Analysis
  max time kernel:   4265104s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-en-20220112
  submitted:         15/01/2022, 04:19
  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
  Resource:          win10v2004-en-20220112
General
  Target:  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
  Size:    319KB
  MD5:     8f18b3951ebf449691a64b31cdb19f3e
  SHA1:    299884e381f8d243430b00732de3d6374a8cb245
  SHA256:  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c
  SHA512:  26e979d335d72954550915efe62fad1d07a0981ec4f9502ed81115cefaf329fb5bfd161cf4f5e634dc389fb77f1a186c7827f3bd2c8ac167821f6fd266570b89
Malware Config
Extracted
  Family:   smokeloader
  Version:  2020
Extracted
  Family:  arkei
  Botnet:  Default
  C2:      http://file-file-host4.com/tratata.php
Extracted
  Family:  tofsee
  C2:      patmushta.info
           parubey.info
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description             pid   Process       procid_target
PID 3016 created 1020   3016  WerFault.exe  62
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
Arkei Stealer Payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/memory/1020-151-0x0000000000770000-0x000000000078C000-memory.dmp  family_arkei
behavioral1/memory/1020-152-0x0000000000400000-0x0000000000560000-memory.dmp  family_arkei
Creates new service(s) (1 TTP)

Downloads MZ/PE file
Executes dropped EXE (6 IoCs)
pid   Process
4012  7472.exe
1020  7A8D.exe
2912  7DDA.exe
3112  7FBF.exe
3956  rchhlcno.exe
3528  7FBF.exe
Modifies Windows Firewall (1 TTP)

Sets service image path in registry (2 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                  Process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  7DDA.exe
Drops file in System32 directory (1 IoC)
description   ioc                                               Process
File created  C:\Windows\SysWOW64\config\systemprofile:.repos   svchost.exe
Suspicious use of SetThreadContext (3 IoCs)
description                           pid   Process                                                               procid_target
PID 2696 set thread context of 1940   2696  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe  54
PID 3956 set thread context of 4048   3956  rchhlcno.exe                                                          81
PID 3112 set thread context of 3528   3112  7FBF.exe                                                              73
Launches sc.exe
sc.exe is a Windows utility used to control services on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (3 IoCs)
pid   pid_target  Process       procid_target
3756  3956        WerFault.exe  76
3844  2912        WerFault.exe  63
3316  1020        WerFault.exe  62
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                                Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7472.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7472.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   7472.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     MusNotification.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                MusNotification.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description        ioc                                                        Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS         WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Modifies data under HKEY_USERS (2 IoCs)
description       ioc                                                                      Process
Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = (value omitted)    svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\Control Panel\Buses                              svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2484  Process not Found
Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
1940  4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
4012  7472.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
description                       pid   Process
Token: SeShutdownPrivilege        776   MusNotification.exe
Token: SeCreatePagefilePrivilege  776   MusNotification.exe
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeDebugPrivilege           3112  7FBF.exe
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Token: SeRestorePrivilege         3316  WerFault.exe
Token: SeBackupPrivilege          3316  WerFault.exe
Token: SeShutdownPrivilege        2484  Process not Found
Token: SeCreatePagefilePrivilege  2484  Process not Found
Suspicious use of WriteProcessMemory (51 IoCs)
Processes
(Bracketed number is the process depth in the tree; indented entries are children of the entry above.)

[1] C:\Users\Admin\AppData\Local\Temp\4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe"
    PID: 2696
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\4fd9309f1c39c28d69415f834c167a3fc943f1abf428e7c131f1b2f16bbb536c.exe"
        PID: 1940
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Windows\system32\MusNotification.exe
    Command: C:\Windows\system32\MusNotification.exe
    PID: 776
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7472.exe
    Command: C:\Users\Admin\AppData\Local\Temp\7472.exe
    PID: 4012
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\7A8D.exe
    Command: C:\Users\Admin\AppData\Local\Temp\7A8D.exe
    PID: 1020
    - Executes dropped EXE
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 552
        PID: 3316
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7DDA.exe
    Command: C:\Users\Admin\AppData\Local\Temp\7DDA.exe
    PID: 2912
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ckyvzhyv\
        PID: 844
    [2] C:\Windows\SysWOW64\cmd.exe
        Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rchhlcno.exe" C:\Windows\SysWOW64\ckyvzhyv\
        PID: 3396
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" create ckyvzhyv binPath= "C:\Windows\SysWOW64\ckyvzhyv\rchhlcno.exe /d\"C:\Users\Admin\AppData\Local\Temp\7DDA.exe\"" type= own start= auto DisplayName= "wifi support"
        PID: 3088
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" description ckyvzhyv "wifi internet conection"
        PID: 2004
    [2] C:\Windows\SysWOW64\sc.exe
        Command: "C:\Windows\System32\sc.exe" start ckyvzhyv
        PID: 236
    [2] C:\Windows\SysWOW64\netsh.exe
        Command: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        PID: 552
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 784
        PID: 3844
        - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\7FBF.exe
    Command: C:\Users\Admin\AppData\Local\Temp\7FBF.exe
    PID: 3112
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\7FBF.exe
        Command: C:\Users\Admin\AppData\Local\Temp\7FBF.exe
        PID: 3528
        - Executes dropped EXE

[1] C:\Windows\SysWOW64\ckyvzhyv\rchhlcno.exe
    Command: C:\Windows\SysWOW64\ckyvzhyv\rchhlcno.exe /d"C:\Users\Admin\AppData\Local\Temp\7DDA.exe"
    PID: 3956
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\svchost.exe
        Command: svchost.exe
        PID: 4048
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command: C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 528
        PID: 3756
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2912 -ip 2912
    PID: 1152

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3956 -ip 3956
    PID: 100

[1] C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1020 -ip 1020
    PID: 3016
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Suspicious use of WriteProcessMemory