Vr.rar

Errors
Reason Machine shutdown
General
Target

0x000300000001ac99-126.exe

Filesize

300KB

Completed

25-11-2020 10:46

Score
10 /10
MD5

ca58d4cf4a5e0725f844c8eae3f8ae67

SHA1

fbce92619ce23f4594846f2f789e513dab9f3239

SHA256

0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054

Malware Config

Extracted

Family smokeloader
Version 2020
C2

http://vintrsi.com/upload/

http://woatdert.com/upload/

http://waruse.com/upload/
rc4.i32
rc4.i32
Signatures 11

Filter: none

Discovery
Persistence
  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Executes dropped EXE
    E881.exeF19A.exeF8FE.exe

    Reported IOCs

    pidprocess
    4208E881.exe
    3860F19A.exe
    1736F8FE.exe
  • Deletes itself

    Reported IOCs

    pidprocess
    2300
  • Loads dropped DLL
    0x000300000001ac99-126.exe

    Reported IOCs

    pidprocess
    46920x000300000001ac99-126.exe
  • Writes to the Master Boot Record (MBR)
    E881.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    Tags

    TTPs

    Bootkit

    Reported IOCs

    descriptioniocprocess
    File opened for modification\??\PHYSICALDRIVE0E881.exe
  • Checks SCSI registry key(s)
    0x000300000001ac99-126.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac99-126.exe
    Key queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac99-126.exe
    Key enumerated\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI0x000300000001ac99-126.exe
  • Suspicious behavior: EnumeratesProcesses
    0x000300000001ac99-126.exe

    Reported IOCs

    pidprocess
    46920x000300000001ac99-126.exe
    46920x000300000001ac99-126.exe
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
    2300
  • Suspicious behavior: MapViewOfSection
    0x000300000001ac99-126.exe

    Reported IOCs

    pidprocess
    46920x000300000001ac99-126.exe
  • Suspicious use of AdjustPrivilegeToken
    E881.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeShutdownPrivilege4208E881.exe
  • Suspicious use of UnmapMainImage

    Reported IOCs

    pidprocess
    2300
  • Suspicious use of WriteProcessMemory

    Reported IOCs

    descriptionpidprocesstarget process
    PID 2300 wrote to memory of 42082300E881.exe
    PID 2300 wrote to memory of 42082300E881.exe
    PID 2300 wrote to memory of 42082300E881.exe
    PID 2300 wrote to memory of 38602300F19A.exe
    PID 2300 wrote to memory of 38602300F19A.exe
    PID 2300 wrote to memory of 38602300F19A.exe
    PID 2300 wrote to memory of 17362300F8FE.exe
    PID 2300 wrote to memory of 17362300F8FE.exe
    PID 2300 wrote to memory of 17362300F8FE.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe"
    Loads dropped DLL
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: MapViewOfSection
    PID:4692
  • C:\Users\Admin\AppData\Local\Temp\E881.exe
    C:\Users\Admin\AppData\Local\Temp\E881.exe
    Executes dropped EXE
    Writes to the Master Boot Record (MBR)
    Suspicious use of AdjustPrivilegeToken
    PID:4208
  • C:\Users\Admin\AppData\Local\Temp\F19A.exe
    C:\Users\Admin\AppData\Local\Temp\F19A.exe
    Executes dropped EXE
    PID:3860
  • C:\Users\Admin\AppData\Local\Temp\F8FE.exe
    C:\Users\Admin\AppData\Local\Temp\F8FE.exe
    Executes dropped EXE
    PID:1736
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
          Discovery
          Execution
            Exfiltration
              Impact
                Initial Access
                  Lateral Movement
                    Persistence
                    Privilege Escalation
                      Replay Monitor
                      00:00 00:00
                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\E881.exe

                        MD5

                        dd82df483ab0a2875831209f12c4e978

                        SHA1

                        42b7715d00487578f228ae391c72edada07767d9

                        SHA256

                        5882c641289a6ea69516167a057dc7099d7dc17a00b78c0afaee9b2133e30d9f

                        SHA512

                        b66c288c073e85072adbcaac0b284ce4f2b307ca8729aef3c1b8a94c2c28b900018cddc5a6971f89a5ae70caa4d146369d7dbc41f89157be356a8f900b6eeacc

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\E881.exe

                        MD5

                        dd82df483ab0a2875831209f12c4e978

                        SHA1

                        42b7715d00487578f228ae391c72edada07767d9

                        SHA256

                        5882c641289a6ea69516167a057dc7099d7dc17a00b78c0afaee9b2133e30d9f

                        SHA512

                        b66c288c073e85072adbcaac0b284ce4f2b307ca8729aef3c1b8a94c2c28b900018cddc5a6971f89a5ae70caa4d146369d7dbc41f89157be356a8f900b6eeacc

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F19A.exe

                        MD5

                        801a4e85faeb41919a0da6fa174ada04

                        SHA1

                        cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

                        SHA256

                        23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

                        SHA512

                        319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F19A.exe

                        MD5

                        801a4e85faeb41919a0da6fa174ada04

                        SHA1

                        cf6a3be6cf3130a0d2a92ac9eec392e43029a06c

                        SHA256

                        23a96527c86ed75232f146343a612a96b8a6e70433cbdf39c9a611aeb3191ddd

                        SHA512

                        319b835e51c98e710a9bea852b79796f1516a5f38b092a2319e65cf21ca63be25621a8a89bd33fe32bc75fde5e115597d141fb68897738daccf476e9576dd54b

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F8FE.exe

                        MD5

                        7f1c0fe70e588f3bead08b64910b455e

                        SHA1

                        b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

                        SHA256

                        4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

                        SHA512

                        e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\F8FE.exe

                        MD5

                        7f1c0fe70e588f3bead08b64910b455e

                        SHA1

                        b0d78d67ee8a703e2c5dff5f50b34c504a91cfee

                        SHA256

                        4788a1207c8a83d6051a12d1bbc63e889fbf142e9479c8d2919e8dcb0e4a6cc4

                        SHA512

                        e5c5227943683851d393328d41c86066ece40f6813533f010963f5515d369d3aa57175f169aef9f428deca38810be75ee8d40b735a0af8826fd7c1bb444b1a84

                        Download Submit

                      • \Users\Admin\AppData\Local\Temp\CC4F.tmp

                        MD5

                        50741b3f2d7debf5d2bed63d88404029

                        SHA1

                        56210388a627b926162b36967045be06ffb1aad3

                        SHA256

                        f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

                        SHA512

                        fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

                        Download Submit

                      • memory/1736-9-0x0000000000000000-mapping.dmp

                        Download

                      • memory/2300-2-0x0000000000890000-0x00000000008A6000-memory.dmp

                        Download

                      • memory/3860-13-0x0000000006440000-0x0000000006441000-memory.dmp

                        Download

                      • memory/3860-6-0x0000000000000000-mapping.dmp

                        Download

                      • memory/4208-3-0x0000000000000000-mapping.dmp

                        Download

                      • memory/4208-12-0x0000000006530000-0x0000000006531000-memory.dmp

                        Download

                      • memory/4692-0-0x0000000006490000-0x0000000006491000-memory.dmp

                        Download