Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-09-2021 20:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe
- Resource: win10-en-20210920
General
- Target: 2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe
- Size: 149KB
- MD5: d1d269f0657a03bfd2c038f27d726cbc
- SHA1: 8a1d69853f2dbb5945b8a70b1fef413b5854c0f1
- SHA256: 2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44
- SHA512: ec7d03c2d6623eb909cc518c11a3934b65f9e7947e71105cd0d47096f1fa6cd607e4997c6b7dea1309a2d9a5ee6ac88f4aa956d67a7062ef303d7fab2b9b583f
Malware Config
- Extracted family: smokeloader
- Version: 2020
- Extracted URLs: 10 (.top domains)
Signatures
- SmokeLoader: Modular backdoor trojan in use since 2014.
- Executes dropped EXE (2 IoCs)
  Processes: pid 3020 wgchuts; pid 3124 wgchuts
- Deletes itself (1 IoC)
  Processes: pid 3064
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 2384 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe) set thread context of 2632 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe)
  - PID 3020 (wgchuts) set thread context of 3124 (wgchuts)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  - 2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe: key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - wgchuts: key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2632 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe), two entries; pid 3064, all remaining entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 3064
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: pid 2632 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe); pid 3124 (wgchuts)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token SeShutdownPrivilege, pid 3064; Token SeCreatePagefilePrivilege, pid 3064
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  - PID 2384 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe) wrote to memory of 2632 (2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe), 6 entries
  - PID 3020 (wgchuts) wrote to memory of 3124 (wgchuts), 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe (level 2, child of the process above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\wgchuts (level 1)
  Command line: C:\Users\Admin\AppData\Roaming\wgchuts
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\wgchuts (level 2, child of the process above)
    Command line: C:\Users\Admin\AppData\Roaming\wgchuts
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\wgchuts
  MD5: d1d269f0657a03bfd2c038f27d726cbc
  SHA1: 8a1d69853f2dbb5945b8a70b1fef413b5854c0f1
  SHA256: 2685220add8cee3abaf13ce39e42b40fcae63b02591a485d80e712ab8ca37c44
  SHA512: ec7d03c2d6623eb909cc518c11a3934b65f9e7947e71105cd0d47096f1fa6cd607e4997c6b7dea1309a2d9a5ee6ac88f4aa956d67a7062ef303d7fab2b9b583f
  All four hashes match the submitted sample, so the dropped file is a byte-for-byte copy of it placed under %AppData%.
- memory/2384-117-0x00000000001E0000-0x00000000001E9000-memory.dmp (Filesize: 36KB)
- memory/2632-115-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2632-116-0x0000000000402FA5-mapping.dmp
- memory/3064-118-0x0000000000920000-0x0000000000936000-memory.dmp (Filesize: 88KB)
- memory/3064-124-0x0000000000990000-0x00000000009A6000-memory.dmp (Filesize: 88KB)
- memory/3124-122-0x0000000000402FA5-mapping.dmp