Analysis
max time kernel: 150s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211208
submitted: 19-01-2022 20:52

Static task: static1
Behavioral task: behavioral1
Sample: 67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Resource: win10-en-20211208
General
Target: 67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Size: 256KB
MD5: 4c62b642ff4ec34605e3e45ebedf9167
SHA1: fb799c3f0222ae527c8b9a3f8ab4cdb4ef12b02c
SHA256: 67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d
SHA512: 23b79aeb68a3aacc19dfcfe29b59eb49c5c434498422378ea560be368d7ff795293c94cb5df23b63c185e801a0a15aad3ba397a7a6b4e50097a3ab59590b6a08
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/

Extracted
Family: vidar
Version: 49.7
1131
C2:
https://mastodon.online/@prophef1
https://koyu.space/@prophef2
profile_id: 1131
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Inbound)
-
suricata: ET MALWARE Win32/Delf.BLL Variant CnC Activity (Outbound)
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
ModiLoader First Stage 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/1968-186-0x0000000000400000-0x000000000045A000-memory.dmp  modiloader_stage1
behavioral1/memory/1968-188-0x0000000000400000-0x000000000045A000-memory.dmp  modiloader_stage1
-
Vidar Stealer 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/784-128-0x0000000000400000-0x0000000000794000-memory.dmp  family_vidar
behavioral1/memory/784-130-0x0000000000400000-0x0000000000794000-memory.dmp  family_vidar
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
pid   process
784   53C.exe
364   23A2.exe
1980  23A2.exe
1968  23A2.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   53C.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  53C.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
3028
-
Loads dropped DLL 2 IoCs
Processes:
pid  process
784  53C.exe
784  53C.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                                                                                        process
Set value (str)  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\RevoUninstall_2_3_5 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Revo\\RevoUninstall_2_3_5.exe\""  23A2.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
description        ioc                                                                          process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  53C.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                   ioc                 process
File opened for modification  \??\PhysicalDrive0  23A2.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid  process
784  53C.exe
784  53C.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid  process   target process
PID 364 set thread context of 1968  364  23A2.exe  23A2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc                                                                                 process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    53C.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  53C.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
2352  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
2352  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
3028  (62 entries; no process name recorded)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3028
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2352  67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe
-
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
description                       pid   process
Token: SeShutdownPrivilege        3028  (12 entries)
Token: SeCreatePagefilePrivilege  3028  (12 entries)
Token: SeDebugPrivilege           364   23A2.exe
The report lists the 3028 entries as alternating SeShutdownPrivilege / SeCreatePagefilePrivilege pairs, ten pairs before the SeDebugPrivilege entry and two after it.
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description                       pid   process   target process  count
PID 3028 wrote to memory of 784   3028            53C.exe         3
PID 3028 wrote to memory of 364   3028            23A2.exe        3
PID 364 wrote to memory of 2832   364   23A2.exe  cmd.exe         3
PID 2832 wrote to memory of 1312  2832  cmd.exe   PING.EXE        3
PID 364 wrote to memory of 1980   364   23A2.exe  23A2.exe        3
PID 364 wrote to memory of 1968   364   23A2.exe  23A2.exe        11
Processes
-
C:\Users\Admin\AppData\Local\Temp\67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\67820ccc5249149b19caac0761280f57bd2d677fb4c0f2aaab81bdb26053171d.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\53C.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\53C.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\23A2.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\23A2.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 2)
Command line: "C:\Windows\System32\cmd.exe" /C ping google.com
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXE (depth 3)
Command line: ping google.com
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\23A2.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\23A2.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\23A2.exe (depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\23A2.exe
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\23A2.exe
MD5: d71eb9926317054c9a8da5b7a8e22ba4
SHA1: 5319a4dbdb1ae2662100375559a6247929616f2d
SHA256: 07aceec8c3194a7e86f406f2cedfd0b7a765de90f1147c3bb1f58eb97617530e
SHA512: 90d8aaff479ac3884607136b95d72f7d51b7b4aa9667fcd621b4890487d87bc3d10ebf13d9bffc2665d7a465a9e186f2c62f4b17a81ea8f84109d74a3d182cb8
-
C:\Users\Admin\AppData\Local\Temp\53C.exe
MD5: b5d3bb71ea746a115af16ec859cb0cbf
SHA1: 8a56a6da989c5a1e4bceea554de821387e9e01e7
SHA256: 8c8fd0120327d4795bcf8fcf2ce131a480ae41cf200e844bc1eb0185cd2d3741
SHA512: 9025428ba9c3c48863a6415603e5e1b157f548fb3e637ee31e21eaa7a0a6c3bd8a535fae2a17ad27ea937ad5e9084ae3d3a8e16f85a49779ce2d66a351ac699e
-
\ProgramData\mozglue.dll
MD5: 8f73c08a9660691143661bf7332c3c27
SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dll
MD5: bfac4e3c5908856ba17d41edcd455a51
SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/364-183-0x00000000050F0000-0x000000000513C000-memory.dmp   Filesize: 304KB
memory/364-180-0x0000000004F30000-0x0000000004F31000-memory.dmp   Filesize: 4KB
memory/364-140-0x00000000005E0000-0x000000000060E000-memory.dmp   Filesize: 184KB
memory/364-181-0x0000000005080000-0x00000000050EC000-memory.dmp   Filesize: 432KB
memory/364-182-0x0000000005B80000-0x0000000005BD6000-memory.dmp   Filesize: 344KB
memory/364-184-0x0000000005950000-0x00000000059B6000-memory.dmp   Filesize: 408KB
memory/784-122-0x00000000001E0000-0x00000000001E1000-memory.dmp   Filesize: 4KB
memory/784-124-0x00000000023F0000-0x0000000002433000-memory.dmp   Filesize: 268KB
memory/784-129-0x0000000077E40000-0x0000000077FCE000-memory.dmp   Filesize: 1.6MB
memory/784-128-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/784-127-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/784-126-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/784-125-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/784-130-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/784-123-0x0000000076F80000-0x0000000077142000-memory.dmp   Filesize: 1.8MB
memory/784-121-0x0000000000400000-0x0000000000794000-memory.dmp   Filesize: 3.6MB
memory/1968-186-0x0000000000400000-0x000000000045A000-memory.dmp  Filesize: 360KB
memory/1968-188-0x0000000000400000-0x000000000045A000-memory.dmp  Filesize: 360KB
memory/2352-115-0x0000000000030000-0x0000000000038000-memory.dmp  Filesize: 32KB
memory/2352-117-0x0000000000400000-0x0000000000447000-memory.dmp  Filesize: 284KB
memory/2352-116-0x00000000004A0000-0x00000000005EA000-memory.dmp  Filesize: 1.3MB
memory/3028-118-0x00000000008A0000-0x00000000008B6000-memory.dmp  Filesize: 88KB