General
-
Target
SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
-
Size
176KB
-
Sample
210331-8j1mr53f7j
-
MD5
2a838bb8b42d0fe72bb89b3129603e01
-
SHA1
06dff415d576c5c91c72fa821caed6059d9abdc7
-
SHA256
d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
-
SHA512
ef1de5a8ab7e920bf326c90b7d85bd1eac7dca688c9b825e2f574ad4617491a7ac30bd08b97ae5b843706b0f3f26817d33dd1a2b1852c6874bbcbfe460cd34e1
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
Resource
win7v20201028
Malware Config
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Targets
-
-
Target
SecuriteInfo.com.Mal.GandCrypt-A.4160.29287
-
Size
176KB
-
MD5
2a838bb8b42d0fe72bb89b3129603e01
-
SHA1
06dff415d576c5c91c72fa821caed6059d9abdc7
-
SHA256
d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
-
SHA512
ef1de5a8ab7e920bf326c90b7d85bd1eac7dca688c9b825e2f574ad4617491a7ac30bd08b97ae5b843706b0f3f26817d33dd1a2b1852c6874bbcbfe460cd34e1
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Creates new service(s)
-
Executes dropped EXE
-
Modifies Windows Firewall
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
New Service
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Bootkit
1Defense Evasion
Virtualization/Sandbox Evasion
1Modify Registry
3File Permissions Modification
1Install Root Certificate
1