Overview

overview

10

Static

static

9080ab9859...ed.exe

windows7_x64

10

9080ab9859...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29-08-2021 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9080ab9859bb892a940cf84b2e36d7ed.exe

  • Size

    143KB

  • MD5

    9080ab9859bb892a940cf84b2e36d7ed

  • SHA1

    873bd3f48cb086ec5c64de1616f9323d23f110d7

  • SHA256

    bf520bbd4e544a6129d12c481b7347b6007a10dfdb744d2c79a1a245dc76e3c8

  • SHA512

    9a32eeb1f4f9c1ff4ac2a74a8af63cafd3c6a44ea74d682183f840ea6d54c9cb0fc16e6957343b6aa37d901d0507f035af2c8cbb08fef8709b228b2073cb9429

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9080ab9859bb892a940cf84b2e36d7ed.exe
    "C:\Users\Admin\AppData\Local\Temp\9080ab9859bb892a940cf84b2e36d7ed.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\9080ab9859bb892a940cf84b2e36d7ed.exe
      "C:\Users\Admin\AppData\Local\Temp\9080ab9859bb892a940cf84b2e36d7ed.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2820
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:492
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:208
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:2272
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:2256
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:3536
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:3560
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:3652
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:2212
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:3692
                    • C:\Users\Admin\AppData\Roaming\rwtdiub
                      C:\Users\Admin\AppData\Roaming\rwtdiub
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:4072
                      • C:\Users\Admin\AppData\Roaming\rwtdiub
                        C:\Users\Admin\AppData\Roaming\rwtdiub
                        2⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:2608

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\rwtdiub
                      MD5

                      9080ab9859bb892a940cf84b2e36d7ed

                      SHA1

                      873bd3f48cb086ec5c64de1616f9323d23f110d7

                      SHA256

                      bf520bbd4e544a6129d12c481b7347b6007a10dfdb744d2c79a1a245dc76e3c8

                      SHA512

                      9a32eeb1f4f9c1ff4ac2a74a8af63cafd3c6a44ea74d682183f840ea6d54c9cb0fc16e6957343b6aa37d901d0507f035af2c8cbb08fef8709b228b2073cb9429

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\rwtdiub
                      MD5

                      9080ab9859bb892a940cf84b2e36d7ed

                      SHA1

                      873bd3f48cb086ec5c64de1616f9323d23f110d7

                      SHA256

                      bf520bbd4e544a6129d12c481b7347b6007a10dfdb744d2c79a1a245dc76e3c8

                      SHA512

                      9a32eeb1f4f9c1ff4ac2a74a8af63cafd3c6a44ea74d682183f840ea6d54c9cb0fc16e6957343b6aa37d901d0507f035af2c8cbb08fef8709b228b2073cb9429

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\rwtdiub
                      MD5

                      9080ab9859bb892a940cf84b2e36d7ed

                      SHA1

                      873bd3f48cb086ec5c64de1616f9323d23f110d7

                      SHA256

                      bf520bbd4e544a6129d12c481b7347b6007a10dfdb744d2c79a1a245dc76e3c8

                      SHA512

                      9a32eeb1f4f9c1ff4ac2a74a8af63cafd3c6a44ea74d682183f840ea6d54c9cb0fc16e6957343b6aa37d901d0507f035af2c8cbb08fef8709b228b2073cb9429

                      Download Submit

                    • memory/208-121-0x0000000000CA0000-0x0000000000CA7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/208-122-0x0000000000C90000-0x0000000000C9C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/208-119-0x0000000000000000-mapping.dmp

                      Download

                    • memory/492-118-0x0000000000000000-mapping.dmp

                      Download

                    • memory/492-120-0x0000000000540000-0x00000000005B4000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/492-126-0x00000000004D0000-0x000000000053B000-memory.dmp

                      Filesize

                      428KB

                      Download

                    • memory/740-116-0x0000000001D80000-0x0000000001ECA000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/2212-139-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2212-141-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2212-140-0x0000000000FB0000-0x0000000000FB5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2256-127-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2256-129-0x0000000000140000-0x000000000014F000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/2256-128-0x0000000000150000-0x0000000000159000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2272-123-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2272-124-0x00000000003F0000-0x00000000003F7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/2272-125-0x00000000003E0000-0x00000000003EB000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/2536-117-0x0000000000880000-0x0000000000896000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2536-151-0x0000000000730000-0x0000000000746000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2608-148-0x0000000000402FAB-mapping.dmp

                      Download

                    • memory/2820-114-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2820-115-0x0000000000402FAB-mapping.dmp

                      Download

                    • memory/3536-130-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3536-131-0x0000000000C90000-0x0000000000C95000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3536-132-0x0000000000C80000-0x0000000000C89000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3560-135-0x00000000003F0000-0x00000000003FC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3560-134-0x0000000000680000-0x0000000000686000-memory.dmp

                      Filesize

                      24KB

                      Download

                    • memory/3560-133-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3652-137-0x0000000000FD0000-0x0000000000FD4000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/3652-138-0x0000000000FC0000-0x0000000000FC9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3652-136-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3692-144-0x0000000000A90000-0x0000000000A99000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3692-143-0x0000000000AA0000-0x0000000000AA5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3692-142-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4072-150-0x0000000001D80000-0x0000000001ECA000-memory.dmp

                      Filesize

                      1.3MB

                      Download