Analysis
- score: 10
- max time kernel: 1800s
- max time network: 1722s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 08-07-2021 11:17
Static task: static1
Behavioral task behavioral1: Sample 0x00030000000130db-122.exe, Resource win7v20210408
Behavioral task behavioral2: Sample 0x00030000000130db-122.exe, Resource win10v20210410
Behavioral task behavioral3: Sample 0x00030000000130dc-135.exe, Resource win7v20210410
Behavioral task behavioral4: Sample 0x00030000000130dc-135.exe, Resource win10v20210408
Behavioral task behavioral5: Sample 0x00030000000130dd-141.exe, Resource win7v20210410
Behavioral task behavioral6: Sample 0x00030000000130dd-141.exe, Resource win10v20210408
Behavioral task behavioral7: Sample 0x00030000000130de-161.exe, Resource win7v20210410
Behavioral task behavioral8: Sample 0x00030000000130de-161.exe, Resource win10v20210408
Behavioral task behavioral9: Sample 0x00030000000130df-151.exe, Resource win7v20210410
Behavioral task behavioral10: Sample 0x00030000000130df-151.exe, Resource win10v20210410
Behavioral task behavioral11: Sample 0x00030000000130e1-156.exe, Resource win7v20210408
Behavioral task behavioral12: Sample 0x00030000000130e1-156.exe, Resource win10v20210410
Behavioral task behavioral13: Sample 0x000300000001310b-88.exe, Resource win7v20210408
Behavioral task behavioral14: Sample 0x000300000001310b-88.exe, Resource win10v20210410
Behavioral task behavioral15: Sample 0x00040000000130bf-127.exe, Resource win7v20210408
Behavioral task behavioral16: Sample 0x00040000000130bf-127.exe, Resource win10v20210410
Behavioral task behavioral17: Sample 0x00040000000130e0-63.exe, Resource win7v20210408
General
- Target: 0x00030000000130db-122.exe
- Size: 345KB
- MD5: c6f791cdb3ec5ab080f0d84e9cb1d4eb
- SHA1: d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
- SHA256: d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
- SHA512: d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30
Malware Config
Extracted: smokeloader 2020
Signatures
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes: WerFault.exe (PID 2284) created PID 3292, target process fbdvura
- Executes dropped EXE (1 IoC)
  Processes: fbdvura (PID 3292)
- Deletes itself (1 IoC)
  Processes: PID 3020
- Loads dropped DLL (1 IoC)
  Processes: 0x00030000000130db-122.exe (PID 2116)
- Program crash (1 IoC)
  Processes: WerFault.exe (PID 2284), target process fbdvura (PID 3292)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 0x00030000000130db-122.exe opened, queried and enumerated the key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 0x00030000000130db-122.exe (PID 2116, 2 entries); PID 3020 (all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 3020
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: 0x00030000000130db-122.exe (PID 2116)
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: PID 3020: Token SeShutdownPrivilege (10 entries), Token SeCreatePagefilePrivilege (10 entries); WerFault.exe (PID 2284): Token SeRestorePrivilege, Token SeBackupPrivilege, Token SeDebugPrivilege
Processes
- C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0x00030000000130db-122.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\fbdvura
  Command line: C:\Users\Admin\AppData\Roaming\fbdvura
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 480
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- C:\Users\Admin\AppData\Roaming\fbdvura
  MD5: c6f791cdb3ec5ab080f0d84e9cb1d4eb
  SHA1: d22f28ccda8b98265f9dba0c26d3f0cc3e2b6cdf
  SHA256: d70b6e5dad1618f3d9f08a1d8220c6c34f959db468640b4e21f0b2b5c2507414
  SHA512: d41134a4b310d5e640240c1083a39e4e0ffa5c025287060a9cdd94be67a877e6e88f8d85cb6ceca432bdc3de19e95465a560642fb119820105141bd9c57a0d30
- \Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
- memory/2116-115-0x0000000000950000-0x0000000000959000-memory.dmp (Filesize: 36KB)
- memory/2116-116-0x0000000000400000-0x00000000008F4000-memory.dmp (Filesize: 5.0MB)
- memory/3020-117-0x00000000010D0000-0x00000000010E6000-memory.dmp (Filesize: 88KB)
- memory/3292-122-0x0000000000400000-0x00000000008F4000-memory.dmp (Filesize: 5.0MB)