Analysis
- max time kernel: 151s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 08-01-2022 15:51
- Static task: static1
- Behavioral task: behavioral1
- Sample: 42c9365b1284d5e5e95be8c82e3eb480.exe
- Resource: win7-en-20211208
General
- Target: 42c9365b1284d5e5e95be8c82e3eb480.exe
- Size: 271KB
- MD5: 42c9365b1284d5e5e95be8c82e3eb480
- SHA1: af966c6db72acf8ccdab4d39f7f328043c3ad592
- SHA256: 47c2ec67d40d8e342db29823981ab4539c758486d30d00bd15106acdb39a96cc
- SHA512: b5fd84c5fc5b2fa94227f9732af2b5ced856349f37a1a1175a3bcd4065a016bc5c129b8e52ade6ec8bfe2c7a11f5bd2a0af527cb6901320f7e2136b81022a660
Malware Config
Extracted: smokeloader (2020)
- http://nahbleiben.at/upload/
- http://noblecreativeaz.com/upload/
- http://tvqaq.cn/upload/
- http://recmaster.ru/upload/
- http://sovels.ru/upload/
Extracted: danabot (4)
- 192.119.110.4:443
- 192.236.194.72:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures
- Danabot Loader Component (4 IoCs)
  Processes (resource, yara_rule):
  - \Users\Admin\AppData\Local\Temp\3777.exe.dll: DanabotLoader2021
  - C:\Users\Admin\AppData\Local\Temp\3777.exe.dll: DanabotLoader2021
  - C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll: DanabotLoader2021
  - \Users\Admin\AppData\Local\Temp\4DB0.exe.dll: DanabotLoader2021
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 4368 3777.exe
  - 4344 4DB0.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 396 (no image name recorded)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
  - 3980 rundll32.exe
  - 4524 rundll32.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 42c9365b1284d5e5e95be8c82e3eb480.exe
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 42c9365b1284d5e5e95be8c82e3eb480.exe
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 42c9365b1284d5e5e95be8c82e3eb480.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 3440 42c9365b1284d5e5e95be8c82e3eb480.exe (2 entries)
  - 396 (no image name recorded; remaining 62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid, process):
  - 396 (no image name recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
  - 3440 42c9365b1284d5e5e95be8c82e3eb480.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process); each entry was recorded three times:
  - PID 396 wrote to memory of 4368: pid 396 (no image name recorded) -> 3777.exe (3 entries)
  - PID 396 wrote to memory of 4344: pid 396 (no image name recorded) -> 4DB0.exe (3 entries)
  - PID 4368 wrote to memory of 3980: pid 4368 3777.exe -> rundll32.exe (3 entries)
  - PID 4344 wrote to memory of 4524: pid 4344 4DB0.exe -> rundll32.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\42c9365b1284d5e5e95be8c82e3eb480.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\3777.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3777.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3777.exe.dll,z C:\Users\Admin\AppData\Local\Temp\3777.exe
    - Loads dropped DLL
- C:\Users\Admin\AppData\Local\Temp\4DB0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4DB0.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll,z C:\Users\Admin\AppData\Local\Temp\4DB0.exe
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3777.exe
  MD5: f8151b5d4c4e62166a8c2e914f54cbb7
  SHA1: ee9da83f51b904db29d14847a013c4cff7ea6711
  SHA256: 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
  SHA512: 0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084
- C:\Users\Admin\AppData\Local\Temp\3777.exe.dll
  MD5: 77114117c5084723a9a731b042520d7a
  SHA1: b46be9611f81365bc88c096afd4f90ab377c1ab6
  SHA256: 9cc189ff5873f6836dad2de1dc92fa2b7251de4813cf27a947193c2c0a3f04ad
  SHA512: 0748a7f41cbb181fae96d38abf7655662313dec63a1578ce660ef0a923db3f620598918f4dc910c3e78dcbb8654d891edf0c6d8e3e652d13083fd3aca7d9c62d
- C:\Users\Admin\AppData\Local\Temp\4DB0.exe
  MD5: f8151b5d4c4e62166a8c2e914f54cbb7
  SHA1: ee9da83f51b904db29d14847a013c4cff7ea6711
  SHA256: 7d3b2e91c3cfb16df02f63b973c69a2047b8031295a49e4fffa0fad3dba975f0
  SHA512: 0e141cee03549a768d284381bd8751b3b3b18805bffa1ada7e4a7c44c3d50fae190d6a4d82ddaee76c82f2a853190549a2d6d1f3a3fdfef425cff3499933b084
- C:\Users\Admin\AppData\Local\Temp\4DB0.exe.dll
  MD5: 990d9475a4c1ce154a351e07928514f2
  SHA1: b94a23d4170084f948a168e70d6b9f62745ec7c9
  SHA256: ed08e1bad85fac0f1b9dc1aa4694d687a49489b7193818c7ec7fc6e0af3eda0d
  SHA512: cc440f14314da96a88a9c6539da6ae4829b7506ae2e593b22a5a8739bd510ff9b67b823962f480268a63c7bbc774c65347a7051ab9001590073620c3b42649ba
- \Users\Admin\AppData\Local\Temp\3777.exe.dll
  MD5: 77114117c5084723a9a731b042520d7a
  SHA1: b46be9611f81365bc88c096afd4f90ab377c1ab6
  SHA256: 9cc189ff5873f6836dad2de1dc92fa2b7251de4813cf27a947193c2c0a3f04ad
  SHA512: 0748a7f41cbb181fae96d38abf7655662313dec63a1578ce660ef0a923db3f620598918f4dc910c3e78dcbb8654d891edf0c6d8e3e652d13083fd3aca7d9c62d
- \Users\Admin\AppData\Local\Temp\4DB0.exe.dll
  MD5: 990d9475a4c1ce154a351e07928514f2
  SHA1: b94a23d4170084f948a168e70d6b9f62745ec7c9
  SHA256: ed08e1bad85fac0f1b9dc1aa4694d687a49489b7193818c7ec7fc6e0af3eda0d
  SHA512: cc440f14314da96a88a9c6539da6ae4829b7506ae2e593b22a5a8739bd510ff9b67b823962f480268a63c7bbc774c65347a7051ab9001590073620c3b42649ba
- memory/396-118-0x0000000000B20000-0x0000000000B36000-memory.dmp (Filesize: 88KB)
- memory/3440-115-0x0000000002B80000-0x0000000002CCA000-memory.dmp (Filesize: 1.3MB)
- memory/3440-117-0x0000000000400000-0x0000000002B79000-memory.dmp (Filesize: 39.5MB)
- memory/3440-116-0x0000000002B80000-0x0000000002CCA000-memory.dmp (Filesize: 1.3MB)
- memory/3980-129-0x0000000000000000-mapping.dmp
- memory/4344-125-0x0000000000000000-mapping.dmp
- memory/4344-128-0x0000000000400000-0x0000000002C53000-memory.dmp (Filesize: 40.3MB)
- memory/4368-119-0x0000000000000000-mapping.dmp
- memory/4368-122-0x00000000049C0000-0x0000000004AA2000-memory.dmp (Filesize: 904KB)
- memory/4368-124-0x0000000000400000-0x0000000002C53000-memory.dmp (Filesize: 40.3MB)
- memory/4368-123-0x0000000004AB0000-0x0000000004BAA000-memory.dmp (Filesize: 1000KB)
- memory/4524-132-0x0000000000000000-mapping.dmp