Overview

overview

10

Static

static

10

1.bin/1.exe

windows10_x64

10

2019-09-02...10.exe

windows10_x64

10

31.exe

windows10_x64

10

3DMark 11 ...on.exe

windows10_x64

1

5da0116af4...18.exe

windows10_x64

10

Archive.zi...3e.exe

windows10_x64

6

CVE-2018-1...oC.swf

windows10_x64

3

CVWSHSetup...1].exe

windows10_x64

4

DiskIntern...en.exe

windows10_x64

1

ForceOp 2....ce.exe

windows10_x64

10

HYDRA.exe

windows10_x64

10

Keygen.exe

windows10_x64

10

Lonelyscre...ox.exe

windows10_x64

1

LtHv0O2KZDK4M637.exe

windows10_x64

10

Magic_File...ja.exe

windows10_x64

1

OnlineInstaller.exe

windows10_x64

10

Remouse.Mi...cg.exe

windows10_x64

1

SecurityTa...up.exe

windows10_x64

8

Treasure.V...ox.exe

windows10_x64

1

VyprVPN.exe

windows10_x64

10

WSHSetup[1].exe

windows10_x64

3

___ _ ____...��.exe

windows10_x64

10

___ _ ____...��.exe

windows10_x64

10

amtemu.v0....ed.exe

windows10_x64

10

api.exe

windows10_x64

1

default.exe

windows10_x64

10

efd97b1038...ea4.js

windows10_x64

3

good.exe

windows10_x64

10

infected d...er.exe

windows10_x64

8

oof.exe

windows10_x64

10

ou55sg33s_1.exe

windows10_x64

10

update.exe

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    336s
  • max time network
    354s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    12-11-2021 18:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HYDRA.exe

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

Score
10/10
smokeloaderbackdoorpersistencesuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3

    suricata: ET MALWARE Possible Sharik/Smoke Loader Microsoft Connectivity check M3

    suricata
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 9

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 9

    suricata
  • Executes dropped EXE 7 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
    "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zltwkivr.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF6A1.tmp"
            5⤵
              PID:760
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:640
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe"
              4⤵
                PID:1384
          • C:\Users\Admin\AppData\Roaming\va.exe
            C:\Users\Admin\AppData\Roaming\va.exe
            2⤵
            • Executes dropped EXE
            • Drops startup file
            PID:1172
          • C:\Users\Admin\AppData\Roaming\ufx.exe
            C:\Users\Admin\AppData\Roaming\ufx.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\ProgramData\ucp\usc.exe
              "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1732
              • C:\Windows\SysWOW64\SCHTASKS.exe
                SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
                4⤵
                • Creates scheduled task(s)
                PID:2484
          • C:\Users\Admin\AppData\Roaming\sant.exe
            C:\Users\Admin\AppData\Roaming\sant.exe
            2⤵
            • Executes dropped EXE
            • Maps connected drives based on registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:4088
            • C:\Windows\SysWOW64\explorer.exe
              explorer.exe
              3⤵
              • Adds Run key to start application
              PID:3668
          • C:\Users\Admin\AppData\Roaming\power.exe
            C:\Users\Admin\AppData\Roaming\power.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1084

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1084-167-0x0000000008350000-0x0000000008351000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-178-0x0000000008C10000-0x0000000008C11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-166-0x0000000008040000-0x0000000008041000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-165-0x00000000080B0000-0x00000000080B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-164-0x00000000079E0000-0x00000000079E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-163-0x0000000004EF2000-0x0000000004EF3000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-168-0x0000000008770000-0x0000000008771000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-169-0x00000000087C0000-0x00000000087C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-162-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-161-0x0000000007A10000-0x0000000007A11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-160-0x0000000004F90000-0x0000000004F91000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-170-0x0000000004E50000-0x0000000004E51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-158-0x0000000004E50000-0x0000000004E51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-209-0x0000000009920000-0x0000000009921000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-159-0x0000000004E50000-0x0000000004E51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1688-144-0x0000000002702000-0x0000000002704000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1688-142-0x0000000002700000-0x0000000002702000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1688-143-0x00007FF9E21A0000-0x00007FF9E2CFD000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/2204-134-0x0000000000490000-0x00000000005DA000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3668-149-0x00000000011B0000-0x00000000015EF000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/3668-150-0x0000000000380000-0x000000000038A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3692-156-0x0000000000920000-0x0000000000922000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4088-130-0x00000000001D0000-0x00000000001DA000-memory.dmp

          Filesize

          40KB

          Download