Analysis
-
max time kernel
154s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
26-01-2022 05:03
General
-
Target
b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe
-
Size
333KB
-
MD5
b35fd6523045221e87128a6c132a75a8
-
SHA1
993c1672f4ee6cecdb240473cf802e481b9d033d
-
SHA256
b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e
-
SHA512
24cc1df4ef99c86d36f148613ff9859c434f0678323ec73ee27c75fb2018546993c4608bc478a90b734dd65389dcbcacc41e8e80e0a49291d073e7381e235916
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Sets service image path in registry 2 TTPs
-
Drops file in Windows directory 1 IoCs
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2800 -s 10042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe"C:\Users\Admin\AppData\Local\Temp\b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 22a505ca8b43bbbdcd03f331255694a4 1OLgPN8KXEeFI7dsC0Hckw.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\672E.exeC:\Users\Admin\AppData\Local\Temp\672E.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Roaming\thfttfcC:\Users\Admin\AppData\Roaming\thfttfc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 8802⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 36681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 2800 -ip 28001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3996 -s 8362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 3996 -ip 39961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1148 -s 8122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 1148 -ip 11481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2664 -s 8082⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 2664 -ip 26641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
MD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
MD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
MD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
Filesize
172KB
-
Filesize
36KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
172KB
-
Filesize
36KB
-
Filesize
500KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
172KB
-
Filesize
504KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
56KB
-
Filesize
36KB
-
Filesize
428KB
-
Filesize
468KB
-
Filesize
44KB
-
Filesize
28KB