Analysis

Max time kernel: 150s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 07/12/2021, 21:45

Static task: static1
Behavioral task: behavioral1
Sample: c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
Resource: win10-en-20211014
General

Target: c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
Size: 342KB
MD5: 03876c53834c421faa2d84dc36733d72
SHA1: f754f920680587190176a6bb9a80e796d82a12fa
SHA256: c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947
SHA512: 70f7603a74eac8c1e9765f24f784f53f47060859e88586dfa5f6ae8da0a923c3416e110cf5a4408b4cddb498de24c56013501915e2b6d25f56c4d69314b5f130
Malware Config

Extracted: smokeloader
Version: 2020
C2:
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/

Extracted: raccoon
Version: 1.8.3-hotfix
f797145799b7b1b77b35d81de942eee0908da519
url4cnc:
  http://91.219.236.27/capibar
  http://94.158.245.167/capibar
  http://185.163.204.216/capibar
  http://185.225.19.238/capibar
  http://185.163.204.218/capibar
  https://t.me/capibar

Extracted: amadey
Version: 2.86
C2: 185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
Version: 1.8.3-hotfix
fd4f23250443a724a3d1548e6ab07c481dfc2814
url4cnc:
  http://91.219.236.27/duglassa1
  http://94.158.245.167/duglassa1
  http://185.163.204.216/duglassa1
  http://185.225.19.238/duglassa1
  http://185.163.204.218/duglassa1
  https://t.me/duglassa1
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoC)
  resource:  behavioral1/memory/3544-144-0x0000000000ED0000-0x0000000000F82000-memory.dmp
  yara_rule: family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Bazar/Team9 Loader payload (1 IoC)
  resource:  behavioral1/memory/3752-203-0x0000000002510000-0x0000000002550000-memory.dmp
  yara_rule: BazarLoaderVar5

Downloads MZ/PE file

Executes dropped EXE (10 IoCs)
  pid   Process
  3840  8BA2.exe
  3744  8BA2.exe
  1116  A18C.exe
  1404  A48B.exe
  3544  E3E8.exe
  1268  F3C7.exe
  3064  tkools.exe
  3496  1421.exe
  3636  5840.exe
  808   tkools.exe

Deletes itself (1 IoC)
  pid   Process
  3020  Process not Found

Loads dropped DLL (1 IoC)
  pid   Process
  3752  regsvr32.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1404  A48B.exe
  3544  E3E8.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                              pid   Process                                                                   procid_target
  PID 2648 set thread context of 772       2648  c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe  68
  PID 3840 set thread context of 3744      3840  8BA2.exe                                                                  71

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description      ioc                                                  Process
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8BA2.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8BA2.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8BA2.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  1716  schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical rows collapsed, with their count)
  pid   Process                                                                   count
  772   c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe  2
  3020  Process not Found                                                         62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3020  Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  772   c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
  3744  8BA2.exe
Suspicious use of AdjustPrivilegeToken (37 IoCs; identical rows collapsed, with their count)
  description                        pid   Process            count
  Token: SeShutdownPrivilege         3020  Process not Found  18
  Token: SeCreatePagefilePrivilege   3020  Process not Found  18
  Token: SeDebugPrivilege            3544  E3E8.exe           1
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with their count)
  description                          pid   Process                                                                   procid_target  count
  PID 2648 wrote to memory of 772      2648  c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe  68             6
  PID 3020 wrote to memory of 3840     3020  Process not Found                                                         70             3
  PID 3840 wrote to memory of 3744     3840  8BA2.exe                                                                  71             6
  PID 3020 wrote to memory of 1116     3020  Process not Found                                                         72             3
  PID 3020 wrote to memory of 1404     3020  Process not Found                                                         73             3
  PID 3020 wrote to memory of 3752     3020  Process not Found                                                         76             2
  PID 3020 wrote to memory of 3544     3020  Process not Found                                                         77             3
  PID 3020 wrote to memory of 1268     3020  Process not Found                                                         78             3
  PID 1268 wrote to memory of 1696     1268  F3C7.exe                                                                  79             3
  PID 1696 wrote to memory of 2152     1696  cmd.exe                                                                   81             3
  PID 1696 wrote to memory of 1908     1696  cmd.exe                                                                   82             3
  PID 1268 wrote to memory of 1956     1268  F3C7.exe                                                                  83             3
  PID 1956 wrote to memory of 3588     1956  cmd.exe                                                                   85             3
  PID 1268 wrote to memory of 3156     1268  F3C7.exe                                                                  86             3
  PID 3156 wrote to memory of 3932     3156  cmd.exe                                                                   88             3
  PID 3156 wrote to memory of 2216     3156  cmd.exe                                                                   89             3
  PID 1268 wrote to memory of 2480     1268  F3C7.exe                                                                  90             3
  PID 1268 wrote to memory of 3064     1268  F3C7.exe                                                                  91             3
  PID 3020 wrote to memory of 3496     3020  Process not Found                                                         93             3
  PID 2480 wrote to memory of 820      2480  cmd.exe                                                                   94             2
Processes

1. C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe (PID 2648)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   1.1. C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe (PID 772)
        Command line: "C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

2. C:\Users\Admin\AppData\Local\Temp\8BA2.exe (PID 3840)
   Command line: C:\Users\Admin\AppData\Local\Temp\8BA2.exe
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2.1. C:\Users\Admin\AppData\Local\Temp\8BA2.exe (PID 3744)
        Command line: C:\Users\Admin\AppData\Local\Temp\8BA2.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection

3. C:\Users\Admin\AppData\Local\Temp\A18C.exe (PID 1116)
   Command line: C:\Users\Admin\AppData\Local\Temp\A18C.exe
   - Executes dropped EXE

4. C:\Users\Admin\AppData\Local\Temp\A48B.exe (PID 1404)
   Command line: C:\Users\Admin\AppData\Local\Temp\A48B.exe
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger

5. C:\Windows\system32\regsvr32.exe (PID 3752)
   Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DFDF.dll
   - Loads dropped DLL

6. C:\Users\Admin\AppData\Local\Temp\E3E8.exe (PID 3544)
   Command line: C:\Users\Admin\AppData\Local\Temp\E3E8.exe
   - Executes dropped EXE
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of AdjustPrivilegeToken

7. C:\Users\Admin\AppData\Local\Temp\F3C7.exe (PID 1268)
   Command line: C:\Users\Admin\AppData\Local\Temp\F3C7.exe
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

   7.1. C:\Windows\SysWOW64\cmd.exe (PID 1696)
        Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
        - Suspicious use of WriteProcessMemory

        7.1.1. C:\Windows\SysWOW64\cmd.exe (PID 2152)
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        7.1.2. C:\Windows\SysWOW64\cacls.exe (PID 1908)
               Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"

   7.2. C:\Windows\SysWOW64\cmd.exe (PID 1956)
        Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
        - Suspicious use of WriteProcessMemory

        7.2.1. C:\Windows\SysWOW64\cacls.exe (PID 3588)
               Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E

   7.3. C:\Windows\SysWOW64\cmd.exe (PID 3156)
        Command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
        - Suspicious use of WriteProcessMemory

        7.3.1. C:\Windows\SysWOW64\cmd.exe (PID 3932)
               Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

        7.3.2. C:\Windows\SysWOW64\cacls.exe (PID 2216)
               Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"

   7.4. C:\Windows\SysWOW64\cmd.exe (PID 2480)
        Command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
        - Suspicious use of WriteProcessMemory

        7.4.1. C:\Windows\SysWOW64\cacls.exe (PID 820)
               Command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E

   7.5. C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe (PID 3064)
        Command line: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
        - Executes dropped EXE

        7.5.1. C:\Windows\SysWOW64\cmd.exe (PID 584)
               Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

               7.5.1.1. C:\Windows\SysWOW64\reg.exe (PID 2628)
                        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\

        7.5.2. C:\Windows\SysWOW64\schtasks.exe (PID 1716)
               Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
               - Creates scheduled task(s)

8. C:\Users\Admin\AppData\Local\Temp\1421.exe (PID 3496)
   Command line: C:\Users\Admin\AppData\Local\Temp\1421.exe
   - Executes dropped EXE

9. C:\Users\Admin\AppData\Local\Temp\5840.exe (PID 3636)
   Command line: C:\Users\Admin\AppData\Local\Temp\5840.exe
   - Executes dropped EXE

10. C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe (PID 808)
    Command line: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    - Executes dropped EXE