Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-12-2021 21:24
General
-
Target
209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a.exe
-
Size
212KB
-
MD5
2c68058dbc749613a9cea8d8049f34f1
-
SHA1
dcc676b20cb901d6347324356b4cc6ba3f9ee4c3
-
SHA256
209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a
-
SHA512
ae2225929c37c9fb6f6b15314a2c8059e399b0b156f4ecd1933de63b8daa2bb1c8c5519c1738256130abd31ced2bc5f0734e9b1267e44358fda8a3d1311719d3
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
tofsee
mubrikych.top
oxxyfix.xyz
Extracted
redline
1
86.107.197.138:38133
Extracted
amadey
2.86
2.56.56.210/notAnoob/index.php
Extracted
redline
runpe
142.202.242.172:7667
Extracted
raccoon
10da56e7e71e97bdc1f36eb76813bbc3231de7e4
-
url4cnc
http://194.180.174.53/capibar
http://91.219.236.18/capibar
http://194.180.174.41/capibar
http://91.219.236.148/capibar
https://t.me/capibar
Extracted
redline
444
31.131.254.105:1498
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Arkei
Arkei is an infostealer written in C++.
-
Detect Neshta Payload 24 IoCs
-
Modifies system executable filetype association 2 TTPs 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload 3 IoCs
-
Windows security bypass 2 TTPs
-
Arkei Stealer Payload 3 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 20 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 4 IoCs
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 55 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a.exe"C:\Users\Admin\AppData\Local\Temp\209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a.exe"C:\Users\Admin\AppData\Local\Temp\209b4be0aa4801cb928ced5e6deb65f9ea3dba6a2ee3838c2511bc982ee1f78a.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\FE08.exeC:\Users\Admin\AppData\Local\Temp\FE08.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\FE08.exeC:\Users\Admin\AppData\Local\Temp\FE08.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\963.exeC:\Users\Admin\AppData\Local\Temp\963.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\6CF1.exeC:\Users\Admin\AppData\Local\Temp\6CF1.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\6CF1.exe" & exit2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\7147.exeC:\Users\Admin\AppData\Local\Temp\7147.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qdywswoh\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wkiikjfo.exe" C:\Windows\SysWOW64\qdywswoh\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create qdywswoh binPath= "C:\Windows\SysWOW64\qdywswoh\wkiikjfo.exe /d\"C:\Users\Admin\AppData\Local\Temp\7147.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description qdywswoh "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start qdywswoh2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\762A.exeC:\Users\Admin\AppData\Local\Temp\762A.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\762A.exeC:\Users\Admin\AppData\Local\Temp\762A.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\762A.exeC:\Users\Admin\AppData\Local\Temp\762A.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\762A.exeC:\Users\Admin\AppData\Local\Temp\762A.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\qdywswoh\wkiikjfo.exeC:\Windows\SysWOW64\qdywswoh\wkiikjfo.exe /d"C:\Users\Admin\AppData\Local\Temp\7147.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\CE6D.exeC:\Users\Admin\AppData\Local\Temp\CE6D.exe1⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3582-490\CE6D.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\CE6D.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\PROGRA~3\9543_1~1.EXE"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\PROGRA~3\9543_1~1.EXEC:\PROGRA~3\9543_1~1.EXE4⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\svchost.com"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exeC:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe6⤵
- Executes dropped EXE
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\D6BB.exeC:\Users\Admin\AppData\Local\Temp\D6BB.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 4002⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\E850.exeC:\Users\Admin\AppData\Local\Temp\E850.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\EB6E.exeC:\Users\Admin\AppData\Local\Temp\EB6E.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\F561.exeC:\Users\Admin\AppData\Local\Temp\F561.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
-
Filesize
52KB
-
Filesize
1.3MB
-
Filesize
36KB
-
Filesize
112KB
-
Filesize
4.2MB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
384KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
108KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.2MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
10.7MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
32KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
852KB
-
Filesize
56KB
-
Filesize
4.4MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
32KB
-
Filesize
4.1MB
-
Filesize
36KB