Analysis
- max time kernel: 151s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07/12/2021, 22:30

Static task: static1

Behavioral task: behavioral1
- Sample: f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe
- Resource: win10-en-20211014

General
- Target: f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe
- Size: 342KB
- MD5: d13c274224fc24e2428a914e3e6e0944
- SHA1: 1994db80c5a23b563ecdab94fc957be83d21fed5
- SHA256: f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8
- SHA512: 4db8cf786ccc32a06fe4d335095dd81cac709fb9524130b92b8221b6cb3b65df6b00383be089f7d5f98a7e705c0493fdc2f9eb212ae74357292cae01617cdc68
Malware Config

Extracted: smokeloader
- Version: 2020
- C2: http://host-data-coin-11.com/
- C2: http://file-coin-host-12.com/

Extracted: raccoon
- Version: 1.8.3-hotfix
- f797145799b7b1b77b35d81de942eee0908da519
- url4cnc:
  - http://91.219.236.27/capibar
  - http://94.158.245.167/capibar
  - http://185.163.204.216/capibar
  - http://185.225.19.238/capibar
  - http://185.163.204.218/capibar
  - https://t.me/capibar

Extracted: amadey
- Version: 2.86
- C2: 185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
- Version: 1.8.3-hotfix
- fd4f23250443a724a3d1548e6ab07c481dfc2814
- url4cnc:
  - http://91.219.236.27/duglassa1
  - http://94.158.245.167/duglassa1
  - http://185.163.204.216/duglassa1
  - http://185.225.19.238/duglassa1
  - http://185.163.204.218/duglassa1
  - https://t.me/duglassa1
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (2 IoCs)
  resource: behavioral1/memory/2628-136-0x0000000001160000-0x00000000011C9000-memory.dmp; yara_rule: family_redline
  resource: behavioral1/memory/2644-161-0x00000000013A0000-0x0000000001452000-memory.dmp; yara_rule: family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Bazar/Team9 Loader payload (1 IoC)
  resource: behavioral1/memory/440-220-0x00000000023C0000-0x0000000002400000-memory.dmp; yara_rule: BazarLoaderVar5
- Downloads MZ/PE file
- Executes dropped EXE (10 IoCs)
  pid / process: 3656 A7D5.exe; 1432 A7D5.exe; 3128 B87F.exe; 2628 BB01.exe; 2644 F33A.exe; 1856 192.exe; 3508 1A2C.exe; 1904 tkools.exe; 3220 5B9B.exe; 1724 tkools.exe
- Deletes itself (1 IoC)
  pid / process: 3020 Process not Found
- Loads dropped DLL (1 IoC)
  pid / process: 440 regsvr32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / process: 2628 BB01.exe; 2644 F33A.exe
- Suspicious use of SetThreadContext (2 IoCs)
  PID 2668 set thread context of 3988 (pid 2668, process f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe, procid_target 69)
  PID 3656 set thread context of 1432 (pid 3656, process A7D5.exe, procid_target 71)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by A7D5.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by A7D5.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by A7D5.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / process: 1056 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / process: 3020 Process not Found
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid / process: 3988 f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe; 1432 A7D5.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe (PID 2668)
  command: "C:\Users\Admin\AppData\Local\Temp\f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe (PID 3988)
    command: "C:\Users\Admin\AppData\Local\Temp\f18f0b1d0730abd3db4a433075d7d5b230e80f16fffa3497ebf75f6c2ee70da8.exe"
    signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\A7D5.exe (PID 3656)
  command: C:\Users\Admin\AppData\Local\Temp\A7D5.exe
  signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\A7D5.exe (PID 1432)
    command: C:\Users\Admin\AppData\Local\Temp\A7D5.exe
    signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\B87F.exe (PID 3128)
  command: C:\Users\Admin\AppData\Local\Temp\B87F.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\BB01.exe (PID 2628)
  command: C:\Users\Admin\AppData\Local\Temp\BB01.exe
  signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
- C:\Windows\system32\regsvr32.exe (PID 440)
  command: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EF7F.dll
  signatures: Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\F33A.exe (PID 2644)
  command: C:\Users\Admin\AppData\Local\Temp\F33A.exe
  signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\192.exe (PID 1856)
  command: C:\Users\Admin\AppData\Local\Temp\192.exe
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3228)
    command: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4060)
      command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - C:\Windows\SysWOW64\cacls.exe (PID 2964)
      command: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
  - C:\Windows\SysWOW64\cmd.exe (PID 3748)
    command: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (PID 1916)
      command: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
  - C:\Windows\SysWOW64\cmd.exe (PID 2688)
    command: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1612)
      command: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
    - C:\Windows\SysWOW64\cacls.exe (PID 3860)
      command: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
  - C:\Windows\SysWOW64\cmd.exe (PID 2892)
    command: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cacls.exe (PID 3920)
      command: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
  - C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe (PID 1904)
    command: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
    signatures: Executes dropped EXE
    - C:\Windows\SysWOW64\cmd.exe (PID 3924)
      command: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
      - C:\Windows\SysWOW64\reg.exe (PID 680)
        command: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
    - C:\Windows\SysWOW64\schtasks.exe (PID 1056)
      command: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
      signatures: Creates scheduled task(s)
- C:\Users\Admin\AppData\Local\Temp\1A2C.exe (PID 3508)
  command: C:\Users\Admin\AppData\Local\Temp\1A2C.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\5B9B.exe (PID 3220)
  command: C:\Users\Admin\AppData\Local\Temp\5B9B.exe
  signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe (PID 1724)
  command: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  signatures: Executes dropped EXE