Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    20-11-2021 09:56

General

  • Target

    2a0ecd6047ac3e929413c9dc65fd9550.exe

  • Size

    278KB

  • MD5

    2a0ecd6047ac3e929413c9dc65fd9550

  • SHA1

    cab43b6a7d163a16b052bde9ad9392fa7fe1809e

  • SHA256

    77a56e7215c37931be8cb84232306667ec719336e2ae38fb75ed30bc39c303b9

  • SHA512

    03ea28406bc08b13d283bbe8510d52ef8ddf5d5773038805c77b24d52fd61d745cd21739fb9780559845a47b9746f8a19b4c1a19d6a470f93dfabcc85c681f96

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes
  • url4cnc

    http://91.219.236.27/capibar

    http://5.181.156.92/capibar

    http://91.219.236.207/capibar

    http://185.225.19.18/capibar

    http://91.219.237.227/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe
    "C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe
      "C:\Users\Admin\AppData\Local\Temp\2a0ecd6047ac3e929413c9dc65fd9550.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1280
  • C:\Users\Admin\AppData\Local\Temp\CE09.exe
    C:\Users\Admin\AppData\Local\Temp\CE09.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\Temp\CE09.exe
      C:\Users\Admin\AppData\Local\Temp\CE09.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:660
  • C:\Users\Admin\AppData\Local\Temp\DCAA.exe
    C:\Users\Admin\AppData\Local\Temp\DCAA.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nufhbrxj\
      2⤵
        PID:1740
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lvanupod.exe" C:\Windows\SysWOW64\nufhbrxj\
        2⤵
          PID:2040
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nufhbrxj binPath= "C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe /d\"C:\Users\Admin\AppData\Local\Temp\DCAA.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:928
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description nufhbrxj "wifi internet conection"
            2⤵
              PID:1792
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start nufhbrxj
              2⤵
                PID:1944
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1056
              • C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:832
                • C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                  C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                  2⤵
                  • Executes dropped EXE
                  PID:1960
              • C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe
                C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe /d"C:\Users\Admin\AppData\Local\Temp\DCAA.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:592
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  PID:632
              • C:\Users\Admin\AppData\Local\Temp\448.exe
                C:\Users\Admin\AppData\Local\Temp\448.exe
                1⤵
                • Executes dropped EXE
                PID:1036

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Persistence

              New Service

              1
              T1050

              Modify Existing Service

              1
              T1031

              Registry Run Keys / Startup Folder

              1
              T1060

              Privilege Escalation

              New Service

              1
              T1050

              Defense Evasion

              Modify Registry

              1
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Query Registry

              2
              T1012

              System Information Discovery

              2
              T1082

              Peripheral Device Discovery

              1
              T1120

              Collection

              Data from Local System

              1
              T1005

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\448.exe
                MD5

                a93ee3be032ac2a200af6f5673ecc492

                SHA1

                a6fb35b4230ae92ae50a2f3a4e7f0ca7341e9f1c

                SHA256

                f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d

                SHA512

                d4796fda3e4de570d77ffb5dd9efa8172647832e3e2e491d12578d19b9f8de6b876b349f827050f1aa6f6121cf0a5558e4cd4e4c920a33f2f46732b1ca99e321

              • C:\Users\Admin\AppData\Local\Temp\CE09.exe
                MD5

                a9d354f0774af2221abb4ce37f870808

                SHA1

                0815c7b03bd8ddc8c2019d134c1bb7da8418d097

                SHA256

                0349d11964cbf2fb8833a8c0cbbcf17dbb968aaf79cd66c7c374ac9ffcb592f4

                SHA512

                782def04c5c22145c00f4cbb587c267d3cd9a14ce1c44145bba70a1851094879624a316d6c1af5dee49dc3518b8dd0a885b8844b955a27b3c2514890cfe37859

              • C:\Users\Admin\AppData\Local\Temp\CE09.exe
                MD5

                a9d354f0774af2221abb4ce37f870808

                SHA1

                0815c7b03bd8ddc8c2019d134c1bb7da8418d097

                SHA256

                0349d11964cbf2fb8833a8c0cbbcf17dbb968aaf79cd66c7c374ac9ffcb592f4

                SHA512

                782def04c5c22145c00f4cbb587c267d3cd9a14ce1c44145bba70a1851094879624a316d6c1af5dee49dc3518b8dd0a885b8844b955a27b3c2514890cfe37859

              • C:\Users\Admin\AppData\Local\Temp\CE09.exe
                MD5

                a9d354f0774af2221abb4ce37f870808

                SHA1

                0815c7b03bd8ddc8c2019d134c1bb7da8418d097

                SHA256

                0349d11964cbf2fb8833a8c0cbbcf17dbb968aaf79cd66c7c374ac9ffcb592f4

                SHA512

                782def04c5c22145c00f4cbb587c267d3cd9a14ce1c44145bba70a1851094879624a316d6c1af5dee49dc3518b8dd0a885b8844b955a27b3c2514890cfe37859

              • C:\Users\Admin\AppData\Local\Temp\DCAA.exe
                MD5

                df204af89283181b4b009d723821a2de

                SHA1

                a740a57d0f3ada138cc4ab8f72de6f8133b7d249

                SHA256

                c5270981915ac263eedd80948cbaefaeb051f22f7f4f0190af53f2c2c9359598

                SHA512

                6d45dc1b4e00b1160fe98c86cb203fdacdd01d9206351918f6df57d4f0b85a40409dfec606ec3ea12efa1dcc63be8e348ca784ea6d3c4e240dceeec2f8118af0

              • C:\Users\Admin\AppData\Local\Temp\DCAA.exe
                MD5

                df204af89283181b4b009d723821a2de

                SHA1

                a740a57d0f3ada138cc4ab8f72de6f8133b7d249

                SHA256

                c5270981915ac263eedd80948cbaefaeb051f22f7f4f0190af53f2c2c9359598

                SHA512

                6d45dc1b4e00b1160fe98c86cb203fdacdd01d9206351918f6df57d4f0b85a40409dfec606ec3ea12efa1dcc63be8e348ca784ea6d3c4e240dceeec2f8118af0

              • C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • C:\Users\Admin\AppData\Local\Temp\EBF6.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • C:\Users\Admin\AppData\Local\Temp\lvanupod.exe
                MD5

                08500c4c52aad89aaae45b1e309d20e0

                SHA1

                16413f8333844aaf698bf8dbab2c72b9bcf6acf4

                SHA256

                38ade785bac7672958ac2c80100e7cb35a484d49ed1f13a3065200671abb9156

                SHA512

                c85b8aa4ce473eb0259e3cbb2567c0e5b0045bc0b1fffc21566d784e574fcece1ee613ceddad0e207d5443031ea4e58a9d287bfdec48f77c3ee24d920c2be4e2

              • C:\Windows\SysWOW64\nufhbrxj\lvanupod.exe
                MD5

                08500c4c52aad89aaae45b1e309d20e0

                SHA1

                16413f8333844aaf698bf8dbab2c72b9bcf6acf4

                SHA256

                38ade785bac7672958ac2c80100e7cb35a484d49ed1f13a3065200671abb9156

                SHA512

                c85b8aa4ce473eb0259e3cbb2567c0e5b0045bc0b1fffc21566d784e574fcece1ee613ceddad0e207d5443031ea4e58a9d287bfdec48f77c3ee24d920c2be4e2

              • \Users\Admin\AppData\Local\Temp\CE09.exe
                MD5

                a9d354f0774af2221abb4ce37f870808

                SHA1

                0815c7b03bd8ddc8c2019d134c1bb7da8418d097

                SHA256

                0349d11964cbf2fb8833a8c0cbbcf17dbb968aaf79cd66c7c374ac9ffcb592f4

                SHA512

                782def04c5c22145c00f4cbb587c267d3cd9a14ce1c44145bba70a1851094879624a316d6c1af5dee49dc3518b8dd0a885b8844b955a27b3c2514890cfe37859

              • \Users\Admin\AppData\Local\Temp\EBF6.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • memory/592-109-0x0000000002BEB000-0x0000000002BFC000-memory.dmp
                Filesize

                68KB

              • memory/592-116-0x0000000000400000-0x0000000002B3F000-memory.dmp
                Filesize

                39.2MB

              • memory/632-111-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/632-112-0x00000000000C0000-0x00000000000D5000-memory.dmp
                Filesize

                84KB

              • memory/632-113-0x00000000000C9A6B-mapping.dmp
              • memory/660-69-0x0000000000402DD8-mapping.dmp
              • memory/832-86-0x0000000004980000-0x0000000004981000-memory.dmp
                Filesize

                4KB

              • memory/832-77-0x0000000000CB0000-0x0000000000CB1000-memory.dmp
                Filesize

                4KB

              • memory/832-72-0x0000000000000000-mapping.dmp
              • memory/928-87-0x0000000000000000-mapping.dmp
              • memory/1036-96-0x0000000000320000-0x000000000036F000-memory.dmp
                Filesize

                316KB

              • memory/1036-97-0x0000000000370000-0x00000000003FF000-memory.dmp
                Filesize

                572KB

              • memory/1036-93-0x0000000000000000-mapping.dmp
              • memory/1036-107-0x0000000000400000-0x0000000000491000-memory.dmp
                Filesize

                580KB

              • memory/1056-91-0x0000000000000000-mapping.dmp
              • memory/1140-82-0x0000000000400000-0x0000000002B3F000-memory.dmp
                Filesize

                39.2MB

              • memory/1140-81-0x00000000001B0000-0x00000000001C3000-memory.dmp
                Filesize

                76KB

              • memory/1140-63-0x0000000000000000-mapping.dmp
              • memory/1140-75-0x000000000028B000-0x000000000029C000-memory.dmp
                Filesize

                68KB

              • memory/1200-60-0x0000000002970000-0x0000000002986000-memory.dmp
                Filesize

                88KB

              • memory/1200-85-0x0000000003BC0000-0x0000000003BD6000-memory.dmp
                Filesize

                88KB

              • memory/1280-58-0x0000000074F21000-0x0000000074F23000-memory.dmp
                Filesize

                8KB

              • memory/1280-57-0x0000000000402DD8-mapping.dmp
              • memory/1280-56-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

              • memory/1380-61-0x0000000000000000-mapping.dmp
              • memory/1380-65-0x0000000002C8B000-0x0000000002C9B000-memory.dmp
                Filesize

                64KB

              • memory/1584-55-0x0000000002CDB000-0x0000000002CEC000-memory.dmp
                Filesize

                68KB

              • memory/1584-59-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

              • memory/1740-80-0x0000000000000000-mapping.dmp
              • memory/1792-88-0x0000000000000000-mapping.dmp
              • memory/1944-90-0x0000000000000000-mapping.dmp
              • memory/1960-101-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1960-105-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1960-103-0x0000000000418EEA-mapping.dmp
              • memory/1960-102-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1960-100-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1960-99-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1960-115-0x0000000000C10000-0x0000000000C11000-memory.dmp
                Filesize

                4KB

              • memory/1960-98-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/2040-83-0x0000000000000000-mapping.dmp