Overview

overview

10

Static

static

60cdab3742...65.exe

windows7_x64

10

60cdab3742...65.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    28-10-2021 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    60cdab374236b2efe894bce090719365.exe

  • Size

    339KB

  • MD5

    60cdab374236b2efe894bce090719365

  • SHA1

    fe35e203023a64e0831bdb8b4b27fc28e1feb0db

  • SHA256

    0c4a2dc11b12ad8545e5397eff8bcde53238c2283905e7b49610f9cafa779800

  • SHA512

    8654d91ab7c1d824c9802e2395dad3f224fc2417599c359c3d80a89b97b1331c78755369aacd2ec00dea757e165d0b7df87c3dc3ae92574ac735e5e4ee7f4da9

Score
10/10
smokeloaderbackdoorsuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60cdab374236b2efe894bce090719365.exe
    "C:\Users\Admin\AppData\Local\Temp\60cdab374236b2efe894bce090719365.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\B06B.exe
    C:\Users\Admin\AppData\Local\Temp\B06B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dfpc5t_b.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:540
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6E6.tmp"
          4⤵
            PID:1984
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:296
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1716
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1732
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {943541DF-ACE8-41CA-BC7C-9762982B1B92} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Roaming\drrbiwr
        C:\Users\Admin\AppData\Roaming\drrbiwr
        2⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: MapViewOfSection
        PID:1452

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\B06B.exe
      MD5

      63151e4f7c3972f18a23c0e9996e14ef

      SHA1

      5d041fde6433a8ff8fc78a69fca1fd4630e3f270

      SHA256

      cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

      SHA512

      f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RESE6E7.tmp
      MD5

      bbbaa5b5b0ca5db0e7cd243f6bcba650

      SHA1

      b91dbde53ecdee573354965673041ec1c36b4429

      SHA256

      a2e9dc981f532c5d2e67653a5b1d54bb70b5f1d2bc3fb4d7a7cfffbb53da0b95

      SHA512

      368bb3835af98df53d2e9dfc69e5a6170edfdea6bcc289c87a55bf65bb23e35781de88405e89b7ba5fb97735fc2c767d04f65905cb5f49413958ffaedc5f9c5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dfpc5t_b.dll
      MD5

      cd4156693ad180cb9f0e263228ad6a81

      SHA1

      475b1ff18dc9b0a06cedc77a5efa81a070494ca5

      SHA256

      775305a007c2b1c8d8753a62e7d769c1d629e5419a269d33e60c426ca3fc5c7c

      SHA512

      a8704b6f59f19fc0855f8bc518a9f88dda44f511efbacd5f739e48d3154d06f7e4f7ef2fc46bc563fa675f1717ea99c744e6f24f76fdfe49d0c633e05b016b7d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dfpc5t_b.pdb
      MD5

      81cab078ec78a8e6f15f7493c07444d9

      SHA1

      699e6dc765e01b62aaff4ed75d5e911084676c21

      SHA256

      1be07f7f60d3b3d2845a4d08179e35aafbf1c87eefead96c9addc1f002b49931

      SHA512

      a2a693a65d4e1b3fa8c7fec7b52b554fad194bf888b662cd0fed48ecb12fe6264eb3aad2e032175e35a5e414af053cf5fcbf6605deaf8e2678d26a2e2ee86ce9

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1
      MD5

      f783019c5dc4a5477d1ffd4f9f512979

      SHA1

      37c8d1e5dd2ebce647c4e0a92f8598ebf2fdcc7b

      SHA256

      4c81fee866a87b2de6e10640fe094f0db29258014177e294ac94a819940f5348

      SHA512

      64d90352f4466f0097dd2c7ace8ccb155947dda8ae148c8c6ba1507a9e879247fab2eba452c812ba628a65de93cc096dabfcb23d2be4b525a92e5ef9e4b57d6a

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\ready.ps1
      MD5

      28d9755addec05c0b24cca50dfe3a92b

      SHA1

      7d3156f11c7a7fb60d29809caf93101de2681aa3

      SHA256

      abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9

      SHA512

      891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      81ce18889b9c4cf3591b042e06f23530

      SHA1

      646a0f57ac9361a07db4b956f7a71dbc74eea359

      SHA256

      131d9dfc22a591e10190f6c3a0da0bc616cd0e09b5a7021558f41089dcb682fe

      SHA512

      14a911a23a3ef2d6af6d58dda80e704599659d7108671cc9ede75659d1374e3c89d023f9dbf1a8efae06e93b9323491484b5e95ecdb44154ffbcc3f3dd6ad9f2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      81ce18889b9c4cf3591b042e06f23530

      SHA1

      646a0f57ac9361a07db4b956f7a71dbc74eea359

      SHA256

      131d9dfc22a591e10190f6c3a0da0bc616cd0e09b5a7021558f41089dcb682fe

      SHA512

      14a911a23a3ef2d6af6d58dda80e704599659d7108671cc9ede75659d1374e3c89d023f9dbf1a8efae06e93b9323491484b5e95ecdb44154ffbcc3f3dd6ad9f2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      MD5

      81ce18889b9c4cf3591b042e06f23530

      SHA1

      646a0f57ac9361a07db4b956f7a71dbc74eea359

      SHA256

      131d9dfc22a591e10190f6c3a0da0bc616cd0e09b5a7021558f41089dcb682fe

      SHA512

      14a911a23a3ef2d6af6d58dda80e704599659d7108671cc9ede75659d1374e3c89d023f9dbf1a8efae06e93b9323491484b5e95ecdb44154ffbcc3f3dd6ad9f2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\drrbiwr
      MD5

      60cdab374236b2efe894bce090719365

      SHA1

      fe35e203023a64e0831bdb8b4b27fc28e1feb0db

      SHA256

      0c4a2dc11b12ad8545e5397eff8bcde53238c2283905e7b49610f9cafa779800

      SHA512

      8654d91ab7c1d824c9802e2395dad3f224fc2417599c359c3d80a89b97b1331c78755369aacd2ec00dea757e165d0b7df87c3dc3ae92574ac735e5e4ee7f4da9

      Download Submit
    • C:\Users\Admin\AppData\Roaming\drrbiwr
      MD5

      60cdab374236b2efe894bce090719365

      SHA1

      fe35e203023a64e0831bdb8b4b27fc28e1feb0db

      SHA256

      0c4a2dc11b12ad8545e5397eff8bcde53238c2283905e7b49610f9cafa779800

      SHA512

      8654d91ab7c1d824c9802e2395dad3f224fc2417599c359c3d80a89b97b1331c78755369aacd2ec00dea757e165d0b7df87c3dc3ae92574ac735e5e4ee7f4da9

      Download Submit
    • \??\PIPE\srvsvc
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\CSCE6E6.tmp
      MD5

      4c86b88852339bedc0dafd8bdf5c5c1e

      SHA1

      2d13421fd55535067c78e6066e86237c505d87c2

      SHA256

      ced444d2266ffd4af456bdc828aa8465a6dc47c9e6bf074013dc958fdff0092f

      SHA512

      ebad92c06ffa6d7891876eae471d308adfcddad4bd190f8b09cc98508b3326dc28f158d7a2f53101bfb1bf69e7bc4813b2db6f29446075a02ee557160733cd3e

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\dfpc5t_b.0.cs
      MD5

      9f8ab7eb0ab21443a2fe06dab341510e

      SHA1

      2b88b3116a79e48bab7114e18c9b9674e8a52165

      SHA256

      e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9

      SHA512

      53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\dfpc5t_b.cmdline
      MD5

      5cf091d400aa3eab0ed688a86c9845ae

      SHA1

      553d3959f49cdec6ac712a037b08e02769a8ef2b

      SHA256

      3031fa8a2b4f5f8bb09eeb5c5a0f20a291ce153b7514e45d68e0fd5c1cda9feb

      SHA512

      36d03409313172570fd4479f19bd8663aa9266ede4aee2fb34fe8c4d1c3b40307ad45aabf471e2b84e9dc5d8770c498644fd7633adc052dd74dd93e7f8134c8c

      Download Submit
    • \Users\Admin\AppData\Local\Temp\B06B.exe
      MD5

      63151e4f7c3972f18a23c0e9996e14ef

      SHA1

      5d041fde6433a8ff8fc78a69fca1fd4630e3f270

      SHA256

      cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

      SHA512

      f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

      Download Submit
    • \Users\Admin\AppData\Local\Temp\B06B.exe
      MD5

      63151e4f7c3972f18a23c0e9996e14ef

      SHA1

      5d041fde6433a8ff8fc78a69fca1fd4630e3f270

      SHA256

      cc28e327610e9deb6551c99a32a44fec86220f2840276474ded747580af850d3

      SHA512

      f08c402f0a966cbe89fae0b5f9aa8536d6313dada788486a4db422a042769713a2896753acd47223348349b9960b5cde9470cc862668e2cdb90a6fcc1b87c8ec

      Download Submit
    • memory/296-96-0x000000001B970000-0x000000001BC6F000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/296-95-0x0000000002964000-0x0000000002967000-memory.dmp
      Filesize

      12KB

      Download
    • memory/296-89-0x0000000000000000-mapping.dmp
      Download
    • memory/296-92-0x000007FEEB1E0000-0x000007FEEBD3D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/296-94-0x0000000002962000-0x0000000002964000-memory.dmp
      Filesize

      8KB

      Download
    • memory/296-93-0x0000000002960000-0x0000000002962000-memory.dmp
      Filesize

      8KB

      Download
    • memory/296-97-0x0000000002967000-0x0000000002968000-memory.dmp
      Filesize

      4KB

      Download
    • memory/296-98-0x000000000296C000-0x000000000298B000-memory.dmp
      Filesize

      124KB

      Download
    • memory/540-77-0x0000000000000000-mapping.dmp
      Download
    • memory/540-81-0x0000000002240000-0x0000000002242000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1268-59-0x0000000002B60000-0x0000000002B76000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1268-126-0x0000000003C80000-0x0000000003C96000-memory.dmp
      Filesize

      88KB

      Download
    • memory/1452-121-0x0000000000000000-mapping.dmp
      Download
    • memory/1452-123-0x0000000002D9D000-0x0000000002DAD000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1452-125-0x0000000000400000-0x0000000002BAF000-memory.dmp
      Filesize

      39.7MB

      Download
    • memory/1664-62-0x0000000000000000-mapping.dmp
      Download
    • memory/1664-69-0x00000000412C7000-0x00000000412C8000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1664-68-0x00000000412C6000-0x00000000412C7000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1664-66-0x00000000412C2000-0x00000000412C4000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1664-67-0x00000000412C4000-0x00000000412C6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1664-64-0x0000000041740000-0x0000000041B3F000-memory.dmp
      Filesize

      4.0MB

      Download
    • memory/1716-106-0x0000000002834000-0x0000000002837000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1716-113-0x000000000283C000-0x000000000285B000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1716-99-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-102-0x000007FEEB1E0000-0x000007FEEBD3D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1716-103-0x0000000002830000-0x0000000002832000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1716-104-0x0000000002837000-0x0000000002838000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1716-105-0x0000000002832000-0x0000000002834000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1728-56-0x00000000764D1000-0x00000000764D3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1728-57-0x0000000000220000-0x0000000000229000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1728-58-0x0000000000400000-0x0000000002BAF000-memory.dmp
      Filesize

      39.7MB

      Download
    • memory/1728-55-0x0000000002D7D000-0x0000000002D8D000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1732-117-0x0000000002372000-0x0000000002374000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1732-119-0x0000000002377000-0x0000000002378000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1732-118-0x0000000002374000-0x0000000002377000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1732-112-0x000007FEEB1E0000-0x000007FEEBD3D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1732-114-0x000000001B8C0000-0x000000001BBBF000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1732-108-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-115-0x0000000002370000-0x0000000002372000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1732-116-0x000000000237C000-0x000000000239B000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1948-88-0x00000000026BD000-0x00000000026BE000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1948-74-0x0000000002692000-0x0000000002694000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1948-75-0x0000000002694000-0x0000000002697000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1948-72-0x000007FEEB1E0000-0x000007FEEBD3D000-memory.dmp
      Filesize

      11.4MB

      Download
    • memory/1948-71-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1948-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1948-73-0x0000000002690000-0x0000000002692000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1948-80-0x000000000269B000-0x00000000026BA000-memory.dmp
      Filesize

      124KB

      Download
    • memory/1984-82-0x0000000000000000-mapping.dmp
      Download