Overview

overview

10

Static

static

2020-08-16...in.exe

windows7_x64

10

2020-08-16...in.exe

windows10_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    27-08-2020 15:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2020-08-16_12-33-29.bin.exe

  • Size

    182KB

  • MD5

    31293dfcacc8dc2e1e0daca8ad83ffe4

  • SHA1

    49d99d21ee7070f9923e53247dff9359cef66e56

  • SHA256

    8d6a931a8e8a65cf3a98fc2ee69ded2bd91ee03ef6677c6f653561dd4742ce17

  • SHA512

    962605b126e84500a0039b6ddcc2dd6686c942e2aa762d09ab49f97200812721c837770e116f5cb0477ce6ce145529830ef6cfafadb311944c28d388a3ee68dc

Score
10/10
dharmasmokeloaderbackdoorpersistenceransomwaretrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rexstat35x.xyz/statweb955/

http://dexspot2x.xyz/statweb955/

http://atxspot20x.xyz/statweb955/

http://rexspot7x.xyz/statweb955/

http://fdmail85.club/statweb955/

http://servicem977x.xyz/statweb955/

http://advertxman7x.xyz/statweb955/

http://starxpush7x.xyz/statweb955/
rc4.i32
rc4.i32

Signatures

  • Dharma

    Dharma is a ransomware that uses security software installation to hide malicious activities.

    ransomwaredharma
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 5 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:240
    • C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\2020-08-16_12-33-29.bin.exe"
      2⤵
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1876
  • C:\Users\Admin\AppData\Local\Temp\7E.exe
    C:\Users\Admin\AppData\Local\Temp\7E.exe
    1⤵
    • Executes dropped EXE
    • Drops startup file
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\mode.com
        mode con cp select=1251
        3⤵
          PID:804
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          3⤵
          • Interacts with shadow copies
          PID:836
    • C:\Users\Admin\AppData\Local\Temp\1E5.exe
      C:\Users\Admin\AppData\Local\Temp\1E5.exe
      1⤵
      • Executes dropped EXE
      PID:1968
    • C:\Users\Admin\AppData\Local\Temp\2F0.exe
      C:\Users\Admin\AppData\Local\Temp\2F0.exe
      1⤵
      • Executes dropped EXE
      PID:832
    • C:\Users\Admin\AppData\Local\Temp\4A5.exe
      C:\Users\Admin\AppData\Local\Temp\4A5.exe
      1⤵
      • Executes dropped EXE
      PID:1368
    • C:\Users\Admin\AppData\Local\Temp\5DE.exe
      C:\Users\Admin\AppData\Local\Temp\5DE.exe
      1⤵
      • Executes dropped EXE
      PID:1496

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    File Deletion

    2
    T1107

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Inhibit System Recovery

    2
    T1490

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1E5.exe
      MD5

      359a7ae304a3ce473aa85553923f6c65

      SHA1

      a273ef45d9ca0984ee6d216ec184d5056c39b80f

      SHA256

      161e8c0f3023f41c1d2dfa862a797b5308a97c68f468259f6c9347d6e14621aa

      SHA512

      b76418de9c516ce33fbdf7416d53d008cb6f7a7588a8857fcc2edd672e45a2d5f74dbcfbc21c1b6ab46726bb23008f677a8598563eeffc0ddfaa40d93fc1db63

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2F0.exe
      MD5

      9554ed93dcd76c7eb9cc354c1226b4b9

      SHA1

      cb294b3a17db3cd049f6d3a04d446a0c945fc58d

      SHA256

      f3ff3b74e22c128de4ffa2d52930077f77a9b7cef0d8c52a491166101b34ce2f

      SHA512

      af7001be8e70b14e92e2954f54f2f27588c65bd8819692e90cf7bb3df8af3f706c069ad0ab89646af80be0ad88c83f92965fccd924557db04e479f8ae3a02cc5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\4A5.exe
      MD5

      8a18416a19f624b5ee624e58247436f9

      SHA1

      69a8e7b3dd161317c342bdc50f89ceedaa27421f

      SHA256

      7ce7f067be48fa72bbed8c5cfb27c7c18585847a118ca2bbc6f63b0890865965

      SHA512

      25e28542e8222f41ba6c876f8c21dc83810d7ba987f315396ec780b37af7a65f0102473aae418161095dbdf6d7333eb36f36ada5d4fa0e21a22aed5f7e42cfe5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7E.exe
      MD5

      52ac90f9816873680666d4f2692b0409

      SHA1

      706f2797b81341f7df9786f4c2812f63dfa0a5de

      SHA256

      ee28d94d0c9f1e47e533c65c66fe4ad23923136fb0d0805a86f21ff56c838f12

      SHA512

      519232081dc4ea5b73ccd90a2b58be9cac1ce27801acf0a4d7ea967cc8872be9b849769bbd864a85deb9aa517ef4134ddfa268e05a94ef8d1eb486a2768b8556

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\7E.exe
      MD5

      52ac90f9816873680666d4f2692b0409

      SHA1

      706f2797b81341f7df9786f4c2812f63dfa0a5de

      SHA256

      ee28d94d0c9f1e47e533c65c66fe4ad23923136fb0d0805a86f21ff56c838f12

      SHA512

      519232081dc4ea5b73ccd90a2b58be9cac1ce27801acf0a4d7ea967cc8872be9b849769bbd864a85deb9aa517ef4134ddfa268e05a94ef8d1eb486a2768b8556

      Download Submit
    • \Users\Admin\AppData\Local\Temp\2F0.exe
      MD5

      9554ed93dcd76c7eb9cc354c1226b4b9

      SHA1

      cb294b3a17db3cd049f6d3a04d446a0c945fc58d

      SHA256

      f3ff3b74e22c128de4ffa2d52930077f77a9b7cef0d8c52a491166101b34ce2f

      SHA512

      af7001be8e70b14e92e2954f54f2f27588c65bd8819692e90cf7bb3df8af3f706c069ad0ab89646af80be0ad88c83f92965fccd924557db04e479f8ae3a02cc5

      Download Submit
    • \Users\Admin\AppData\Local\Temp\D47F.tmp
      MD5

      d124f55b9393c976963407dff51ffa79

      SHA1

      2c7bbedd79791bfb866898c85b504186db610b5d

      SHA256

      ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

      SHA512

      278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

      Download Submit
    • memory/240-1-0x0000000004DA0000-0x0000000004DB1000-memory.dmp
      Filesize

      68KB

      Download
    • memory/240-0-0x00000000033AF000-0x00000000033B0000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-19-0x0000000000000000-mapping.dmp
      Download
    • memory/832-12-0x0000000000000000-mapping.dmp
      Download
    • memory/836-21-0x0000000000000000-mapping.dmp
      Download
    • memory/1208-5-0x0000000002200000-0x0000000002216000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1368-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1496-23-0x0000000000000000-mapping.dmp
      Download
    • memory/1876-3-0x0000000000402C70-mapping.dmp
      Download
    • memory/1876-2-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1964-13-0x0000000003680000-0x0000000003691000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1964-10-0x00000000033AA000-0x00000000033AB000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1964-6-0x0000000000000000-mapping.dmp
      Download
    • memory/1968-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1968-22-0x0000000003630000-0x0000000003641000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2016-16-0x0000000000000000-mapping.dmp
      Download