Analysis
-
max time kernel
59s -
max time network
60s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-03-2021 07:05
Errors
General
-
Target
874bcf36482b83f3df470655e985e29b.exe
-
Size
162KB
-
MD5
874bcf36482b83f3df470655e985e29b
-
SHA1
bbcfeea3e3b437680cbf14c8016b3954cac1398a
-
SHA256
1c259208bdea5d896335c7a22d7a3048e4cfe0c7578a466f8faad880446f4e02
-
SHA512
688cd7b19786c7c41079a1867a394ade9ed1201f10f38c408d52bae8da9edcd42b433ae979de6b68ed4bbf628201228c45ec4d9a03987851782265c19b0da8c6
Malware Config
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 9 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\874bcf36482b83f3df470655e985e29b.exe"C:\Users\Admin\AppData\Local\Temp\874bcf36482b83f3df470655e985e29b.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E47A.exeC:\Users\Admin\AppData\Local\Temp\E47A.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\88f60da4-d0da-4e37-89b8-c779aa247322" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\E47A.exe"C:\Users\Admin\AppData\Local\Temp\E47A.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe"C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\updatewin.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe"C:\Users\Admin\AppData\Local\e048c6e3-baae-4250-a06b-05b803d58de9\5.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\ED83.exeC:\Users\Admin\AppData\Local\Temp\ED83.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\FB5F.exeC:\Users\Admin\AppData\Local\Temp\FB5F.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wzkwstev\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwxideck.exe" C:\Windows\SysWOW64\wzkwstev\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create wzkwstev binPath= "C:\Windows\SysWOW64\wzkwstev\wwxideck.exe /d\"C:\Users\Admin\AppData\Local\Temp\FB5F.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description wzkwstev "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start wzkwstev2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Windows\SysWOW64\wzkwstev\wwxideck.exeC:\Windows\SysWOW64\wzkwstev\wwxideck.exe /d"C:\Users\Admin\AppData\Local\Temp\FB5F.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Users\Admin\AppData\Local\Temp\161C.exeC:\Users\Admin\AppData\Local\Temp\161C.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1CB4.exeC:\Users\Admin\AppData\Local\Temp\1CB4.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
220KB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
7.9MB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
180KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
608KB
-
Filesize
596KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
428KB
-
Filesize
444KB
-
Filesize
1.2MB
-
Filesize
4KB
-
Filesize
1.1MB
-
Filesize
596KB
-
Filesize
608KB
-
Filesize
4KB
-
Filesize
84KB