Analysis
- max time kernel: 128s
- max time network: 127s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-03-2021 17:05
- Static task: static1
- Behavioral task: behavioral1 (Sample: E4B1.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: E4B1.exe, Resource: win10v20201028)

General
- Target: E4B1.exe
- Size: 167KB
- MD5: 47838511727aae396e6269f03eca0166
- SHA1: cd9f435fa188377177f892de5b97f37149878009
- SHA256: a7a2a4f56a6eda5df0d82dc1cf60eee82d3a8d16f2d746df037cdeaafaebcd5d
- SHA512: 463462a1972f5f4d9c1ba25ce5ef75f15ebaec2fc4b314d58bb155207899519caf3c5b49122ae1eca67d89a08b7a29d16ce17df2d64a6ed8539d416344ed18a5
Malware Config
- Extracted family: smokeloader
- Version: 2020
- C2 URLs:
  - http://4zavr.com/upload/
  - http://zynds.com/upload/
  - http://atvua.com/upload/
  - http://detse.net/upload/
  - http://dsdett.com/upload/
  - http://dtabasee.com/upload/
  - http://yeronogles.monster/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (4 IoCs)
  Processes:
  - PID 396: F670.exe
  - PID 528: 197.exe
  - PID 1504: DB9.exe
  - PID 616: edrthefx.exe
- Deletes itself (1 IoCs)
  Processes:
  - PID 1388 (no process name recorded)
- Loads dropped DLL (2 IoCs)
  Processes:
  - PID 1968: E4B1.exe
  - PID 528: 197.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - File opened for modification: \??\PHYSICALDRIVE0 (F670.exe)
- Launches sc.exe
  Sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (E4B1.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (E4B1.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (E4B1.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1968: E4B1.exe (2 events)
  - PID 1388 (62 events; no process name recorded)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  - PID 1968: E4B1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - Token: SeShutdownPrivilege, PID 396: F670.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - PID 1388 (4 events; no process name recorded)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - PID 1388 (4 events; no process name recorded)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (source PID -> target PID, 4 events each):
  - PID 1388 wrote to memory of PID 396 (F670.exe)
  - PID 1388 wrote to memory of PID 528 (197.exe)
  - PID 528 (197.exe) wrote to memory of PID 548 (cmd.exe)
  - PID 1388 wrote to memory of PID 1504 (DB9.exe)
  - PID 528 (197.exe) wrote to memory of PID 1240 (cmd.exe)
  - PID 528 (197.exe) wrote to memory of PID 1076 (sc.exe)
  - PID 528 (197.exe) wrote to memory of PID 1164 (sc.exe)
Processes (indentation reflects the depth markers in the report)
- C:\Users\Admin\AppData\Local\Temp\E4B1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\E4B1.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\F670.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F670.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\197.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\197.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ryvrfltl\
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xrritctv.exe" C:\Windows\SysWOW64\ryvrfltl\
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create ryvrfltl binPath= "C:\Windows\SysWOW64\ryvrfltl\xrritctv.exe /d\"C:\Users\Admin\AppData\Local\Temp\197.exe\"" type= own start= auto DisplayName= "wifi support"
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description ryvrfltl "wifi internet conection"
  - C:\Users\Admin\edrthefx.exe
    Command line: "C:\Users\Admin\edrthefx.exe" /d"C:\Users\Admin\AppData\Local\Temp\197.exe" /e5503011400000005
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\DB9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\DB9.exe
  - Executes dropped EXE
Downloads