Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    07/12/2021, 21:45

General

  • Target
    c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
  • Size
    342KB
  • MD5
    03876c53834c421faa2d84dc36733d72
  • SHA1
    f754f920680587190176a6bb9a80e796d82a12fa
  • SHA256
    c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947
  • SHA512
    70f7603a74eac8c1e9765f24f784f53f47060859e88586dfa5f6ae8da0a923c3416e110cf5a4408b4cddb498de24c56013501915e2b6d25f56c4d69314b5f130

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://host-data-coin-11.com/
    http://file-coin-host-12.com/
  • rc4.i32

Extracted

  • Family
    raccoon
  • Version
    1.8.3-hotfix
  • Botnet
    f797145799b7b1b77b35d81de942eee0908da519
  • Attributes
    • url4cnc
      http://91.219.236.27/capibar
      http://94.158.245.167/capibar
      http://185.163.204.216/capibar
      http://185.225.19.238/capibar
      http://185.163.204.218/capibar
      https://t.me/capibar
  • rc4.plain

Extracted

  • Family
    amadey
  • Version
    2.86
  • C2
    185.215.113.35/d2VxjasuwS/index.php

Extracted

  • Family
    raccoon
  • Version
    1.8.3-hotfix
  • Botnet
    fd4f23250443a724a3d1548e6ab07c481dfc2814
  • Attributes
    • url4cnc
      http://91.219.236.27/duglassa1
      http://94.158.245.167/duglassa1
      http://185.163.204.216/duglassa1
      http://185.225.19.238/duglassa1
      http://185.163.204.218/duglassa1
      https://t.me/duglassa1
  • rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Amadey CnC Check-In
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • Bazar/Team9 Loader payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
    "C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe
      "C:\Users\Admin\AppData\Local\Temp\c0348c9924f77a767d373b543916c02f18addc0e6dccc3db4fd75b6fd118b947.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:772
  • C:\Users\Admin\AppData\Local\Temp\8BA2.exe
    C:\Users\Admin\AppData\Local\Temp\8BA2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Users\Admin\AppData\Local\Temp\8BA2.exe
      C:\Users\Admin\AppData\Local\Temp\8BA2.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3744
  • C:\Users\Admin\AppData\Local\Temp\A18C.exe
    C:\Users\Admin\AppData\Local\Temp\A18C.exe
    1⤵
    • Executes dropped EXE
    PID:1116
  • C:\Users\Admin\AppData\Local\Temp\A48B.exe
    C:\Users\Admin\AppData\Local\Temp\A48B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1404
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DFDF.dll
    1⤵
    • Loads dropped DLL
    PID:3752
  • C:\Users\Admin\AppData\Local\Temp\E3E8.exe
    C:\Users\Admin\AppData\Local\Temp\E3E8.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:3544
  • C:\Users\Admin\AppData\Local\Temp\F3C7.exe
    C:\Users\Admin\AppData\Local\Temp\F3C7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        PID:2152
      • C:\Windows\SysWOW64\cacls.exe
        CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
        3⤵
        PID:1908
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\SysWOW64\cacls.exe
        CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
        3⤵
        PID:3588
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        3⤵
        PID:3932
      • C:\Windows\SysWOW64\cacls.exe
        CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
        3⤵
        PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\cacls.exe
        CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
        3⤵
        PID:820
    • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
      "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
      2⤵
      • Executes dropped EXE
      PID:3064
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
        3⤵
        PID:584
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
          4⤵
          PID:2628
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
        3⤵
        • Creates scheduled task(s)
        PID:1716
  • C:\Users\Admin\AppData\Local\Temp\1421.exe
    C:\Users\Admin\AppData\Local\Temp\1421.exe
    1⤵
    • Executes dropped EXE
    PID:3496
  • C:\Users\Admin\AppData\Local\Temp\5840.exe
    C:\Users\Admin\AppData\Local\Temp\5840.exe
    1⤵
    • Executes dropped EXE
    PID:3636
  • C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    1⤵
    • Executes dropped EXE
    PID:808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/772-116-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize: 36KB
  • memory/808-211-0x0000000000530000-0x000000000067A000-memory.dmp
    Filesize: 1.3MB
  • memory/808-209-0x000000000069E000-0x00000000006BC000-memory.dmp
    Filesize: 120KB
  • memory/808-212-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize: 376KB
  • memory/1116-136-0x0000000000400000-0x0000000000491000-memory.dmp
    Filesize: 580KB
  • memory/1116-135-0x0000000002120000-0x00000000021AF000-memory.dmp
    Filesize: 572KB
  • memory/1268-166-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize: 376KB
  • memory/1268-164-0x0000000000508000-0x0000000000526000-memory.dmp
    Filesize: 120KB
  • memory/1268-165-0x0000000001F80000-0x0000000001FB9000-memory.dmp
    Filesize: 228KB
  • memory/1404-134-0x00000000029D0000-0x0000000002A15000-memory.dmp
    Filesize: 276KB
  • memory/2648-118-0x0000000000030000-0x0000000000039000-memory.dmp
    Filesize: 36KB
  • memory/3020-137-0x0000000001FF0000-0x0000000002006000-memory.dmp
    Filesize: 88KB
  • memory/3020-119-0x0000000000520000-0x0000000000536000-memory.dmp
    Filesize: 88KB
  • memory/3064-182-0x0000000000460000-0x00000000005AA000-memory.dmp
    Filesize: 1.3MB
  • memory/3064-179-0x0000000000808000-0x0000000000826000-memory.dmp
    Filesize: 120KB
  • memory/3064-185-0x0000000000400000-0x000000000045E000-memory.dmp
    Filesize: 376KB
  • memory/3496-195-0x0000000000681000-0x00000000006D0000-memory.dmp
    Filesize: 316KB
  • memory/3496-196-0x00000000007D0000-0x000000000085F000-memory.dmp
    Filesize: 572KB
  • memory/3496-197-0x0000000000400000-0x0000000000515000-memory.dmp
    Filesize: 1.1MB
  • memory/3544-145-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize: 4KB
  • memory/3544-163-0x000000006FC60000-0x000000006FCAB000-memory.dmp
    Filesize: 300KB
  • memory/3544-154-0x0000000004F90000-0x0000000004F91000-memory.dmp
    Filesize: 4KB
  • memory/3544-155-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize: 4KB
  • memory/3544-146-0x0000000076740000-0x0000000076902000-memory.dmp
    Filesize: 1.8MB
  • memory/3544-153-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize: 4KB
  • memory/3544-144-0x0000000000ED0000-0x0000000000F82000-memory.dmp
    Filesize: 712KB
  • memory/3544-148-0x0000000076510000-0x0000000076601000-memory.dmp
    Filesize: 964KB
  • memory/3544-186-0x0000000004E80000-0x0000000004E81000-memory.dmp
    Filesize: 4KB
  • memory/3544-156-0x0000000002A70000-0x0000000002A71000-memory.dmp
    Filesize: 4KB
  • memory/3544-189-0x00000000050A0000-0x00000000050A1000-memory.dmp
    Filesize: 4KB
  • memory/3544-191-0x0000000005FA0000-0x0000000005FA1000-memory.dmp
    Filesize: 4KB
  • memory/3544-149-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
    Filesize: 4KB
  • memory/3544-192-0x0000000004F40000-0x0000000004F41000-memory.dmp
    Filesize: 4KB
  • memory/3544-193-0x0000000005400000-0x0000000005401000-memory.dmp
    Filesize: 4KB
  • memory/3544-162-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
    Filesize: 4KB
  • memory/3544-147-0x00000000023F0000-0x0000000002435000-memory.dmp
    Filesize: 276KB
  • memory/3544-158-0x0000000074490000-0x00000000757D8000-memory.dmp
    Filesize: 19.3MB
  • memory/3544-151-0x00000000719F0000-0x0000000071A70000-memory.dmp
    Filesize: 512KB
  • memory/3544-198-0x0000000006770000-0x0000000006771000-memory.dmp
    Filesize: 4KB
  • memory/3544-199-0x0000000006E70000-0x0000000006E71000-memory.dmp
    Filesize: 4KB
  • memory/3544-200-0x00000000066D0000-0x00000000066D1000-memory.dmp
    Filesize: 4KB
  • memory/3544-157-0x0000000075D10000-0x0000000076294000-memory.dmp
    Filesize: 5.5MB
  • memory/3544-152-0x0000000005490000-0x0000000005491000-memory.dmp
    Filesize: 4KB
  • memory/3636-207-0x0000000001400000-0x00000000014AE000-memory.dmp
    Filesize: 696KB
  • memory/3752-203-0x0000000002510000-0x0000000002550000-memory.dmp
    Filesize: 256KB
  • memory/3752-201-0x0000000000820000-0x0000000000822000-memory.dmp
    Filesize: 8KB
  • memory/3752-202-0x0000000000820000-0x0000000000822000-memory.dmp
    Filesize: 8KB