Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 31-03-2021 14:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
- Resource: win7v20201028
General
- Target: SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
- Size: 176KB
- MD5: 2a838bb8b42d0fe72bb89b3129603e01
- SHA1: 06dff415d576c5c91c72fa821caed6059d9abdc7
- SHA256: d27e90665d0a697e1fea9dfc3641c9785bfbf8fbd7ef885d82788943417d1ccd
- SHA512: ef1de5a8ab7e920bf326c90b7d85bd1eac7dca688c9b825e2f574ad4617491a7ac30bd08b97ae5b843706b0f3f26817d33dd1a2b1852c6874bbcbfe460cd34e1
Malware Config
Extracted
smokeloader
2020
http://xsss99.icu/upload/
http://bingooodsg.icu/upload/
http://junntd.xyz/upload/
http://ginessa11.xyz/upload/
http://overplayninsx.xyz/upload/
http://bananinze.com/upload/
http://daunimlas.com/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Creates new service(s) (1 TTPs)
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 412: 2AA9.exe
  - PID 596: 315E.exe
  - PID 1608: rdcqbltn.exe
- Modifies Windows Firewall (1 TTPs)
- Sets service image path in registry (2 TTPs)
- Deletes itself (1 IoCs)
  Processes:
  - PID 1268 (no process name listed)
- Loads dropped DLL (1 IoCs)
  Processes:
  - PID 1908: SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  - 315E.exe: File opened for modification \??\PHYSICALDRIVE0
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 1608 (rdcqbltn.exe) set thread context of PID 1432 (svchost.exe)
- Launches sc.exe
  sc.exe is a Windows utility to control services on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (all by SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1908: SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe (2 entries)
  - PID 1268 (all remaining entries; no process name listed)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  - PID 1908: SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  - PID 596 (315E.exe): Token: SeShutdownPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  - PID 1268 (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  - PID 1268 (4 entries)
- Suspicious use of WriteProcessMemory (38 IoCs)
  Processes (source PID wrote to memory of target PID; count of entries in parentheses):
  - PID 1268 (no process name listed) -> PID 412 (2AA9.exe) (4)
  - PID 1268 (no process name listed) -> PID 596 (315E.exe) (4)
  - PID 412 (2AA9.exe) -> PID 616 (cmd.exe) (4)
  - PID 412 (2AA9.exe) -> PID 828 (cmd.exe) (4)
  - PID 412 (2AA9.exe) -> PID 1452 (sc.exe) (4)
  - PID 412 (2AA9.exe) -> PID 1080 (sc.exe) (4)
  - PID 412 (2AA9.exe) -> PID 1640 (sc.exe) (4)
  - PID 412 (2AA9.exe) -> PID 1384 (netsh.exe) (4)
  - PID 1608 (rdcqbltn.exe) -> PID 1432 (svchost.exe) (6)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Mal.GandCrypt-A.4160.29287.exe"
  PID: 1908
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\2AA9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2AA9.exe
  PID: 412
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lkxgfbgz\
    PID: 616
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rdcqbltn.exe" C:\Windows\SysWOW64\lkxgfbgz\
    PID: 828
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" create lkxgfbgz binPath= "C:\Windows\SysWOW64\lkxgfbgz\rdcqbltn.exe /d\"C:\Users\Admin\AppData\Local\Temp\2AA9.exe\"" type= own start= auto DisplayName= "wifi support"
    PID: 1452
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" description lkxgfbgz "wifi internet conection"
    PID: 1080
  - C:\Windows\SysWOW64\sc.exe
    Command line: "C:\Windows\System32\sc.exe" start lkxgfbgz
    PID: 1640
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    PID: 1384
- C:\Users\Admin\AppData\Local\Temp\315E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\315E.exe
  PID: 596
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\lkxgfbgz\rdcqbltn.exe
  Command line: C:\Windows\SysWOW64\lkxgfbgz\rdcqbltn.exe /d"C:\Users\Admin\AppData\Local\Temp\2AA9.exe"
  PID: 1608
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: svchost.exe
    PID: 1432
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\2AA9.exe
  MD5: b20716d309609aa36556998fb0af3e20
  SHA1: edc1b882058cdb76101acfc4b4bfe3f9c905ce0e
  SHA256: c78557d6afa3b2876ce7d243f3617682af47e06137465c4e32a423a385699dc3
  SHA512: f8faa478b25fb9d126e5ee6b0ddf0e349da923469c8a648c920fcbc61f322e5d718b6d83ad717acfcc9c7d1f743cb758fc59e067a455118a230090a4291b89f4
- C:\Users\Admin\AppData\Local\Temp\315E.exe
  MD5: a894918941dc35fec11435637d26c2e2
  SHA1: ef6c757bd4b3fd1cfe313b7df168c53b2d5583fc
  SHA256: da9733687ebdfe93f0bdb6686a3fdba6bdc2169ad08d576fc2a33dce5542f9a2
  SHA512: e5c6ab538142ab2f135cb7c3b820fa6924f81aeae7ffc666d7d2a7e6f91df1dc4c74d18c0badebd8976ec2c109fa5193b95ec2bc5eca14e94b0c67470cd1b9be
- C:\Users\Admin\AppData\Local\Temp\rdcqbltn.exe
  MD5: e5d4eab188073c060b34973407befbba
  SHA1: 0d0f7a91d4747dceca8d1b0cdf4ef10c749d943e
  SHA256: dbf628a7e9bb5bae80dfafe48fcad0574991570c7728e9b51f6c1481d93b2aac
  SHA512: be8ad3025cf1244fa7c00f6d1dbd5f0cae82ff75556cbaf17c5af512f142d6833595f179edef61c8786574400fca7e1bdb3af92a45b61d7185c507dff1d5da32
- C:\Windows\SysWOW64\lkxgfbgz\rdcqbltn.exe
  MD5: e5d4eab188073c060b34973407befbba
  SHA1: 0d0f7a91d4747dceca8d1b0cdf4ef10c749d943e
  SHA256: dbf628a7e9bb5bae80dfafe48fcad0574991570c7728e9b51f6c1481d93b2aac
  SHA512: be8ad3025cf1244fa7c00f6d1dbd5f0cae82ff75556cbaf17c5af512f142d6833595f179edef61c8786574400fca7e1bdb3af92a45b61d7185c507dff1d5da32
- \Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/412-19-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/412-8-0x0000000000000000-mapping.dmp
- memory/412-13-0x0000000000220000-0x0000000000233000-memory.dmp (Filesize: 76KB)
- memory/412-12-0x0000000004620000-0x0000000004631000-memory.dmp (Filesize: 68KB)
- memory/596-27-0x0000000000400000-0x000000000046F000-memory.dmp (Filesize: 444KB)
- memory/596-10-0x0000000000000000-mapping.dmp
- memory/596-26-0x00000000043B0000-0x000000000441B000-memory.dmp (Filesize: 428KB)
- memory/596-22-0x00000000043B0000-0x00000000043C1000-memory.dmp (Filesize: 68KB)
- memory/616-16-0x0000000000000000-mapping.dmp
- memory/828-17-0x0000000000000000-mapping.dmp
- memory/1080-24-0x0000000000000000-mapping.dmp
- memory/1268-7-0x0000000003980000-0x0000000003996000-memory.dmp (Filesize: 88KB)
- memory/1384-32-0x0000000000000000-mapping.dmp
- memory/1432-36-0x0000000000089A6B-mapping.dmp
- memory/1432-35-0x0000000000080000-0x0000000000095000-memory.dmp (Filesize: 84KB)
- memory/1452-21-0x0000000000000000-mapping.dmp
- memory/1608-39-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize: 84KB)
- memory/1608-33-0x0000000003080000-0x0000000003091000-memory.dmp (Filesize: 68KB)
- memory/1640-29-0x0000000000000000-mapping.dmp
- memory/1908-6-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1908-3-0x0000000076271000-0x0000000076273000-memory.dmp (Filesize: 8KB)
- memory/1908-2-0x0000000002180000-0x0000000002191000-memory.dmp (Filesize: 68KB)
- memory/1908-5-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)