Analysis

max time kernel: 4265100s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220112
submitted: 17/01/2022, 09:07
Static task: static1

Behavioral task: behavioral1
Sample: 91409398a37f95ac3501f372a7d9a6b8.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 91409398a37f95ac3501f372a7d9a6b8.exe
Resource: win10v2004-en-20220112
General

Target: 91409398a37f95ac3501f372a7d9a6b8.exe
Size: 277KB
MD5: 91409398a37f95ac3501f372a7d9a6b8
SHA1: fc8089310ec1d3c1a42d7aa5d343c8fe2f2b7731
SHA256: 39e1259929a3470b6d064daadf4742ddd59065fa1d72aa334ed298648f27697f
SHA512: 5e8d9d69da0a23f21f611272fe035e52ceec87fa0ae3ec5c07dcddaa908c41fc36ce67a64cc1de19b2ba69822ca5b43b4b18ab0ab25dcdd1b1dbb1a42c9a1282
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
arkei
Default
http://file-file-host4.com/tratata.php
Extracted
tofsee
patmushta.info
parubey.info
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description              pid   Process       procid_target
PID 1356 created 3384    1356  WerFault.exe  63
Arkei Stealer Payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3384-149-0x0000000000400000-0x00000000005D0000-memory.dmp  family_arkei
behavioral2/memory/3384-148-0x0000000000720000-0x000000000073C000-memory.dmp  family_arkei
Creates new service(s) (1 TTP)

Downloads MZ/PE file
Executes dropped EXE (6 IoCs)
pid   Process
3084  3D69.exe
3384  4421.exe
3024  472F.exe
744   48E5.exe
1208  gnizejvc.exe
1376  48E5.exe
Modifies Windows Firewall (1 TTP)

Sets service image path in registry (2 TTPs)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                Process
Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  472F.exe
Drops file in System32 directory (1 IoC)
description   ioc                                               Process
File created  C:\Windows\SysWOW64\config\systemprofile:.repos   svchost.exe
Suspicious use of SetThreadContext (3 IoCs)
description                          pid   Process                               procid_target
PID 764 set thread context of 4064   764   91409398a37f95ac3501f372a7d9a6b8.exe  53
PID 1208 set thread context of 1324  1208  gnizejvc.exe                          83
PID 744 set thread context of 1376   744   48E5.exe                              76
Launches sc.exe
sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (3 IoCs)
pid   pid_target  Process       procid_target
1392  3024        WerFault.exe  64
436   1208        WerFault.exe  77
1084  3384        WerFault.exe  63
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3D69.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3D69.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  91409398a37f95ac3501f372a7d9a6b8.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  91409398a37f95ac3501f372a7d9a6b8.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  91409398a37f95ac3501f372a7d9a6b8.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3D69.exe
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    MusNotification.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               MusNotification.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz               WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description        ioc                                                        Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WerFault.exe
Modifies data under HKEY_USERS (2 IoCs)
description       ioc                                                  Process
Set value (data)  \REGISTRY\USER\.DEFAULT\Control Panel\Buses\Config0 = 64fdd43f3b75c80724edb47d450dd49d084297dce82e72baa4c06d8ad73e781d4444a98b80cd945d24edb47d470dd49d024195daf71261adc06d04fda6e22673bbc9154961cda56815db844f7134e5a8644490bdb57c2ce493590cc4f4bd54758df21d5904fca16411dd824f753eec9d084295d9e13f4bb4c06d0cfdadfd542cd19c4d0e31faa16e10edc70f3252a0f40948f490b37d23e5965906c4f68d387287cc186270a4f93824dc814c723de6a85d1ccdbd606d2add9bd568a7c48d541de5ad743d73a2e6367b9ec60b440dd49d642df4bd679019d0e16d34fdc48e980fe7ad743d05fcac680ada9a4f7539faa8552df4bd844d14dda46d34fdc48d541de4ad743d04cd945d24edb47d440dd49d642df4bd844d14dda46d34fdc48d541de4ad743d0429955d24  svchost.exe
Key created       \REGISTRY\USER\.DEFAULT\Control Panel\Buses           svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process                               repeats
4064  91409398a37f95ac3501f372a7d9a6b8.exe  2
2508  Process not Found                     62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2508  Process not Found
Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
4064  91409398a37f95ac3501f372a7d9a6b8.exe
3084  3D69.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
description                       pid   Process
Token: SeShutdownPrivilege        3132  MusNotification.exe
Token: SeCreatePagefilePrivilege  3132  MusNotification.exe
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeDebugPrivilege           744   48E5.exe
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Token: SeRestorePrivilege         1084  WerFault.exe
Token: SeBackupPrivilege          1084  WerFault.exe
Token: SeShutdownPrivilege        2508  Process not Found
Token: SeCreatePagefilePrivilege  2508  Process not Found
Suspicious use of WriteProcessMemory (51 IoCs)
description                       pid   Process                               procid_target  repeats
PID 764 wrote to memory of 4064   764   91409398a37f95ac3501f372a7d9a6b8.exe  53             6
PID 2508 wrote to memory of 3084  2508  Process not Found                     62             3
PID 2508 wrote to memory of 3384  2508  Process not Found                     63             3
PID 2508 wrote to memory of 3024  2508  Process not Found                     64             3
PID 2508 wrote to memory of 744   2508  Process not Found                     65             3
PID 3024 wrote to memory of 3652  3024  472F.exe                              66             3
PID 3024 wrote to memory of 2152  3024  472F.exe                              68             3
PID 3024 wrote to memory of 1880  3024  472F.exe                              70             3
PID 3024 wrote to memory of 3252  3024  472F.exe                              72             3
PID 3024 wrote to memory of 2964  3024  472F.exe                              74             3
PID 744 wrote to memory of 1376   744   48E5.exe                              76             3
PID 3024 wrote to memory of 520   3024  472F.exe                              78             3
PID 1208 wrote to memory of 1324  1208  gnizejvc.exe                          83             5
PID 744 wrote to memory of 1376   744   48E5.exe                              76             5
PID 1356 wrote to memory of 3384  1356  WerFault.exe                          63             2
Processes

C:\Users\Admin\AppData\Local\Temp\91409398a37f95ac3501f372a7d9a6b8.exe (PID 764)
  command line: "C:\Users\Admin\AppData\Local\Temp\91409398a37f95ac3501f372a7d9a6b8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\91409398a37f95ac3501f372a7d9a6b8.exe (PID 4064)
      command line: "C:\Users\Admin\AppData\Local\Temp\91409398a37f95ac3501f372a7d9a6b8.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Windows\system32\MusNotification.exe (PID 3132)
  command line: C:\Windows\system32\MusNotification.exe
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\3D69.exe (PID 3084)
  command line: C:\Users\Admin\AppData\Local\Temp\3D69.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\4421.exe (PID 3384)
  command line: C:\Users\Admin\AppData\Local\Temp\4421.exe
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe (PID 1084)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 552
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\472F.exe (PID 3024)
  command line: C:\Users\Admin\AppData\Local\Temp\472F.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 3652)
      command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jmtvfxng\
    C:\Windows\SysWOW64\cmd.exe (PID 2152)
      command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gnizejvc.exe" C:\Windows\SysWOW64\jmtvfxng\
    C:\Windows\SysWOW64\sc.exe (PID 1880)
      command line: "C:\Windows\System32\sc.exe" create jmtvfxng binPath= "C:\Windows\SysWOW64\jmtvfxng\gnizejvc.exe /d\"C:\Users\Admin\AppData\Local\Temp\472F.exe\"" type= own start= auto DisplayName= "wifi support"
    C:\Windows\SysWOW64\sc.exe (PID 3252)
      command line: "C:\Windows\System32\sc.exe" description jmtvfxng "wifi internet conection"
    C:\Windows\SysWOW64\sc.exe (PID 2964)
      command line: "C:\Windows\System32\sc.exe" start jmtvfxng
    C:\Windows\SysWOW64\netsh.exe (PID 520)
      command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    C:\Windows\SysWOW64\WerFault.exe (PID 1392)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 664
      - Program crash

C:\Users\Admin\AppData\Local\Temp\48E5.exe (PID 744)
  command line: C:\Users\Admin\AppData\Local\Temp\48E5.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\48E5.exe (PID 1376)
      command line: C:\Users\Admin\AppData\Local\Temp\48E5.exe
      - Executes dropped EXE

C:\Windows\SysWOW64\jmtvfxng\gnizejvc.exe (PID 1208)
  command line: C:\Windows\SysWOW64\jmtvfxng\gnizejvc.exe /d"C:\Users\Admin\AppData\Local\Temp\472F.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (PID 1324)
      command line: svchost.exe
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
    C:\Windows\SysWOW64\WerFault.exe (PID 436)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 520
      - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3352)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3024 -ip 3024

C:\Windows\SysWOW64\WerFault.exe (PID 1540)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1208 -ip 1208

C:\Windows\SysWOW64\WerFault.exe (PID 1356)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3384 -ip 3384
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory