Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-03-2021 07:07

General

  • Target

    a27e10e9ae9c9322be87216d84ac718f.exe

  • Size

    163KB

  • MD5

    a27e10e9ae9c9322be87216d84ac718f

  • SHA1

    41ef20744ae39b938dd45b9e0fc15f3215fe0ce5

  • SHA256

    8501dc331081a8fdbb9f6a5789a8317acddd6ea7d5c0446f359df9c4922f9f72

  • SHA512

    622f387a16066681ab59e54d8d8ba7a404682f7e27d1ddd5e0694717a5a136551a55e6dd2b62380a49ebdc67242fde600e1b8b3ee6261d589973045bb298b895

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://xsss99.icu/upload/

http://bingooodsg.icu/upload/

http://junntd.xyz/upload/

http://ginessa11.xyz/upload/

http://overplayninsx.xyz/upload/

http://bananinze.com/upload/

http://daunimlas.com/upload/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe
    "C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe"
    1⤵
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:504
  • C:\Users\Admin\AppData\Local\Temp\F8BD.exe
    C:\Users\Admin\AppData\Local\Temp\F8BD.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im F8BD.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\F8BD.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im F8BD.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:1284
  • C:\Users\Admin\AppData\Local\Temp\810.exe
    C:\Users\Admin\AppData\Local\Temp\810.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqscyzmg\
      2⤵
        PID:1344
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ofbizycg.exe" C:\Windows\SysWOW64\mqscyzmg\
        2⤵
          PID:3644
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mqscyzmg binPath= "C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe /d\"C:\Users\Admin\AppData\Local\Temp\810.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:3760
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description mqscyzmg "wifi internet conection"
            2⤵
              PID:3968
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mqscyzmg
              2⤵
                PID:1792
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:2856
              • C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe
                C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe /d"C:\Users\Admin\AppData\Local\Temp\810.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3700
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:3192
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3732

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\freebl3.dll

                MD5

                ef2834ac4ee7d6724f255beaf527e635

                SHA1

                5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

                SHA256

                a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

                SHA512

                c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

              • C:\ProgramData\mozglue.dll

                MD5

                8f73c08a9660691143661bf7332c3c27

                SHA1

                37fa65dd737c50fda710fdbde89e51374d0c204a

                SHA256

                3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                SHA512

                0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

              • C:\ProgramData\msvcp140.dll

                MD5

                109f0f02fd37c84bfc7508d4227d7ed5

                SHA1

                ef7420141bb15ac334d3964082361a460bfdb975

                SHA256

                334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

                SHA512

                46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

              • C:\ProgramData\nss3.dll

                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

              • C:\ProgramData\softokn3.dll

                MD5

                a2ee53de9167bf0d6c019303b7ca84e5

                SHA1

                2a3c737fa1157e8483815e98b666408a18c0db42

                SHA256

                43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

                SHA512

                45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

              • C:\ProgramData\vcruntime140.dll

                MD5

                7587bf9cb4147022cd5681b015183046

                SHA1

                f2106306a8f6f0da5afb7fc765cfa0757ad5a628

                SHA256

                c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

                SHA512

                0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

              • C:\Users\Admin\AppData\Local\Temp\810.exe

                MD5

                69406f0fa2873b10ca1b6eae091b50d2

                SHA1

                8bf626c9c8a414257ad4be6c5902f8b1049412e3

                SHA256

                34b45184e382c684ee2ce8f91fc3dfb0627bc888283d8e76b73576ed11c1a3c5

                SHA512

                7e754dbff83ed0fb5745565b35b8d56a159950ca4243152cbb5d46f57d8140d49c53bea063dbe2807f039fa006ee062d33a410bf6c02e93cb3bcde15c166a067

              • C:\Users\Admin\AppData\Local\Temp\810.exe

                MD5

                69406f0fa2873b10ca1b6eae091b50d2

                SHA1

                8bf626c9c8a414257ad4be6c5902f8b1049412e3

                SHA256

                34b45184e382c684ee2ce8f91fc3dfb0627bc888283d8e76b73576ed11c1a3c5

                SHA512

                7e754dbff83ed0fb5745565b35b8d56a159950ca4243152cbb5d46f57d8140d49c53bea063dbe2807f039fa006ee062d33a410bf6c02e93cb3bcde15c166a067

              • C:\Users\Admin\AppData\Local\Temp\F8BD.exe

                MD5

                db8ccbbbcf3fd49089a596868128dcbe

                SHA1

                04afd57ba0a3ff60370c77b227b086f7b9869f62

                SHA256

                08058b1b27a29f5c3310b0b1ed36d3d4e11282e5fa9a5f9790d3c5b3515e84e3

                SHA512

                a67034aea26122d5979cc7d421e4598cbe49a694549c484eef16eec622c56fa635308f7482ede325d4991205f26d17095f89a4fb23a5e2d40f33969964c4a4dc

              • C:\Users\Admin\AppData\Local\Temp\F8BD.exe

                MD5

                db8ccbbbcf3fd49089a596868128dcbe

                SHA1

                04afd57ba0a3ff60370c77b227b086f7b9869f62

                SHA256

                08058b1b27a29f5c3310b0b1ed36d3d4e11282e5fa9a5f9790d3c5b3515e84e3

                SHA512

                a67034aea26122d5979cc7d421e4598cbe49a694549c484eef16eec622c56fa635308f7482ede325d4991205f26d17095f89a4fb23a5e2d40f33969964c4a4dc

              • C:\Users\Admin\AppData\Local\Temp\ofbizycg.exe

                MD5

                89484febf5df461aa58fab7e0d42eab3

                SHA1

                be1597ff790e44b1f3017c45ba1aa3fa10c75377

                SHA256

                4121af8f53df35b687a1ef6ee99a285724a0a31464f55f96e08503c566bc6d04

                SHA512

                26bd53a8d8658028d1198cb1a1b5f87df7241d10d1706aa253cd20dab20685427fbe17cce797f13d2b55de4262030e88afa5aa4f5341a9c2d91f93c7e3790db4

              • C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe

                MD5

                89484febf5df461aa58fab7e0d42eab3

                SHA1

                be1597ff790e44b1f3017c45ba1aa3fa10c75377

                SHA256

                4121af8f53df35b687a1ef6ee99a285724a0a31464f55f96e08503c566bc6d04

                SHA512

                26bd53a8d8658028d1198cb1a1b5f87df7241d10d1706aa253cd20dab20685427fbe17cce797f13d2b55de4262030e88afa5aa4f5341a9c2d91f93c7e3790db4

              • \ProgramData\mozglue.dll

                MD5

                8f73c08a9660691143661bf7332c3c27

                SHA1

                37fa65dd737c50fda710fdbde89e51374d0c204a

                SHA256

                3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

                SHA512

                0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

              • \ProgramData\nss3.dll

                MD5

                bfac4e3c5908856ba17d41edcd455a51

                SHA1

                8eec7e888767aa9e4cca8ff246eb2aacb9170428

                SHA256

                e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

                SHA512

                2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

              • \Users\Admin\AppData\Local\Temp\CC4F.tmp

                MD5

                50741b3f2d7debf5d2bed63d88404029

                SHA1

                56210388a627b926162b36967045be06ffb1aad3

                SHA256

                f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c

                SHA512

                fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

              • memory/504-2-0x0000000002580000-0x0000000002581000-memory.dmp

                Filesize

                4KB

              • memory/504-3-0x00000000001E0000-0x00000000001E9000-memory.dmp

                Filesize

                36KB

              • memory/504-4-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

              • memory/1284-33-0x0000000000000000-mapping.dmp

              • memory/1344-21-0x0000000000000000-mapping.dmp

              • memory/1792-29-0x0000000000000000-mapping.dmp

              • memory/2244-28-0x0000000000000000-mapping.dmp

              • memory/2760-10-0x0000000002590000-0x0000000002591000-memory.dmp

                Filesize

                4KB

              • memory/2760-13-0x0000000000400000-0x0000000000498000-memory.dmp

                Filesize

                608KB

              • memory/2760-12-0x0000000000B40000-0x0000000000BD5000-memory.dmp

                Filesize

                596KB

              • memory/2760-7-0x0000000000000000-mapping.dmp

              • memory/2856-32-0x0000000000000000-mapping.dmp

              • memory/2876-6-0x0000000000B40000-0x0000000000B56000-memory.dmp

                Filesize

                88KB

              • memory/3192-47-0x0000000004450000-0x000000000465F000-memory.dmp

                Filesize

                2.1MB

              • memory/3192-48-0x00000000006F0000-0x00000000006F6000-memory.dmp

                Filesize

                24KB

              • memory/3192-40-0x0000000000660000-0x0000000000675000-memory.dmp

                Filesize

                84KB

              • memory/3192-36-0x0000000000660000-0x0000000000675000-memory.dmp

                Filesize

                84KB

              • memory/3192-37-0x0000000000669A6B-mapping.dmp

              • memory/3644-24-0x0000000000000000-mapping.dmp

              • memory/3656-14-0x0000000000000000-mapping.dmp

              • memory/3656-23-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

              • memory/3656-22-0x0000000000910000-0x0000000000923000-memory.dmp

                Filesize

                76KB

              • memory/3656-19-0x00000000024E0000-0x00000000024E1000-memory.dmp

                Filesize

                4KB

              • memory/3700-39-0x0000000000400000-0x0000000000415000-memory.dmp

                Filesize

                84KB

              • memory/3700-35-0x00000000012C0000-0x00000000012C1000-memory.dmp

                Filesize

                4KB

              • memory/3700-34-0x00000000012C0000-0x00000000012C1000-memory.dmp

                Filesize

                4KB

              • memory/3732-49-0x00000000032F0000-0x00000000033E1000-memory.dmp

                Filesize

                964KB

              • memory/3732-51-0x000000000338259C-mapping.dmp

              • memory/3760-26-0x0000000000000000-mapping.dmp

              • memory/3968-27-0x0000000000000000-mapping.dmp

              • memory/4028-30-0x0000000000000000-mapping.dmp