Analysis
-
max time kernel
151s -
max time network
142s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-12-2021 11:33
General
-
Target
7d3c4da80454fa8f539373d5d5827d11c423e17274e4b2aec6621c60b2c4db66.exe
-
Size
133KB
-
MD5
7c03c97735fb70b3f30612a33716d68d
-
SHA1
e347bc8aa043efd3ee5575dd3753b1ec4583b3f5
-
SHA256
7d3c4da80454fa8f539373d5d5827d11c423e17274e4b2aec6621c60b2c4db66
-
SHA512
0551b90dcf8514d70e433fa45f55f0d792d5870da9088c809049facb0c46475f1cad02175989084bc97cf9c85a82ba70a25d7079d6a034811576b2d37486b504
Malware Config
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
systembc
185.70.184.41:4001
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d3c4da80454fa8f539373d5d5827d11c423e17274e4b2aec6621c60b2c4db66.exe"C:\Users\Admin\AppData\Local\Temp\7d3c4da80454fa8f539373d5d5827d11c423e17274e4b2aec6621c60b2c4db66.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BEC3.exeC:\Users\Admin\AppData\Local\Temp\BEC3.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\BEC3.exeC:\Users\Admin\AppData\Local\Temp\BEC3.exe start1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
2b8c1c80169614e46daf2791ae19b0bf
SHA1f3f5b926b2ae173c6345f6555c0c54b89901353c
SHA2563c642364e0da70a678aea937735f5bc945c8973820e6cc4ff8a3a31eae45d4fa
SHA5129505c0568ff4d8e96cf0365b316a9a4787552042ec4621b9cff17f8ee1b96658896b85809b37b6514919f1ec86f4980a6d301079cd02dc44f9bf550da5d4fbcc
-
MD5
2b8c1c80169614e46daf2791ae19b0bf
SHA1f3f5b926b2ae173c6345f6555c0c54b89901353c
SHA2563c642364e0da70a678aea937735f5bc945c8973820e6cc4ff8a3a31eae45d4fa
SHA5129505c0568ff4d8e96cf0365b316a9a4787552042ec4621b9cff17f8ee1b96658896b85809b37b6514919f1ec86f4980a6d301079cd02dc44f9bf550da5d4fbcc
-
MD5
2b8c1c80169614e46daf2791ae19b0bf
SHA1f3f5b926b2ae173c6345f6555c0c54b89901353c
SHA2563c642364e0da70a678aea937735f5bc945c8973820e6cc4ff8a3a31eae45d4fa
SHA5129505c0568ff4d8e96cf0365b316a9a4787552042ec4621b9cff17f8ee1b96658896b85809b37b6514919f1ec86f4980a6d301079cd02dc44f9bf550da5d4fbcc
-
Filesize
88KB
-
Filesize
1.3MB
-
Filesize
32KB
-
Filesize
4.1MB
-
-
Filesize
24KB
-
Filesize
20KB
-
Filesize
4.1MB
-
Filesize
4.1MB