Analysis

  • max time kernel
    154s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:03

General

  • Target

    b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe

  • Size

    7.6MB

  • MD5

    d12ffcd4fdf8820c753e597f9bbb4249

  • SHA1

    95ed9a95a4ec01e07d172f258d930dad41d05ff1

  • SHA256

    b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0

  • SHA512

    0541989282c92da758ed7b5dc529d23a0312a2c45255d78d44de5f906f3defbd97d7396b9262df7fc3ebb1a206f931dbe2d6972101014ec681a50ae582f2761c

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

raccoon

Botnet

164fb74855c13a4287d8fe7ac579a35bdf7002ab

Attributes
  • url4cnc

    http://194.180.174.53/takecareandkeepitup

    http://91.219.236.18/takecareandkeepitup

    http://194.180.174.41/takecareandkeepitup

    http://91.219.236.148/takecareandkeepitup

    https://t.me/takecareandkeepitup

  • rc4.plain
  • rc4.plain

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 24 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Often ransomware behaviour, but the families extracted from this sample are infostealers, so treat the generic label with caution.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 6 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
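The "ASPack v2.12-2.42" hit above is a packer-signature match. As an added example (my own code, not Triage's detection logic), the following walks the PE section table, which is where ASPack leaves its most visible trace: the stub appends sections named .aspack and .adata, and the original code sections are replaced by near-random compressed data. The PE produced by build_sample_pe is a constructed stand-in, not the sample from this report, so that the check runs offline.

```python
"""PE section-table parser with an ASPack heuristic (added example, not the report's rule)."""
import math
import random
import struct
from dataclasses import dataclass

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}   # sections the ASPack stub appends
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass
class Section:
    name: str
    virtual_address: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, close to 8.0 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list[Section]:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)      # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)       # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(n_sections):
        name, _vsize, vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, raw_size, raw_ptr, chars, shannon_entropy(raw)))
    return sections


def detect_aspack(pe: bytes) -> dict:
    """Name-based ASPack verdict plus a generic 'packed code' hint from section entropy."""
    secs = parse_sections(pe)
    names = {s.name.encode() for s in secs}
    high_entropy_exec = [s.name for s in secs
                         if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.entropy > 7.0]
    return {"aspack": bool(names & ASPACK_SECTION_NAMES),
            "high_entropy_exec": high_entropy_exec,
            "sections": [(s.name, round(s.entropy, 2)) for s in secs]}


def build_pe(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Construct a minimal PE32 image (headers + raw section data) for offline testing."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic, rest zeroed
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = -(-headers_len // align) * align                      # file-align the first section
    table, body, vaddr = b"", b"", 0x1000
    for name, raw, chars in sections:
        padded = raw + b"\0" * (-len(raw) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), vaddr, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
        vaddr += -(-len(raw) // 0x1000) * 0x1000
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_ptr - len(body) - len(headers)) + body


def build_sample_pe() -> bytes:
    """Constructed stand-in for an ASPack-packed binary: compressed .text plus the stub's sections."""
    compressed = random.Random(1).randbytes(0x1000)                  # deterministic high-entropy filler
    stub = bytes.fromhex("60e803000000e9eb045d4555c3") + b"\0" * 64  # placeholder unpacker bytes
    return build_pe([(".text", compressed, 0x60000020),
                     (".aspack", stub, 0xE0000040),
                     (".adata", b"", 0xC0000040)])


if __name__ == "__main__":
    print(detect_aspack(build_sample_pe()))
```

The name check is the cheap, specific signal; the entropy column is what still tells you "packed" when a repacked or renamed stub has no .aspack section, so keep both in the report.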

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:872
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      PID:2792
  • C:\Users\Admin\AppData\Local\Temp\b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe
    "C:\Users\Admin\AppData\Local\Temp\b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:436
      • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          PID:1544
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          PID:1664
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1700
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat160f3eef83e07cf3a.exe
          4⤵
          PID:1092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat160387988bf6.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1324
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat160387988bf6.exe
            Sat160387988bf6.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            PID:1872
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              PID:768
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                7⤵
                PID:1576
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                7⤵
                • Executes dropped EXE
                PID:1136
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 288
                  8⤵
                  • Program crash
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat162e27781f4.exe
          4⤵
          • Loads dropped DLL
          PID:1800
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat162e27781f4.exe
            Sat162e27781f4.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat16cfe72a18.exe
          4⤵
          PID:1740
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16cfe72a18.exe
            Sat16cfe72a18.exe
            5⤵
            • Executes dropped EXE
            PID:2800
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\System32\msiexec.exe" /y .\u0VMOCA.KE6
              6⤵
              PID:2916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat166587ce542f4081.exe
          4⤵
          • Loads dropped DLL
          PID:1856
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat166587ce542f4081.exe
            Sat166587ce542f4081.exe
            5⤵
            • Executes dropped EXE
            PID:1932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat167c8d2a2ad.exe
          4⤵
          • Loads dropped DLL
          PID:1000
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat167c8d2a2ad.exe
            Sat167c8d2a2ad.exe
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Loads dropped DLL
            PID:896
            • C:\Users\Admin\Pictures\Adobe Films\wN5hYBg_m_Olc7sw116icSiq.exe
              "C:\Users\Admin\Pictures\Adobe Films\wN5hYBg_m_Olc7sw116icSiq.exe"
              6⤵
              • Executes dropped EXE
              PID:2832
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 844
              6⤵
              • Program crash
              PID:2236
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat166a2d0352f0def.exe /mixtwo
          4⤵
          • Loads dropped DLL
          PID:924
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat166a2d0352f0def.exe
            Sat166a2d0352f0def.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            PID:328
            • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat166a2d0352f0def.exe
              Sat166a2d0352f0def.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:1884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1616f4fdcffa5fe.exe
          4⤵
          • Loads dropped DLL
          PID:1852
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat1616f4fdcffa5fe.exe
            Sat1616f4fdcffa5fe.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            PID:952
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Sat1616f4fdcffa5fe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat1616f4fdcffa5fe.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:964
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im Sat1616f4fdcffa5fe.exe /f
                7⤵
                • Kills process with taskkill
                PID:1872
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1679fedabf32e9e.exe
          4⤵
          • Loads dropped DLL
          PID:656
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat1679fedabf32e9e.exe
            Sat1679fedabf32e9e.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1632049d9fe71f9c.exe
          4⤵
          PID:544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat16f0c9fe4357bd5.exe
          4⤵
          • Loads dropped DLL
          PID:1904
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16f0c9fe4357bd5.exe
            Sat16f0c9fe4357bd5.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:2368
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2444
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1633393229bac.exe
          4⤵
          • Loads dropped DLL
          PID:956
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat1633393229bac.exe
            Sat1633393229bac.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1888
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
              6⤵
              PID:2188
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
                7⤵
                PID:2256
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat16391fb04cc7c106.exe
          4⤵
          • Loads dropped DLL
          PID:816
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16391fb04cc7c106.exe
            Sat16391fb04cc7c106.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1692
            • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16391fb04cc7c106.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16391fb04cc7c106.exe" -u
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1512
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat161d014284dc2.exe
          4⤵
          • Loads dropped DLL
          PID:1460
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat161d014284dc2.exe
            Sat161d014284dc2.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2000
            • C:\Users\Admin\AppData\Local\Temp\is-US7UQ.tmp\Sat161d014284dc2.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-US7UQ.tmp\Sat161d014284dc2.tmp" /SL5="$50156,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat161d014284dc2.exe"
              6⤵
              • Executes dropped EXE
              PID:1624
              • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat161d014284dc2.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat161d014284dc2.exe" /SILENT
                7⤵
                • Executes dropped EXE
                PID:1372
                • C:\Users\Admin\AppData\Local\Temp\is-3IRQH.tmp\Sat161d014284dc2.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-3IRQH.tmp\Sat161d014284dc2.tmp" /SL5="$10176,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat161d014284dc2.exe" /SILENT
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat16ec4a145f.exe
          4⤵
          • Loads dropped DLL
          PID:1028
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat16ec4a145f.exe
            Sat16ec4a145f.exe
            5⤵
            • Executes dropped EXE
            PID:1648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat160a606e591dcbf39.exe
          4⤵
          • Loads dropped DLL
          PID:1864
          • C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat160a606e591dcbf39.exe
            Sat160a606e591dcbf39.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1696
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:2692
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
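The tree above is a compact catalogue of the tampering and living-off-the-land patterns a detection engineer should be matching on process-creation telemetry: Defender real-time protection and cloud reporting switched off, the staging directory excluded from scanning, a VBS dropped into the Startup folder, chrome.exe killed before its credential stores are read, a .cpl and a renamed DLL loaded out of %TEMP% via control.exe, rundll32.exe and msiexec /y, and a taskkill/timeout/del self-delete. As an added example (my own code, not a Triage signature), the rules below run over command lines copied verbatim from the tree plus a few constructed benign lines; rule names and regexes are my own.

```python
"""Command-line detection rules for the behaviours in this process tree (added example)."""
import re

# Each rule: name -> regex applied case-insensitively to one process command line.
RULES = {
    # Set-MpPreference -DisableRealtimeMonitoring $true: real-time protection off
    "defender_realtime_off":
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true",
    # the same command also silences MAPS cloud reporting
    "defender_cloud_reporting_off":
        r"Set-MpPreference\b.*-MAPSReporting\s+Disable",
    # Add-MpPreference -ExclusionPath <dir>: staging directory excluded from scanning
    "defender_exclusion_added":
        r"Add-MpPreference\b.*-ExclusionPath\b",
    # echo ... > ...\Startup\x.vbs: script written straight into the Startup folder
    "startup_folder_script_drop":
        r"echo\b.*>\s*\"?[^\"]*\\Startup\\[^\"]*\.(?:vbs|js|cmd|bat)",
    # taskkill /f /im chrome.exe: browser killed so its databases are unlocked
    "browser_process_kill":
        r"taskkill\b.*?/im\s+(?:chrome|firefox|msedge|opera|brave)\.exe",
    # control.exe / Control_RunDLL loading a .cpl (a DLL) out of %TEMP%
    "cpl_applet_from_temp":
        r"(?:control\.exe\"?|Control_RunDLL)\s+\"?[^\"]*\\Temp\\[^\"]*\.cpl\b",
    # rundll32.exe <dll in %TEMP%>,<export>  (sqlite.dll,global in the tree)
    "rundll32_dll_from_temp":
        r"rundll32\.exe\"?\s+\"?[^\"]*\\Temp\\[^\"]*\.dll\"?\s*,",
    # msiexec /y <file> registers a DLL; a non-.dll extension is a loader trick
    "msiexec_register_non_dll":
        r"msiexec\.exe\"?\s+/[yz]\s+(?!\S*\.dll\b)\S+",
    # taskkill ... & timeout ... & del ...: self-deletion after the payload ran
    "self_delete_after_kill":
        r"taskkill\b.*&\s*timeout\b.*&\s*del\b",
}
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES.items()]

# Command lines copied from the process tree above (constructed input for the scan).
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",',
    r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
    r'"C:\Windows\System32\msiexec.exe" /y .\u0VMOCA.KE6',
    r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sat1616f4fdcffa5fe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4B16B976\Sat1616f4fdcffa5fe.exe" & del C:\ProgramData\*.dll & exit',
]

# Constructed benign lines that must not fire.
BENIGN_COMMAND_LINES = [
    r'C:\Windows\system32\svchost.exe -k netsvcs',
    r'powershell -NonInteractive -Command Get-MpPreference',
    r'"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\Downloads\tool.msi /qn',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
]


def scan_command_lines(lines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = {}
    for line in lines:
        for name, rx in COMPILED:
            if rx.search(line):
                hits.setdefault(name, []).append(line)
    return hits


if __name__ == "__main__":
    for name, matched in scan_command_lines(SAMPLE_COMMAND_LINES).items():
        print(f"[{name}]")
        for line in matched:
            print("   ", line[:110])
```

Two of these deserve a note. The Defender commands run as the sandbox's Admin user, which is why they succeed; on a host with tamper protection enabled, the Set-MpPreference call fails but the attempt is still the alert. And the .cpl rule is keyed on the path, not the extension casing (K7IbNX.cpL in the tree), because control.exe loads the file as a DLL regardless of how the extension is spelled.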

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/852-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize
    8KB
  • memory/952-225-0x0000000000650000-0x00000000006CD000-memory.dmp
    Filesize
    500KB
  • memory/972-94-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize
    100KB
  • memory/972-96-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize
    100KB
  • memory/972-84-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize
    572KB
  • memory/972-86-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize
    572KB
  • memory/972-92-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize
    100KB
  • memory/972-85-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize
    572KB
  • memory/972-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize
    1.5MB
  • memory/972-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize
    1.5MB
  • memory/972-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize
    1.5MB
  • memory/972-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize
    1.5MB
  • memory/972-91-0x000000006B280000-0x000000006B2A6000-memory.dmp
    Filesize
    152KB
  • memory/972-106-0x000000006B280000-0x000000006B2A6000-memory.dmp
    Filesize
    152KB
  • memory/972-99-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize
    100KB
  • memory/972-102-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize
    572KB
  • memory/972-104-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize
    1.5MB
  • memory/1136-223-0x0000000000400000-0x0000000003D6C000-memory.dmp
    Filesize
    57.4MB
  • memory/1136-216-0x0000000000300000-0x0000000000400000-memory.dmp
    Filesize
    1024KB
  • memory/1136-217-0x0000000000400000-0x0000000003D6C000-memory.dmp
    Filesize
    57.4MB
  • memory/1136-220-0x0000000000400000-0x0000000003D6C000-memory.dmp
    Filesize
    57.4MB
  • memory/1136-228-0x0000000000400000-0x0000000003D6C000-memory.dmp
    Filesize
    57.4MB
  • memory/1136-227-0x0000000000400000-0x0000000003D6C000-memory.dmp
    Filesize
    57.4MB
  • memory/1164-229-0x0000000000680000-0x0000000000691000-memory.dmp
    Filesize
    68KB
  • memory/1884-190-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize
    320KB
  • memory/1884-192-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize
    320KB
  • memory/1932-231-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize
    4KB