Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-07-2021 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
- Resource: win10v20210408
General
- Target: SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
- Size: 213KB
- MD5: bce65fe09f2b9a521f2d24409ba64e66
- SHA1: dfe0203ee99ae1c2fbd3989e3adc43ada5812b84
- SHA256: 0e3e6cf4f7fcc5367f2ffa78947973a92b69d8aaca5fdaa5a01ff786003470a8
- SHA512: 2e99eee986a41ed3b83d0effb527fc78b0bd13bcaab0f15e5c978e6d683b5dab9779a660fd44dded0a9fc1f50e8295b2762f508c47c13788dd5c82194fc2f1ee
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Executes dropped EXE (2 IoCs)
  Processes:
  PID 2336 ussgwrt
  PID 2484 ussgwrt
- Deletes itself (1 IoCs)
  Processes:
  PID 3024
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  PID 900 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe set thread context of PID 4080 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
  PID 2336 ussgwrt set thread context of PID 2484 ussgwrt
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by ussgwrt
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by ussgwrt
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by ussgwrt
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  PID 4080 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe (2 entries)
  PID 3024 (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  PID 3024
- Suspicious behavior: MapViewOfSection (20 IoCs)
  Processes:
  PID 4080 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe (1 entry)
  PID 3024 (18 entries)
  PID 2484 ussgwrt (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeShutdownPrivilege, PID 3024
  Token: SeCreatePagefilePrivilege, PID 3024
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes:
  PID 3024
- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes:
  PID 900 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe wrote to memory of PID 4080 SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe (6 entries)
  PID 3024 explorer.exe wrote to memory of PID 200 (4 entries)
  PID 3024 explorer.exe wrote to memory of PID 2304 (3 entries)
  PID 3024 explorer.exe wrote to memory of PID 2708 (4 entries)
  PID 3024 explorer.exe wrote to memory of PID 4024 (3 entries)
  PID 3024 explorer.exe wrote to memory of PID 1304 (4 entries)
  PID 3024 explorer.exe wrote to memory of PID 4020 (3 entries)
  PID 3024 explorer.exe wrote to memory of PID 3488 (4 entries)
  PID 3024 explorer.exe wrote to memory of PID 3380 (3 entries)
  PID 3024 explorer.exe wrote to memory of PID 1152 (4 entries)
  PID 2336 ussgwrt wrote to memory of PID 2484 ussgwrt (6 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.394875.22109.32284.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- C:\Users\Admin\AppData\Roaming\ussgwrt
  Command line: C:\Users\Admin\AppData\Roaming\ussgwrt
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\ussgwrt (child)
    Command line: C:\Users\Admin\AppData\Roaming\ussgwrt
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\ussgwrt (same hashes as the submitted sample)
  MD5: bce65fe09f2b9a521f2d24409ba64e66
  SHA1: dfe0203ee99ae1c2fbd3989e3adc43ada5812b84
  SHA256: 0e3e6cf4f7fcc5367f2ffa78947973a92b69d8aaca5fdaa5a01ff786003470a8
  SHA512: 2e99eee986a41ed3b83d0effb527fc78b0bd13bcaab0f15e5c978e6d683b5dab9779a660fd44dded0a9fc1f50e8295b2762f508c47c13788dd5c82194fc2f1ee
- memory/200-120-0x00000000032B0000-0x0000000003324000-memory.dmp (464KB)
- memory/200-118-0x0000000000000000-mapping.dmp
- memory/200-121-0x0000000003240000-0x00000000032AB000-memory.dmp (428KB)
- memory/900-116-0x00000000001D0000-0x00000000001DA000-memory.dmp (40KB)
- memory/1152-143-0x0000000002D60000-0x0000000002D65000-memory.dmp (20KB)
- memory/1152-144-0x0000000002D50000-0x0000000002D59000-memory.dmp (36KB)
- memory/1152-142-0x0000000000000000-mapping.dmp
- memory/1304-130-0x0000000000000000-mapping.dmp
- memory/1304-132-0x0000000002840000-0x0000000002849000-memory.dmp (36KB)
- memory/1304-131-0x0000000002850000-0x0000000002855000-memory.dmp (20KB)
- memory/2304-122-0x00000000003A0000-0x00000000003A7000-memory.dmp (28KB)
- memory/2304-119-0x0000000000000000-mapping.dmp
- memory/2304-123-0x0000000000390000-0x000000000039C000-memory.dmp (48KB)
- memory/2484-148-0x0000000000402E1A-mapping.dmp
- memory/2708-125-0x0000000002B20000-0x0000000002B27000-memory.dmp (28KB)
- memory/2708-126-0x0000000002B10000-0x0000000002B1B000-memory.dmp (44KB)
- memory/2708-124-0x0000000000000000-mapping.dmp
- memory/3024-117-0x0000000000600000-0x0000000000616000-memory.dmp (88KB)
- memory/3024-150-0x00000000023A0000-0x00000000023B6000-memory.dmp (88KB)
- memory/3380-139-0x0000000000000000-mapping.dmp
- memory/3380-141-0x00000000003C0000-0x00000000003C9000-memory.dmp (36KB)
- memory/3380-140-0x00000000003D0000-0x00000000003D5000-memory.dmp (20KB)
- memory/3488-136-0x0000000000000000-mapping.dmp
- memory/3488-137-0x0000000002F10000-0x0000000002F14000-memory.dmp (16KB)
- memory/3488-138-0x0000000002F00000-0x0000000002F09000-memory.dmp (36KB)
- memory/4020-133-0x0000000000000000-mapping.dmp
- memory/4020-134-0x00000000012E0000-0x00000000012E6000-memory.dmp (24KB)
- memory/4020-135-0x00000000012D0000-0x00000000012DC000-memory.dmp (48KB)
- memory/4024-129-0x0000000000BD0000-0x0000000000BDF000-memory.dmp (60KB)
- memory/4024-127-0x0000000000000000-mapping.dmp
- memory/4024-128-0x0000000000BE0000-0x0000000000BE9000-memory.dmp (36KB)
- memory/4080-114-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
- memory/4080-115-0x0000000000402E1A-mapping.dmp