Analysis
max time kernel: 159s
max time network: 163s
platform: windows10_x64
resource: win10-en-20211014
submitted: 07/12/2021, 22:45
Static task: static1
Behavioral task: behavioral1
Sample: 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
Resource: win10-en-20211014
General
Target: 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
Size: 342KB
MD5: 2a29a794fdb635b937942bded9584ae2
SHA1: ac2fb60a071869cd4717f2e2f3e7e3650bfc4ce2
SHA256: 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308
SHA512: 4c000ddfb322cf4ad06a9a5430651ef73b4b43485358e6860ca6074f22955ecef27768eeb0294a1fc519786475da1fbf0949392d8ce0368155935aefa1e17fb0
Malware Config

Extracted: smokeloader
  2020
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/

Extracted: raccoon
  1.8.3-hotfix
  f797145799b7b1b77b35d81de942eee0908da519
  url4cnc:
    http://91.219.236.27/capibar
    http://94.158.245.167/capibar
    http://185.163.204.216/capibar
    http://185.225.19.238/capibar
    http://185.163.204.218/capibar
    https://t.me/capibar

Extracted: amadey
  2.86
  185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
  1.8.3-hotfix
  fd4f23250443a724a3d1548e6ab07c481dfc2814
  url4cnc:
    http://91.219.236.27/duglassa1
    http://94.158.245.167/duglassa1
    http://185.163.204.216/duglassa1
    http://185.225.19.238/duglassa1
    http://185.163.204.218/duglassa1
    https://t.me/duglassa1
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

BitRAT Payload 4 IoCs
resource | yara_rule
behavioral1/memory/2376-235-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
behavioral1/memory/2376-236-0x000000000068A488-mapping.dmp | family_bitrat
behavioral1/memory/2376-237-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat
behavioral1/memory/2376-238-0x0000000000400000-0x00000000007CE000-memory.dmp | family_bitrat

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2756-135-0x0000000000A30000-0x0000000000A99000-memory.dmp | family_redline
behavioral1/memory/1288-160-0x00000000009A0000-0x0000000000A52000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Bazar/Team9 Loader payload 1 IoCs
resource | yara_rule
behavioral1/memory/1056-226-0x0000000002710000-0x0000000002750000-memory.dmp | BazarLoaderVar5
Downloads MZ/PE file

Executes dropped EXE 11 IoCs
pid | Process
3756 | 683B.exe
3672 | 683B.exe
2880 | DC05.exe
2756 | E117.exe
1288 | 2352.exe
2036 | 32F3.exe
2492 | 4A45.exe
2804 | tkools.exe
1208 | 683E.exe
3676 | ABB0.exe
2412 | tkools.exe

Deletes itself 1 IoCs
pid | Process
3024 | Process not Found

Loads dropped DLL 1 IoCs
pid | Process
1056 | regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
pid | Process
2756 | E117.exe
1288 | 2352.exe
2376 | RegAsm.exe (x5)

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2820 set thread context of 1868 | 2820 | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe | 68
PID 3756 set thread context of 3672 | 3756 | 683B.exe | 71
PID 2492 set thread context of 2376 | 2492 | 4A45.exe | 104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 683B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 683B.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 683B.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3196 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1868 | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe (x2)
3024 | Process not Found (x62)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3024 | Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs
pid | Process
1868 | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
3672 | 683B.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs
description | pid | Process
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3024 | Process not Found (7 pairs, 14 entries)
Token: SeDebugPrivilege | 1288 | 2352.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3024 | Process not Found (1 pair, 2 entries)
Token: SeDebugPrivilege | 2492 | 4A45.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3024 | Process not Found (9 pairs, 18 entries)
Token: SeShutdownPrivilege | 2376 | RegAsm.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating) | 3024 | Process not Found (4 pairs, 8 entries)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2376 | RegAsm.exe (x2)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2820 wrote to memory of 1868 | 2820 | 570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe | 68 (x6)
PID 3024 wrote to memory of 3756 | 3024 | Process not Found | 70 (x3)
PID 3756 wrote to memory of 3672 | 3756 | 683B.exe | 71 (x6)
PID 3024 wrote to memory of 2880 | 3024 | Process not Found | 72 (x3)
PID 3024 wrote to memory of 2756 | 3024 | Process not Found | 73 (x3)
PID 3024 wrote to memory of 1056 | 3024 | Process not Found | 76 (x2)
PID 3024 wrote to memory of 1288 | 3024 | Process not Found | 77 (x3)
PID 3024 wrote to memory of 2036 | 3024 | Process not Found | 78 (x3)
PID 2036 wrote to memory of 3336 | 2036 | 32F3.exe | 79 (x3)
PID 3336 wrote to memory of 2284 | 3336 | cmd.exe | 81 (x3)
PID 3336 wrote to memory of 2920 | 3336 | cmd.exe | 82 (x3)
PID 2036 wrote to memory of 1456 | 2036 | 32F3.exe | 83 (x3)
PID 1456 wrote to memory of 948 | 1456 | cmd.exe | 85 (x3)
PID 2036 wrote to memory of 3272 | 2036 | 32F3.exe | 87 (x3)
PID 3272 wrote to memory of 3796 | 3272 | cmd.exe | 89 (x3)
PID 3272 wrote to memory of 3912 | 3272 | cmd.exe | 90 (x3)
PID 3024 wrote to memory of 2492 | 3024 | Process not Found | 91 (x2)
PID 2036 wrote to memory of 1400 | 2036 | 32F3.exe | 92 (x3)
PID 2036 wrote to memory of 2804 | 2036 | 32F3.exe | 94 (x3)
PID 1400 wrote to memory of 3904 | 1400 | cmd.exe | 95 (x3)
Processes

* C:\Users\Admin\AppData\Local\Temp\570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2820
  * C:\Users\Admin\AppData\Local\Temp\570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\570ea7d4bf8c0a48a0e1e912fa3a10c69bc5ffb77d51e077aa016796ac452308.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 1868

* C:\Users\Admin\AppData\Local\Temp\683B.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\683B.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 3756
  * C:\Users\Admin\AppData\Local\Temp\683B.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\683B.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 3672

* C:\Users\Admin\AppData\Local\Temp\DC05.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\DC05.exe
  - Executes dropped EXE
  PID: 2880

* C:\Users\Admin\AppData\Local\Temp\E117.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\E117.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 2756

* C:\Windows\system32\regsvr32.exe
  cmdline: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1F88.dll
  - Loads dropped DLL
  PID: 1056

* C:\Users\Admin\AppData\Local\Temp\2352.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\2352.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID: 1288

* C:\Users\Admin\AppData\Local\Temp\32F3.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\32F3.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2036
  * C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
    - Suspicious use of WriteProcessMemory
    PID: 3336
    * C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      PID: 2284
    * C:\Windows\SysWOW64\cacls.exe
      cmdline: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
      PID: 2920
  * C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
    - Suspicious use of WriteProcessMemory
    PID: 1456
    * C:\Windows\SysWOW64\cacls.exe
      cmdline: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
      PID: 948
  * C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
    - Suspicious use of WriteProcessMemory
    PID: 3272
    * C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      PID: 3796
    * C:\Windows\SysWOW64\cacls.exe
      cmdline: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
      PID: 3912
  * C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
    - Suspicious use of WriteProcessMemory
    PID: 1400
    * C:\Windows\SysWOW64\cacls.exe
      cmdline: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
      PID: 3904
  * C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
    - Executes dropped EXE
    PID: 2804
    * C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
      PID: 1608
      * C:\Windows\SysWOW64\reg.exe
        cmdline: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
        PID: 812
    * C:\Windows\SysWOW64\schtasks.exe
      cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
      - Creates scheduled task(s)
      PID: 3196

* C:\Users\Admin\AppData\Local\Temp\4A45.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\4A45.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID: 2492
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2032
  * C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 2376

* C:\Users\Admin\AppData\Local\Temp\683E.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\683E.exe
  - Executes dropped EXE
  PID: 1208

* C:\Users\Admin\AppData\Local\Temp\ABB0.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\ABB0.exe
  - Executes dropped EXE
  PID: 3676

* C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  - Executes dropped EXE
  PID: 2412