Overview

overview

10

Static

static

51D8ECF0ED...1F.exe

windows7_x64

10

51D8ECF0ED...1F.exe

windows10_x64

Analysis

  • max time kernel
    151s
  • max time network
    179s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    31-05-2021 18:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51D8ECF0ED7ECB364FD78F3FC53F871F.exe

  • Size

    3.1MB

  • MD5

    51d8ecf0ed7ecb364fd78f3fc53f871f

  • SHA1

    03a0a32d8c9dd0f4a97eacde1f010ee5665d2b8a

  • SHA256

    6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096

  • SHA512

    6baf4d67d6dc5ad47658b48e83b1a9d9cb4d49e5f615439232b3817d01a9c7d847e2ac2b280eae8a4b757599462e4fb2ea39e217ec46b6c54b23a18f201f4aff

Score
10/10
smokeloaderbackdoorevasiontrojanupxvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://20xbtc.com/upload/

http://yzsnw.com/upload/

http://kaledebiyat.com/upload/

http://expertizizmir.com/upload/

http://dedkndy.com/upload/

http://theuncu.com/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 10 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 11 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 38 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • autoit_exe 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51D8ECF0ED7ECB364FD78F3FC53F871F.exe
    "C:\Users\Admin\AppData\Local\Temp\51D8ECF0ED7ECB364FD78F3FC53F871F.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
      "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 192
          4⤵
          • Loads dropped DLL
          • Program crash
          • Suspicious use of AdjustPrivilegeToken
          PID:112
    • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Files.exe
      "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1044
    • C:\Users\Admin\AppData\Local\Temp\Folder.exe
      "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      2⤵
      • Executes dropped EXE
      PID:624
    • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
      "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        PID:1656
      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        3⤵
        • Executes dropped EXE
        PID:1672
    • C:\Users\Admin\AppData\Local\Temp\pub2.exe
      "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:764
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:732 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/112-143-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/576-136-0x0000000000400000-0x00000000005DE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/732-133-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/748-60-0x0000000075451000-0x0000000075453000-memory.dmp

    Filesize

    8KB

    Download

  • memory/764-122-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/764-125-0x0000000000400000-0x0000000000458000-memory.dmp

    Filesize

    352KB

    Download

  • memory/1200-126-0x0000000002B90000-0x0000000002BA6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1324-81-0x00000000012C0000-0x00000000012C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-109-0x00000000001D0000-0x00000000001F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1324-119-0x0000000001240000-0x0000000001242000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1324-110-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-97-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

    Download