30e58538e3ddab70cc1edda521bfbba6.exe

General
Target     30e58538e3ddab70cc1edda521bfbba6.exe
Filesize   233KB
Completed  22-07-2021 08:07
Score      10/10
MD5        30e58538e3ddab70cc1edda521bfbba6
SHA1       862591b95d16216f74b6b197de4f4740a881ccb8
SHA256     879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9

Malware Config

Extracted

Family smokeloader
Version 2020
C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

http://999080321test61-service10020125999080321.website/

http://999080321test51-service10020125999080321.xyz/

http://999080321test41-service100201pro25999080321.ru/

http://999080321yest31-service100201rus25999080321.ru/

http://999080321rest21-service10020125999080321.eu/

http://999080321test11-service10020125999080321.press/

http://999080321newfolder4561-service10020125999080321.ru/

http://999080321rustest213-service10020125999080321.ru/

http://999080321test281-service10020125999080321.ru/

http://999080321test261-service10020125999080321.space/

http://999080321yomtest251-service10020125999080321.ru/

http://999080321yirtest231-service10020125999080321.ru/

rc4.i32
rc4.i32
Signatures 11


Discovery
  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

  • Deletes itself

    Reported IOCs

    pid   process
    1252
  • Loads dropped DLL
    30e58538e3ddab70cc1edda521bfbba6.exe

    Reported IOCs

    pid   process
    1784  30e58538e3ddab70cc1edda521bfbba6.exe
  • Suspicious use of SetThreadContext
    30e58538e3ddab70cc1edda521bfbba6.exe

    Reported IOCs

    description                          pid   process                               target process
    PID 1208 set thread context of 1784  1208  30e58538e3ddab70cc1edda521bfbba6.exe  30e58538e3ddab70cc1edda521bfbba6.exe
  • Checks SCSI registry key(s)
    30e58538e3ddab70cc1edda521bfbba6.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description     ioc                                               process
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  30e58538e3ddab70cc1edda521bfbba6.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  30e58538e3ddab70cc1edda521bfbba6.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  30e58538e3ddab70cc1edda521bfbba6.exe
  • Suspicious behavior: EnumeratesProcesses
    30e58538e3ddab70cc1edda521bfbba6.exe

    Reported IOCs

    pid   process
    1784  30e58538e3ddab70cc1edda521bfbba6.exe
    1784  30e58538e3ddab70cc1edda521bfbba6.exe
    1252  (this row is repeated 62 times in the report; process column empty)
  • Suspicious behavior: GetForegroundWindowSpam

    Reported IOCs

    pid   process
    1252
  • Suspicious behavior: MapViewOfSection
    30e58538e3ddab70cc1edda521bfbba6.exe

    Reported IOCs

    pid   process
    1784  30e58538e3ddab70cc1edda521bfbba6.exe
  • Suspicious use of FindShellTrayWindow

    Reported IOCs

    pid   process
    1252  (this row is repeated 4 times in the report; process column empty)
  • Suspicious use of SendNotifyMessage

    Reported IOCs

    pid   process
    1252  (this row is repeated 4 times in the report; process column empty)
  • Suspicious use of WriteProcessMemory
    30e58538e3ddab70cc1edda521bfbba6.exe

    Reported IOCs

    description                       pid   process                               target process
    PID 1208 wrote to memory of 1784  1208  30e58538e3ddab70cc1edda521bfbba6.exe  30e58538e3ddab70cc1edda521bfbba6.exe
    (this row is repeated 7 times in the report)
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
    "C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
    Suspicious use of SetThreadContext
    Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
      "C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1784
Network
MITRE ATT&CK Matrix
Downloads
  • \Users\Admin\AppData\Local\Temp\AE30.tmp
    MD5     d124f55b9393c976963407dff51ffa79
    SHA1    2c7bbedd79791bfb866898c85b504186db610b5d
    SHA256  ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
    SHA512  278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
  • memory/1208-63-0x0000000000220000-0x000000000022C000-memory.dmp
  • memory/1252-65-0x0000000002A20000-0x0000000002A37000-memory.dmp
  • memory/1784-60-0x0000000000400000-0x000000000040C000-memory.dmp
  • memory/1784-61-0x0000000000402F68-mapping.dmp
  • memory/1784-62-0x0000000075C71000-0x0000000075C73000-memory.dmp