Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 17:35

Static task: static1
Behavioral task: behavioral1
Sample: 3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
Resource: win10-en-20211208
General
- Target: 3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
- Size: 317KB
- MD5: cf8ea443ae6c0a8367f3836a79ed9182
- SHA1: 455aa80e99b3546942fb7460404ac5205d08c282
- SHA256: 3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331
- SHA512: 98e601de70a6a93b28eec138023d6153311785eb2950ac1ef7402baea2c1cc47f1a07779aaf32a8d09708e2cbd71bf515aaf095994b50e7fde9ed310329ccde7
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2 URLs:
  http://abpa.at/upload/
  http://emaratghajari.com/upload/
  http://d7qw.cn/upload/
  http://alumik-group.ru/upload/
  http://zamkikurgan.ru/upload/
  https://oakland-studio.video/search.php
  https://seattle-university.video/search.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1708  5B27.exe
- Modifies Windows Firewall (1 TTP)
- Deletes itself (1 IoC)
  Processes:
    pid 2164  (process column empty in the report)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5B27.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5B27.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5B27.exe
- Enumerates processes with tasklist (1 TTP, 1 IoC)
- Gathers network information (2 TTPs, 4 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
    pid 404   NETSTAT.EXE
    pid 1028  NETSTAT.EXE
    pid 1268  ipconfig.exe
    pid 3804  ipconfig.exe
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 3992  3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe (2 entries)
    pid 2164  (all remaining entries; process column empty in the report)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 2164
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid 3992  3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe
    pid 1708  5B27.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    pid 1544  WMIC.exe
      Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
      (this 21-token sequence is recorded twice)
    pid 2044  WMIC.exe
      Token: the same 21-token sequence as above, followed by SeIncreaseQuotaPrivilege (the list ends there at 64 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description: "PID <pid> wrote to memory of <target pid>"; each row lists how many times the report records it):
    pid   process   target pid  target process  records
    2164  (empty)   1708        5B27.exe        3
    2164  (empty)   1816        cmd.exe         2
    1816  cmd.exe   1544        WMIC.exe        2
    1816  cmd.exe   2044        WMIC.exe        2
    1816  cmd.exe   2660        WMIC.exe        2
    1816  cmd.exe   872         WMIC.exe        2
    1816  cmd.exe   2300        WMIC.exe        2
    1816  cmd.exe   3924        WMIC.exe        2
    1816  cmd.exe   2144        WMIC.exe        2
    1816  cmd.exe   4052        WMIC.exe        2
    1816  cmd.exe   2416        WMIC.exe        2
    1816  cmd.exe   3228        WMIC.exe        2
    1816  cmd.exe   3196        WMIC.exe        2
    1816  cmd.exe   4020        WMIC.exe        2
    1816  cmd.exe   2208        WMIC.exe        2
    1816  cmd.exe   3092        WMIC.exe        2
    1816  cmd.exe   3804        ipconfig.exe    2
    1816  cmd.exe   2160        ROUTE.EXE       2
    1816  cmd.exe   2424        netsh.exe       2
    1816  cmd.exe   1388        systeminfo.exe  2
    1816  cmd.exe   1280        tasklist.exe    2
    1816  cmd.exe   1640        net.exe         2
    1640  net.exe   3268        net1.exe        2
    1816  cmd.exe   1292        net.exe         2
    1292  net.exe   516         net1.exe        2
    1816  cmd.exe   3616        net.exe         2
    3616  net.exe   328         net1.exe        2
    1816  cmd.exe   64          net.exe         2
    64    net.exe   1868        net1.exe        2
    1816  cmd.exe   2272        net.exe         2
    1816  cmd.exe   1340        net.exe         2
    1340  net.exe   616         net1.exe        1
Processes
(indented entries are child processes; the line under each path is its command line, followed by the signatures matched on that process)

C:\Users\Admin\AppData\Local\Temp\3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe  [PID 3992]
  "C:\Users\Admin\AppData\Local\Temp\3dcf108338c4887a1724411bcce869d4ef03a393481c51581782d6eb312d2331.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\5B27.exe  [PID 1708]
  C:\Users\Admin\AppData\Local\Temp\5B27.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe  [PID 1816]
  cmd
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe  [PID 1544]
      wmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2044]
      wmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2660]
      wmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 872]
      wmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2300]
      wmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 3924]
      wmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2144]
      wmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 4052]
      wmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2416]
      wmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 3228]
      wmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 3196]
      wmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 4020]
      wmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 2208]
      wmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv
    C:\Windows\System32\Wbem\WMIC.exe  [PID 3092]
      wmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv
    C:\Windows\system32\ipconfig.exe  [PID 3804]
      ipconfig /displaydns
      - Gathers network information
    C:\Windows\system32\ROUTE.EXE  [PID 2160]
      route print
    C:\Windows\system32\netsh.exe  [PID 2424]
      netsh firewall show state
    C:\Windows\system32\systeminfo.exe  [PID 1388]
      systeminfo
      - Gathers system information
    C:\Windows\system32\tasklist.exe  [PID 1280]
      tasklist /v
      - Enumerates processes with tasklist
    C:\Windows\system32\net.exe  [PID 1640]
      net accounts /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe  [PID 3268]
          C:\Windows\system32\net1 accounts /domain
    C:\Windows\system32\net.exe  [PID 1292]
      net share
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe  [PID 516]
          C:\Windows\system32\net1 share
    C:\Windows\system32\net.exe  [PID 3616]
      net user
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe  [PID 328]
          C:\Windows\system32\net1 user
    C:\Windows\system32\net.exe  [PID 64]
      net user /domain
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe  [PID 1868]
          C:\Windows\system32\net1 user /domain
    C:\Windows\system32\net.exe  [PID 2272]
      net use
    C:\Windows\system32\net.exe  [PID 1340]
      net group
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\net1.exe  [PID 616]
          C:\Windows\system32\net1 group
    C:\Windows\system32\net.exe  [PID 2032]
      net localgroup
        C:\Windows\system32\net1.exe  [PID 60]
          C:\Windows\system32\net1 localgroup
    C:\Windows\system32\NETSTAT.EXE  [PID 404]
      netstat -r
      - Gathers network information
        C:\Windows\system32\cmd.exe  [PID 1828]
          C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
            C:\Windows\system32\ROUTE.EXE  [PID 1132]
              C:\Windows\system32\route.exe print
    C:\Windows\system32\NETSTAT.EXE  [PID 1028]
      netstat -nao
      - Gathers network information
    C:\Windows\system32\schtasks.exe  [PID 836]
      schtasks /query
    C:\Windows\system32\ipconfig.exe  [PID 1268]
      ipconfig /all
      - Gathers network information

C:\Windows\system32\msiexec.exe  [PID 2728]
  C:\Windows\system32\msiexec.exe /V
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\5B27.exe
  MD5: a3c870847b4131ad8320eba44d0b3013
  SHA1: 4be979a1d12e4d7deaff5165ce14e6d8449d0302
  SHA256: 454db6cd57478f184108ce2d5a9a9f8032ff784be1b79fddfecc57e9bd6b3855
  SHA512: e7495fb42f109d402ef46eee2ed6edb1b2a4b8549a8883e5b884c3cc0c0d0b8a38888d4cc4d72583eaa79de78d4517ae8a56dee90403e5af94978f46f165d86f
- memory/1708-121-0x0000000000030000-0x0000000000038000-memory.dmp  Filesize: 32KB
- memory/1708-122-0x0000000000460000-0x0000000000469000-memory.dmp  Filesize: 36KB
- memory/1708-123-0x0000000000400000-0x0000000000456000-memory.dmp  Filesize: 344KB
- memory/2164-118-0x0000000000980000-0x0000000000996000-memory.dmp  Filesize: 88KB
- memory/2164-124-0x0000000002B20000-0x0000000002B36000-memory.dmp  Filesize: 88KB
- memory/2164-127-0x00000000043C0000-0x00000000043CF000-memory.dmp  Filesize: 60KB
- memory/3992-116-0x0000000000570000-0x0000000000579000-memory.dmp  Filesize: 36KB
- memory/3992-115-0x0000000000030000-0x0000000000038000-memory.dmp  Filesize: 32KB
- memory/3992-117-0x0000000000400000-0x0000000000456000-memory.dmp  Filesize: 344KB