Analysis

  • max time kernel
    292s
  • max time network
    304s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/11/2022, 12:19

General

  • Target

    anon1.c.exe

  • Size

    6.3MB

  • MD5

    ec54635cd5ecaf1b3bfeaac4ad54f360

  • SHA1

    78ce05e39cd35bb9f932dadf0d2dc7bb2783cb15

  • SHA256

    04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761

  • SHA512

    44043cdae43b0fe3e9c8a247e568925c5c8047fa425d61bfb428cb6376f9ba1d8bfa50b362657ca73a48c015f7fb1ea6b496a00d68473f6ee92eebbc17e5e236

  • SSDEEP

    98304:F0fI8YvciV+yBm0XA7HCOaYh5JTrQOdauaHaSZSxT+yq1Dc0:F0oxLA7HJaW5tbauFgSx4

Malware Config

Extracted

Family

raccoon

Botnet

94c54520400750937a6f1bf6044f8667

C2

http://194.37.80.221/

rc4.plain

Extracted

Family

systembc

C2

45.15.156.48:4254

146.70.53.169:4254

Extracted

Family

redline

Botnet

Test1

C2

45.15.156.48:8285

Attributes
  • auth_value

    3ec6815aabd0bab316e997c1c7898294

Signatures

  • Raccoon

    Raccoon is an infostealer written in C++ and first seen in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 4 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 4 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\anon1.c.exe
    "C:\Users\Admin\AppData\Local\Temp\anon1.c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe
      "C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:2036
    • C:\Users\Admin\AppData\Roaming\c6dvZEah.exe
      "C:\Users\Admin\AppData\Roaming\c6dvZEah.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\system32\cmd.exe
        cmd.exe /C schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Windows\system32\schtasks.exe
          schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
          4⤵
          • Creates scheduled task(s)
          PID:1364
    • C:\Users\Admin\AppData\Roaming\ksUM43uw.exe
      "C:\Users\Admin\AppData\Roaming\ksUM43uw.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1876
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {A3B4FD51-C93F-4A01-8B93-861222ECF246} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe
      C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe start
      2⤵
      • Executes dropped EXE
      PID:1496
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {11097B21-E440-4B64-8A1B-12C9B30BF8B1} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe
      2⤵
      • Executes dropped EXE
      PID:972

Network


        Downloads

        • C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe

          Filesize

          322KB

          MD5

          8850b7c96abf365df3fd542cb17755c5

          SHA1

          90e77265727ab091e9ee48e82df170b8929998b4

          SHA256

          cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5

          SHA512

          d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933

        • C:\Users\Admin\AppData\Roaming\c6dvZEah.exe

          Filesize

          4.8MB

          MD5

          27d2a70c1f2a5a6cdb5b5e87e976014d

          SHA1

          9b68a92a1e305f44ad040cc7ab5f4eb63ea58907

          SHA256

          d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a

          SHA512

          c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5

        • C:\Users\Admin\AppData\Roaming\ksUM43uw.exe

          Filesize

          2.4MB

          MD5

          25b80f714520a949e5ae6b95b0585ce8

          SHA1

          9265fb3f52d272fe4a034f45b5e9b49eefd28e09

          SHA256

          b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba

          SHA512

          0b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98

        • C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe

          Filesize

          4.8MB

          MD5

          27d2a70c1f2a5a6cdb5b5e87e976014d

          SHA1

          9b68a92a1e305f44ad040cc7ab5f4eb63ea58907

          SHA256

          d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a

          SHA512

          c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5

        • \Users\Admin\AppData\LocalLow\mozglue.dll

          Filesize

          612KB

          MD5

          f07d9977430e762b563eaadc2b94bbfa

          SHA1

          da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

          SHA256

          4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

          SHA512

          6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

        • \Users\Admin\AppData\LocalLow\nss3.dll

          Filesize

          1.9MB

          MD5

          f67d08e8c02574cbc2f1122c53bfb976

          SHA1

          6522992957e7e4d074947cad63189f308a80fcf2

          SHA256

          c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

          SHA512

          2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

        • \Users\Admin\AppData\LocalLow\sqlite3.dll

          Filesize

          1.0MB

          MD5

          dbf4f8dcefb8056dc6bae4b67ff810ce

          SHA1

          bbac1dd8a07c6069415c04b62747d794736d0689

          SHA256

          47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

          SHA512

          b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

        • \Users\Admin\AppData\Roaming\14dsT2Dg.exe

          Filesize

          322KB

          MD5

          8850b7c96abf365df3fd542cb17755c5

          SHA1

          90e77265727ab091e9ee48e82df170b8929998b4

          SHA256

          cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5

          SHA512

          d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933

        • \Users\Admin\AppData\Roaming\c6dvZEah.exe

          Filesize

          4.8MB

          MD5

          27d2a70c1f2a5a6cdb5b5e87e976014d

          SHA1

          9b68a92a1e305f44ad040cc7ab5f4eb63ea58907

          SHA256

          d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a

          SHA512

          c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5

        • \Users\Admin\AppData\Roaming\ksUM43uw.exe

          Filesize

          2.4MB

          MD5

          25b80f714520a949e5ae6b95b0585ce8

          SHA1

          9265fb3f52d272fe4a034f45b5e9b49eefd28e09

          SHA256

          b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba

          SHA512

          0b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98

        • \Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe

          Filesize

          4.8MB

          MD5

          27d2a70c1f2a5a6cdb5b5e87e976014d

          SHA1

          9b68a92a1e305f44ad040cc7ab5f4eb63ea58907

          SHA256

          d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a

          SHA512

          c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5

        • memory/1184-56-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

          Filesize

          8KB

        • memory/1184-77-0x0000000000400000-0x0000000000DCA000-memory.dmp

          Filesize

          9.8MB

        • memory/1184-54-0x0000000000400000-0x0000000000DCA000-memory.dmp

          Filesize

          9.8MB

        • memory/1184-57-0x0000000000400000-0x0000000000DCA000-memory.dmp

          Filesize

          9.8MB

        • memory/1184-61-0x0000000000400000-0x0000000000DCA000-memory.dmp

          Filesize

          9.8MB

        • memory/1496-105-0x00000000002CB000-0x00000000002E1000-memory.dmp

          Filesize

          88KB

        • memory/1496-103-0x0000000000400000-0x0000000002C3E000-memory.dmp

          Filesize

          40.2MB

        • memory/1496-102-0x00000000002CB000-0x00000000002E1000-memory.dmp

          Filesize

          88KB

        • memory/1876-90-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1876-91-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1876-84-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/1876-82-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/2036-101-0x0000000002E0B000-0x0000000002E21000-memory.dmp

          Filesize

          88KB

        • memory/2036-81-0x0000000000400000-0x0000000002C3E000-memory.dmp

          Filesize

          40.2MB

        • memory/2036-80-0x0000000000220000-0x0000000000225000-memory.dmp

          Filesize

          20KB

        • memory/2036-79-0x0000000002E0B000-0x0000000002E21000-memory.dmp

          Filesize

          88KB