Analysis

max time kernel:   151s
max time network:  151s
platform:          windows10_x64
resource:          win10-en-20211104
submitted:         07/12/2021, 23:47

Static task: static1

Behavioral task: behavioral1
  Sample:   a4822c960055c8c34fcc130bae6f0d86.exe
  Resource: win7-en-20211014

Behavioral task: behavioral2
  Sample:   a4822c960055c8c34fcc130bae6f0d86.exe
  Resource: win10-en-20211104

General

Target:  a4822c960055c8c34fcc130bae6f0d86.exe
Size:    319KB
MD5:     a4822c960055c8c34fcc130bae6f0d86
SHA1:    bd5f62284b8c1c905a72b3c7f66240a4704e1bfa
SHA256:  f6401919fd20e698ec964ca0df4eee18c1f13852eef32a9246fe4605cff79969
SHA512:  7bb794fddd9d43483ddf17d4d1a8957db6044d4d4d8271f3c3631b416c0bb788e61ddb2a8a0ea16bbe3d0baa416534b4e8e475628e38bb08922c62f4cae45061
Malware Config

Extracted: smokeloader
  version: 2020
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/

Extracted: raccoon
  version: 1.8.3-hotfix
  f797145799b7b1b77b35d81de942eee0908da519
  url4cnc:
    http://91.219.236.27/capibar
    http://94.158.245.167/capibar
    http://185.163.204.216/capibar
    http://185.225.19.238/capibar
    http://185.163.204.218/capibar
    https://t.me/capibar

Extracted: amadey
  version: 2.86
  185.215.113.35/d2VxjasuwS/index.php

Extracted: raccoon
  version: 1.8.3-hotfix
  fd4f23250443a724a3d1548e6ab07c481dfc2814
  url4cnc:
    http://91.219.236.27/duglassa1
    http://94.158.245.167/duglassa1
    http://185.163.204.216/duglassa1
    http://185.225.19.238/duglassa1
    http://185.163.204.218/duglassa1
    https://t.me/duglassa1
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

BitRAT Payload (4 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3168-229-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
  behavioral2/memory/3168-230-0x000000000068A488-mapping.dmp                    family_bitrat
  behavioral2/memory/3168-231-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat
  behavioral2/memory/3168-232-0x0000000000400000-0x00000000007CE000-memory.dmp  family_bitrat

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1432-137-0x0000000000310000-0x0000000000379000-memory.dmp  family_redline
  behavioral2/memory/1072-163-0x0000000000E90000-0x0000000000F42000-memory.dmp  family_redline

SmokeLoader
  Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Amadey CnC Check-In

suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

Bazar/Team9 Loader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/2972-217-0x0000000002240000-0x0000000002280000-memory.dmp  BazarLoaderVar5
Downloads MZ/PE file

Executes dropped EXE (10 IoCs)
  pid   Process
  2300  6E56.exe
  2788  6E56.exe
  2584  84BD.exe
  1432  874F.exe
  1072  CE1E.exe
  2160  DD90.exe
  3252  tkools.exe
  2344  FC15.exe
  2472  13F4.exe
  1872  tkools.exe

Deletes itself (1 IoC)
  pid   Process
  2156  Process not Found

Loads dropped DLL (1 IoC)
  pid   Process
  2972  regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  pid   Process
  1432  874F.exe
  1072  CE1E.exe
  3168  RegAsm.exe  (5 occurrences)

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid   Process                               procid_target
  PID 2040 set thread context of 3916    2040  a4822c960055c8c34fcc130bae6f0d86.exe  68
  PID 2300 set thread context of 2788    2300  6E56.exe                              71
  PID 2344 set thread context of 3168    2344  FC15.exe                              103

Drops file in Windows directory (1 IoC)
  description   ioc                                                         Process
  File created  C:\Windows\rescache\_merged\2717123927\1713683155.pri       fodhelper.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                   Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      a4822c960055c8c34fcc130bae6f0d86.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      a4822c960055c8c34fcc130bae6f0d86.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      a4822c960055c8c34fcc130bae6f0d86.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      6E56.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      6E56.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI      6E56.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3096  schtasks.exe

Modifies registry class (6 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command   RegAsm.exe
  Key created      \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings                      RegAsm.exe
  Key created      \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell                RegAsm.exe
  Key created      \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open           RegAsm.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe -wdkill\uf500"   RegAsm.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute   RegAsm.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3916  a4822c960055c8c34fcc130bae6f0d86.exe  (2 occurrences)
  2156  Process not Found                     (62 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2156  Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  3916  a4822c960055c8c34fcc130bae6f0d86.exe
  2788  6E56.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description                            pid   Process
  Token: SeShutdownPrivilege             2156  Process not Found  } alternating, 12 pairs (24 entries)
  Token: SeCreatePagefilePrivilege       2156  Process not Found  }
  Token: SeDebugPrivilege                2344  FC15.exe
  Token: SeShutdownPrivilege             2156  Process not Found
  Token: SeCreatePagefilePrivilege       2156  Process not Found
  Token: SeShutdownPrivilege             3168  RegAsm.exe
  Token: SeShutdownPrivilege             2156  Process not Found  } alternating, 9 pairs (18 entries)
  Token: SeCreatePagefilePrivilege       2156  Process not Found  }

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid   Process
  3168  RegAsm.exe  (2 occurrences)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process                               procid_target  occurrences
  PID 2040 wrote to memory of 3916     2040  a4822c960055c8c34fcc130bae6f0d86.exe  68             6
  PID 2156 wrote to memory of 2300     2156  Process not Found                     70             3
  PID 2300 wrote to memory of 2788     2300  6E56.exe                              71             6
  PID 2156 wrote to memory of 2584     2156  Process not Found                     72             3
  PID 2156 wrote to memory of 1432     2156  Process not Found                     73             3
  PID 2156 wrote to memory of 2972     2156  Process not Found                     74             2
  PID 2156 wrote to memory of 1072     2156  Process not Found                     75             3
  PID 2156 wrote to memory of 2160     2156  Process not Found                     78             3
  PID 2160 wrote to memory of 2728     2160  DD90.exe                              79             3
  PID 2728 wrote to memory of 3128     2728  cmd.exe                               81             3
  PID 2728 wrote to memory of 3532     2728  cmd.exe                               82             3
  PID 2160 wrote to memory of 4048     2160  DD90.exe                              83             3
  PID 4048 wrote to memory of 972      4048  cmd.exe                               85             3
  PID 2160 wrote to memory of 2328     2160  DD90.exe                              86             3
  PID 2328 wrote to memory of 2892     2328  cmd.exe                               88             3
  PID 2328 wrote to memory of 2392     2328  cmd.exe                               89             3
  PID 2160 wrote to memory of 3204     2160  DD90.exe                              90             3
  PID 3204 wrote to memory of 3160     3204  cmd.exe                               92             3
  PID 2160 wrote to memory of 3252     2160  DD90.exe                              93             3
  PID 3252 wrote to memory of 1208     3252  tkools.exe                            94             2
Processes

PID 2040  C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 3916  C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\a4822c960055c8c34fcc130bae6f0d86.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

PID 2300  C:\Users\Admin\AppData\Local\Temp\6E56.exe
  command line: C:\Users\Admin\AppData\Local\Temp\6E56.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 2788  C:\Users\Admin\AppData\Local\Temp\6E56.exe
      command line: C:\Users\Admin\AppData\Local\Temp\6E56.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

PID 2584  C:\Users\Admin\AppData\Local\Temp\84BD.exe
  command line: C:\Users\Admin\AppData\Local\Temp\84BD.exe
  - Executes dropped EXE

PID 1432  C:\Users\Admin\AppData\Local\Temp\874F.exe
  command line: C:\Users\Admin\AppData\Local\Temp\874F.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

PID 2972  C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C9B8.dll
  - Loads dropped DLL

PID 1072  C:\Users\Admin\AppData\Local\Temp\CE1E.exe
  command line: C:\Users\Admin\AppData\Local\Temp\CE1E.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

PID 2160  C:\Users\Admin\AppData\Local\Temp\DD90.exe
  command line: C:\Users\Admin\AppData\Local\Temp\DD90.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    PID 2728  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
      - Suspicious use of WriteProcessMemory
        PID 3128  C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID 3532  C:\Windows\SysWOW64\cacls.exe
          command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
    PID 4048  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
      - Suspicious use of WriteProcessMemory
        PID 972   C:\Windows\SysWOW64\cacls.exe
          command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
    PID 2328  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
      - Suspicious use of WriteProcessMemory
        PID 2892  C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        PID 2392  C:\Windows\SysWOW64\cacls.exe
          command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
    PID 3204  C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
      - Suspicious use of WriteProcessMemory
        PID 3160  C:\Windows\SysWOW64\cacls.exe
          command line: CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
    PID 3252  C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        PID 1208  C:\Windows\SysWOW64\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
            PID 3808  C:\Windows\SysWOW64\reg.exe
              command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
        PID 3096  C:\Windows\SysWOW64\schtasks.exe
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
          - Creates scheduled task(s)

PID 2344  C:\Users\Admin\AppData\Local\Temp\FC15.exe
  command line: C:\Users\Admin\AppData\Local\Temp\FC15.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
    PID 4068  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID 3168  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
        PID 2172  C:\Windows\System32\fodhelper.exe
          command line: "C:\Windows\System32\fodhelper.exe"
          - Drops file in Windows directory
            PID 3256  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" -wdkill

PID 2472  C:\Users\Admin\AppData\Local\Temp\13F4.exe
  command line: C:\Users\Admin\AppData\Local\Temp\13F4.exe
  - Executes dropped EXE

PID 1872  C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  command line: C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
  - Executes dropped EXE