Analysis
Max time kernel: 151s
Max time network: 164s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 26-07-2021 13:46
Static task: static1
Behavioral task: behavioral1
Sample: e32070f84919d59178bd08cfd39c9a4f.exe
Resource: win7v20210408
General
Target: e32070f84919d59178bd08cfd39c9a4f.exe
Size: 317KB
MD5: e32070f84919d59178bd08cfd39c9a4f
SHA1: f02c69af0907b7c7c434b23c6aa7746901ce4d05
SHA256: c97f7b2a1d29e6ab8e802c3c814e1962452a9ab375a0f0c13ef6d4e4edefe9c2
SHA512: d119b278fa397d3bc73c5ccdb8443bf1124e13e84f02ef00e22f3e33f4ffcb5b11dc0e3473265c56488086058360101c389d5fc4e65ecbebe66d0b388d9c0512
Malware Config
Extracted config: smokeloader
Version: 2020
Extracted config: vidar
Version: 39.7
Botnet: 408
C2: https://shpak125.tumblr.com/
profile_id: 408
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes (resource, yara rule):
behavioral1/memory/1072-74-0x0000000000220000-0x00000000002BD000-memory.dmp family_vidar
behavioral1/memory/1072-81-0x0000000000400000-0x00000000004C3000-memory.dmp family_vidar
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes (pid, process):
568 93F6.exe
1072 B08B.exe
1060 B453.exe
1880 BE14.exe
1604 C102.exe
564 CE0E.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (CE0E.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (CE0E.exe)
-
Deletes itself 1 IoCs
Processes (pid, process):
1224 (process name not captured)
-
Themida packer 2 IoCs
Processes (resource, yara rule):
C:\Users\Admin\AppData\Local\Temp\CE0E.exe themida
behavioral1/memory/564-90-0x00000000011B0000-0x00000000011B1000-memory.dmp themida
-
Checks whether UAC is enabled 1 IoCs
Processes (description, ioc, process):
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (CE0E.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes (pid, process):
564 CE0E.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
PID 1996 set thread context of 1220: e32070f84919d59178bd08cfd39c9a4f.exe -> e32070f84919d59178bd08cfd39c9a4f.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (e32070f84919d59178bd08cfd39c9a4f.exe)
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (e32070f84919d59178bd08cfd39c9a4f.exe)
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (e32070f84919d59178bd08cfd39c9a4f.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
1220 e32070f84919d59178bd08cfd39c9a4f.exe (2 entries)
1224 (process name not captured; all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
1224 (process name not captured)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
1220 e32070f84919d59178bd08cfd39c9a4f.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
Token: SeShutdownPrivilege, pid 1224 (process name not captured)
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid, process):
1224 (process name not captured; 4 entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid, process):
1224 (process name not captured; 4 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
568 93F6.exe
-
Suspicious use of WriteProcessMemory 41 IoCs
Processes (description, pid, process, target process), grouped by source/target pair:
PID 1996 wrote to memory of 1220: e32070f84919d59178bd08cfd39c9a4f.exe -> e32070f84919d59178bd08cfd39c9a4f.exe (7 entries)
PID 1224 wrote to memory of 568: (process name not captured) -> 93F6.exe (4 entries)
PID 1224 wrote to memory of 1072: (process name not captured) -> B08B.exe (4 entries)
PID 1224 wrote to memory of 1060: (process name not captured) -> B453.exe (4 entries)
PID 1224 wrote to memory of 1880: (process name not captured) -> BE14.exe (4 entries)
PID 1224 wrote to memory of 1604: (process name not captured) -> C102.exe (4 entries)
PID 1224 wrote to memory of 564: (process name not captured) -> CE0E.exe (7 entries)
PID 1224 wrote to memory of 1740: (process name not captured) -> DAFA.exe (7 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\e32070f84919d59178bd08cfd39c9a4f.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\93F6.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\93F6.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\B08B.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\B08B.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B453.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\B453.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\BE14.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\BE14.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\C102.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\C102.exe
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CE0E.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\CE0E.exe
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\DAFA.exe (depth 1)
Command line: C:\Users\Admin\AppData\Local\Temp\DAFA.exe
Downloads