Overview

overview

10

Static

static

9DBF08C9B7...55.exe

windows7_x64

9DBF08C9B7...55.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    31-05-2021 19:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9DBF08C9B7029EB80CE9AA24F1511C55.exe

  • Size

    3.1MB

  • MD5

    9dbf08c9b7029eb80ce9aa24f1511c55

  • SHA1

    d340feafe12e4aa6ffffdbaca34a80965b7b893e

  • SHA256

    04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7

  • SHA512

    156f59a565ea7254296a8db28cbf8b1c8ccc8ec84ddd1bf7aedd608fb437c0bafe327c3f5cd8338cbe60a10e4583d8dca129952c2c0b76aa14d6fb27a8e56e84

Score
10/10
smokeloaderbackdoorevasionspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://20xbtc.com/upload/

http://yzsnw.com/upload/

http://kaledebiyat.com/upload/

http://expertizizmir.com/upload/

http://dedkndy.com/upload/

http://theuncu.com/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 10 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
      PID:2656
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
        PID:2436
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
        1⤵
          PID:2428
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2320
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2272
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1864
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1456
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1396
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                  1⤵
                    PID:1288
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                    1⤵
                      PID:1148
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                      • Drops file in System32 directory
                      PID:1064
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                      1⤵
                        PID:352
                      • C:\Users\Admin\AppData\Local\Temp\9DBF08C9B7029EB80CE9AA24F1511C55.exe
                        "C:\Users\Admin\AppData\Local\Temp\9DBF08C9B7029EB80CE9AA24F1511C55.exe"
                        1⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:656
                        • C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
                          "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:3080
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe
                            "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg3_3uag.exe"
                            3⤵
                            • Executes dropped EXE
                            • Checks whether UAC is enabled
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2224
                        • C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
                          "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:416
                        • C:\Users\Admin\AppData\Local\Temp\Files.exe
                          "C:\Users\Admin\AppData\Local\Temp\Files.exe"
                          2⤵
                          • Executes dropped EXE
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:2036
                          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe
                            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\File.exe"
                            3⤵
                            • Executes dropped EXE
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            PID:4260
                        • C:\Users\Admin\AppData\Local\Temp\Folder.exe
                          "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
                          2⤵
                          • Executes dropped EXE
                          • Checks computer location settings
                          • Modifies registry class
                          • Suspicious use of WriteProcessMemory
                          PID:1696
                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd
                            3⤵
                            • Loads dropped DLL
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4432
                        • C:\Users\Admin\AppData\Local\Temp\pzyh.exe
                          "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of WriteProcessMemory
                          PID:4144
                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            3⤵
                            • Executes dropped EXE
                            PID:4716
                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            3⤵
                            • Executes dropped EXE
                            PID:792
                        • C:\Users\Admin\AppData\Local\Temp\pub2.exe
                          "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
                          2⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:4180
                      • \??\c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s BITS
                        1⤵
                        • Suspicious use of SetThreadContext
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:412
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                          2⤵
                            PID:4592
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                          1⤵
                          • Drops file in Windows directory
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          PID:2188
                        • C:\Windows\system32\browser_broker.exe
                          C:\Windows\system32\browser_broker.exe -Embedding
                          1⤵
                          • Modifies Internet Explorer settings
                          PID:2468
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                          1⤵
                          • Suspicious behavior: MapViewOfSection
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:4376
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                          1⤵
                          • Modifies Internet Explorer settings
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4452
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                          1⤵
                          • Modifies registry class
                          PID:4484
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                          1⤵
                          • Modifies registry class
                          PID:5052
                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                          1⤵
                          • Modifies registry class
                          PID:4940

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/352-201-0x000001F963240000-0x000001F9632B0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/412-176-0x000001FD3BEA0000-0x000001FD3BF10000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/416-133-0x000000001B4A0000-0x000000001B4A2000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/416-129-0x0000000000BF0000-0x0000000000C10000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/416-124-0x00000000006C0000-0x00000000006C1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/416-126-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/416-131-0x0000000000C20000-0x0000000000C21000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1064-181-0x000001B747B10000-0x000001B747B80000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/1148-172-0x000001EB44380000-0x000001EB443CB000-memory.dmp

                          Filesize

                          300KB

                          Download

                        • memory/1148-175-0x000001EB44680000-0x000001EB446F0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/1288-196-0x0000027BB06A0000-0x0000027BB0710000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/1396-202-0x000001F47A300000-0x000001F47A370000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/1456-186-0x00000297D0190000-0x00000297D0200000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/1864-190-0x000002B3A9F80000-0x000002B3A9FF0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/2224-237-0x0000000004C20000-0x0000000004C28000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2224-236-0x00000000048E0000-0x00000000048E8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2224-230-0x00000000036D0000-0x00000000036E0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2224-132-0x0000000000400000-0x00000000005DE000-memory.dmp

                          Filesize

                          1.9MB

                          Download

                        • memory/2224-224-0x0000000003530000-0x0000000003540000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2272-207-0x000001A2C5780000-0x000001A2C57F0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/2320-170-0x0000016250BD0000-0x0000016250C40000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/2428-209-0x0000029E4CC30000-0x0000029E4CCA0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/2436-214-0x0000026CBD570000-0x0000026CBD5E0000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/2656-191-0x000001C2C16D0000-0x000001C2C1740000-memory.dmp

                          Filesize

                          448KB

                          Download

                        • memory/3092-218-0x0000000000A60000-0x0000000000A76000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/4180-215-0x0000000000460000-0x00000000005AA000-memory.dmp

                          Filesize

                          1.3MB

                          Download

                        • memory/4180-216-0x0000000000400000-0x0000000000458000-memory.dmp

                          Filesize

                          352KB

                          Download

                        • memory/4432-169-0x0000000004B70000-0x0000000004BCC000-memory.dmp

                          Filesize

                          368KB

                          Download

                        • memory/4432-168-0x00000000049A2000-0x0000000004AA3000-memory.dmp

                          Filesize

                          1.0MB

                          Download

                        • memory/4592-195-0x0000022DBA560000-0x0000022DBA5D0000-memory.dmp

                          Filesize

                          448KB

                          Download