000000000040CD2F-mapping.dmp

Download
memory/2060-122-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/2060-147-0x0000000002440000-0x0000000002456000-memory.dmp

Filesize
88KB

Download
memory/2060-230-0x0000000004C30000-0x0000000004C46000-memory.dmp

Filesize
88KB

Download
memory/2548-228-0x0000000000402DD8-mapping.dmp

Download
memory/2636-192-0x0000000002CE6000-0x0000000002D36000-memory.dmp

Filesize
320KB

Download
memory/2636-184-0x0000000000000000-mapping.dmp

Download
memory/2636-193-0x00000000047B0000-0x000000000483F000-memory.dmp

Filesize
572KB

Download
memory/2636-194-0x0000000000400000-0x0000000002B85000-memory.dmp

Filesize
39.5MB

Download
memory/3216-137-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/3216-136-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3216-134-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3216-129-0x0000000000000000-mapping.dmp

Download
memory/3216-139-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/3216-138-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3656-120-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/3656-121-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3940-118-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3940-119-0x0000000000402DD8-mapping.dmp

Download
memory/3948-140-0x0000000000000000-mapping.dmp

Download
memory/3948-145-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/3948-143-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/3948-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4428-132-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/4428-133-0x0000000000440000-0x00000000004EE000-memory.dmp

Filesize
696KB

Download
memory/4428-123-0x0000000000000000-mapping.dmp

Download
memory/4488-127-0x0000000000402DD8-mapping.dmp

Download
memory/4904-195-0x0000000000000000-mapping.dmp

Download
memory/4904-202-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/4904-201-0x00000000021B0000-0x000000000223F000-memory.dmp

Filesize
572KB

Download
memory/4904-200-0x0000000001FC0000-0x000000000200F000-memory.dmp

Filesize
316KB

Download
memory/4964-222-0x0000000007DC0000-0x0000000007DC1000-memory.dmp

Filesize
4KB

Download
memory/4964-216-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/4964-209-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4964-205-0x0000000077D10000-0x0000000077E9E000-memory.dmp

Filesize
1.6MB

Download
memory/4964-203-0x0000000000000000-mapping.dmp

Download