Analysis
- max time kernel: 31s
- max time network: 30s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 28-12-2020 15:49
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
- Size: 154KB
- MD5: c15de5bd771cbdadc7870814debee5e6
- SHA1: 89dc5b908e99a6270864e2df0c72cc31fb7b05ff
- SHA256: 310966da92c632e2cb4b22c9efc1bcbffe71c54be89cdb4b2b2119611be25fd0
- SHA512: 299cac00651dfe3b73cc1554d8e8e23ff8286b17c95f46be6e59f10e4932cdcbc28790e2e8c00d43b002d8e7e251f0a9a4ce7f2cd84f186d6cdb81991f820556
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://vtdilet.com/upload/
  http://netvxi.com/upload/
  http://tinnys.monster/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2920  99B5.exe
    2252  9C85.exe
    208   A502.exe
- YARA rule matches (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\99B5.exe  upx
    C:\Users\Admin\AppData\Local\Temp\99B5.exe  upx
    C:\Users\Admin\AppData\Local\Temp\9C85.exe  upx
    C:\Users\Admin\AppData\Local\Temp\9C85.exe  upx
    C:\Users\Admin\AppData\Local\Temp\A502.exe  upx
    C:\Users\Admin\AppData\Local\Temp\A502.exe  upx
- Deletes itself (1 IoCs)
  Processes (pid, process):
    3024
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    500   SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
    File opened for modification  \??\PHYSICALDRIVE0  9C85.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
- Suspicious behavior: EnumeratesProcesses (432 IoCs)
  Processes (pid, process):
    500   SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
    500   SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
    3024  (listed repeatedly; no process name is recorded for pid 3024)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    500   SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  2252  9C85.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 3024 wrote to memory of 2920  3024  (none)  99B5.exe  (listed 3 times)
    PID 3024 wrote to memory of 2252  3024  (none)  9C85.exe  (listed 3 times)
    PID 3024 wrote to memory of 208   3024  (none)  A502.exe  (listed 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Trojan.cc.21406.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\99B5.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\99B5.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\9C85.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9C85.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\A502.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A502.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\99B5.exe
  MD5: 57a9c6d1f80eec2792d26d5903a9228b
  SHA1: 15455de7cb21d125651d9cf88b23af2953bfa96f
  SHA256: b33cc87f7974c98429bcf0396527bb81c97bb11eb143257e9e1196d685949120
  SHA512: 0f1b1e42bba286c6b5d08571c97d770c287eff5249acef52809640a0e55a67711331e5adaaa6dae89ea16e817f29fd59da2bf0ff66864f53279cb834f112a280
- C:\Users\Admin\AppData\Local\Temp\9C85.exe
  MD5: aff43b3464d6aea75d486c1618112476
  SHA1: ad4e1033d4967b1d0adcae003e8f920f4114893f
  SHA256: c86df483c8fe3b4ba65b3bc4d8c355a075b4264f62f952847cf6a2c6ddcdc311
  SHA512: 804631caf878cccf2c8a8987134b13074c5e70c5cea8516c11cbdf156029b9c4aa9e9c76f55f3a7a86e49fd0186fdcb702012bc09002d6c66158aca95e2585e5
- C:\Users\Admin\AppData\Local\Temp\A502.exe
  MD5: f5231eea86abc6f1b83a7df7b1768bfd
  SHA1: f5472cebe3176794d8dc57b6a138649ca2068c32
  SHA256: 9f72c6acbee23bf4f813dc6afaf9abf4aac384ad64685846e6f0162291e7dc07
  SHA512: 0d415e132a33485adfd6c55466115e1ccba0ac08c3b408ab642190044146564c036fb5aa8cd75b5be621327c916d6b3653c5ba97aedf68e8a74b3a4d8d35ac0b
- \Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- memory/208-20-0x00000000053E0000-0x00000000053E1000-memory.dmp  Filesize: 4KB
- memory/208-19-0x0000000004E96000-0x0000000004E97000-memory.dmp  Filesize: 4KB
- memory/208-16-0x0000000000000000-mapping.dmp
- memory/500-2-0x0000000004DD6000-0x0000000004DD7000-memory.dmp  Filesize: 4KB
- memory/500-3-0x0000000005410000-0x0000000005411000-memory.dmp  Filesize: 4KB
- memory/2252-11-0x0000000000000000-mapping.dmp
- memory/2252-14-0x0000000004FE5000-0x0000000004FE6000-memory.dmp  Filesize: 4KB
- memory/2252-15-0x00000000053C0000-0x00000000053C1000-memory.dmp  Filesize: 4KB
- memory/2920-6-0x0000000000000000-mapping.dmp
- memory/2920-10-0x0000000005470000-0x0000000005471000-memory.dmp  Filesize: 4KB
- memory/2920-9-0x0000000004F06000-0x0000000004F07000-memory.dmp  Filesize: 4KB
- memory/3024-5-0x0000000001030000-0x0000000001046000-memory.dmp  Filesize: 88KB