Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
22-12-2021 13:40
General
-
Target
f29b9318b3be3c7017d20e72e0e7f060d77d8de05de7982203a9ef7275de8d89.exe
-
Size
326KB
-
MD5
98f68f3fd92f13094b4341600a31d136
-
SHA1
85d39680e430390ceae1e1da3b9134df669c5d2d
-
SHA256
f29b9318b3be3c7017d20e72e0e7f060d77d8de05de7982203a9ef7275de8d89
-
SHA512
68da4b80456c40dc307b5a69140716a22ee770f24dcbbbcc9dec6b5e1447cb1fe50a79e9d3974a98e8c7fc578dafeb51df46ac4e9d43be001268180d5c74f227
Malware Config
Extracted
smokeloader
2020
http://rcacademy.at/upload/
http://e-lanpengeonline.com/upload/
http://vjcmvz.cn/upload/
http://galala.ru/upload/
http://witra.ru/upload/
Extracted
systembc
185.70.184.41:4001
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Deletes itself 1 IoCs
-
Drops file in Windows directory 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f29b9318b3be3c7017d20e72e0e7f060d77d8de05de7982203a9ef7275de8d89.exe"C:\Users\Admin\AppData\Local\Temp\f29b9318b3be3c7017d20e72e0e7f060d77d8de05de7982203a9ef7275de8d89.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\7DA3.exeC:\Users\Admin\AppData\Local\Temp\7DA3.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\7DA3.exeC:\Users\Admin\AppData\Local\Temp\7DA3.exe start1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
8d91326c99f8cb867f886e065f88509f
SHA1a6d0b07a91cc81c6729cc0b01fba0a5ac743e606
SHA256086e9bc0fa2ae515cced5d746de30c0b8389e29ef756af95da84ec8e7c7359ec
SHA5128a3ea897ae19a957ed27157b460f05eb459b6397dbd1016bb1e9dbdbd25424bfcdcd7342cc4e64a51b002fbefc6d2746b4754b2dfde48e6d20c1d2065664b103
-
MD5
8d91326c99f8cb867f886e065f88509f
SHA1a6d0b07a91cc81c6729cc0b01fba0a5ac743e606
SHA256086e9bc0fa2ae515cced5d746de30c0b8389e29ef756af95da84ec8e7c7359ec
SHA5128a3ea897ae19a957ed27157b460f05eb459b6397dbd1016bb1e9dbdbd25424bfcdcd7342cc4e64a51b002fbefc6d2746b4754b2dfde48e6d20c1d2065664b103
-
MD5
8d91326c99f8cb867f886e065f88509f
SHA1a6d0b07a91cc81c6729cc0b01fba0a5ac743e606
SHA256086e9bc0fa2ae515cced5d746de30c0b8389e29ef756af95da84ec8e7c7359ec
SHA5128a3ea897ae19a957ed27157b460f05eb459b6397dbd1016bb1e9dbdbd25424bfcdcd7342cc4e64a51b002fbefc6d2746b4754b2dfde48e6d20c1d2065664b103
-
-
Filesize
20KB
-
Filesize
840KB
-
Filesize
64KB
-
Filesize
840KB
-
Filesize
1.3MB
-
Filesize
68KB
-
Filesize
840KB
-
Filesize
88KB