Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
14-12-2021 20:45
General
-
Target
16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b.exe
-
Size
321KB
-
MD5
2247bec4be00052ab8d4ad21848087a7
-
SHA1
985b0400c54130ce241cb729a6cd8aac0b3fc3ea
-
SHA256
16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b
-
SHA512
4073a0d802ea3d1bc40511e5b3b1786fe536babf7e52f884f08f14b5f74137d2e9832a8090964b79027bd010d4b896897726fb7a3556a4bf20191c3d45499ead
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
icedid
3372020928
jeliskvosh.com
Extracted
raccoon
871b18794e3cbbc6476a5b391363702168853a50
-
url4cnc
http://194.180.174.53/duglassa1
http://91.219.236.18/duglassa1
http://194.180.174.41/duglassa1
http://91.219.236.148/duglassa1
https://t.me/duglassa1
Extracted
warzonerat
91.229.76.26:5200
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload 3 IoCs
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
-
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Arkei Stealer Payload 3 IoCs
-
Warzone RAT Payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 4 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 15 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b.exe"C:\Users\Admin\AppData\Local\Temp\16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b.exe"C:\Users\Admin\AppData\Local\Temp\16ab8d15481385d351202245fa572760b68eee32bfebe64757b4cea42262692b.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\7AC9.exeC:\Users\Admin\AppData\Local\Temp\7AC9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7AC9.exeC:\Users\Admin\AppData\Local\Temp\7AC9.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\8932.exeC:\Users\Admin\AppData\Local\Temp\8932.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 4762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\9643.exeC:\Users\Admin\AppData\Local\Temp\9643.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\9B74.dll1⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\9EE0.exeC:\Users\Admin\AppData\Local\Temp\9EE0.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\485.exe"C:\Users\Admin\AppData\Local\Temp\485.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe,"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe,"6⤵
- Modifies WinLogon for persistence
-
-
-
C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe"C:\Users\Admin\AppData\Roaming\SInitia\SInitia.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\A46F.exeC:\Users\Admin\AppData\Local\Temp\A46F.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\B23B.exeC:\Users\Admin\AppData\Local\Temp\B23B.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B23B.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\B78B.exeC:\Users\Admin\AppData\Local\Temp\B78B.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\2346.exeC:\Users\Admin\AppData\Local\Temp\2346.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\2A4C.exeC:\Users\Admin\AppData\Local\Temp\2A4C.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\3634.exeC:\Users\Admin\AppData\Local\Temp\3634.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3AE8.exeC:\Users\Admin\AppData\Local\Temp\3AE8.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\ProgramData\Reader.exe"C:\ProgramData\Reader.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath C:\3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\61CA.exeC:\Users\Admin\AppData\Local\Temp\61CA.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\extrac32.exeextrac322⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Tra.xlsx & ping 127.0.0.1 -n 302⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^dMFemqVCSwldOigKUiVwItEauGtDewBPrbAynibrquaLXwOyLiwfdszkojVTWsAQmchdHojNJSqBMSxyRZ$" Tenere.xlsx4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Doni.exe.comDoni.exe.com i4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Doni.exe.comC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Doni.exe.com i5⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\nslookup.exeC:\Windows\SysWOW64\nslookup.exe6⤵
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 303⤵
- Runs ping.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\8A43.exeC:\Users\Admin\AppData\Local\Temp\8A43.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
536KB
-
Filesize
964KB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
40KB
-
Filesize
696KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
60KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
696KB
-
Filesize
820KB
-
Filesize
624KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
1.8MB
-
Filesize
664KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
964KB
-
Filesize
512KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
19.3MB
-
Filesize
300KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
5.1MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
820KB
-
Filesize
1.3MB
-
Filesize
112KB
-
Filesize
844KB
-
Filesize
1.3MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
420KB
-
Filesize
4KB
-
Filesize
964KB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
300KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
19.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
5.0MB
-
Filesize
5.0MB