Analysis
-
max time kernel
154s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
26-01-2022 05:03
General
-
Target
b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe
-
Size
333KB
-
MD5
b35fd6523045221e87128a6c132a75a8
-
SHA1
993c1672f4ee6cecdb240473cf802e481b9d033d
-
SHA256
b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e
-
SHA512
24cc1df4ef99c86d36f148613ff9859c434f0678323ec73ee27c75fb2018546993c4608bc478a90b734dd65389dcbcacc41e8e80e0a49291d073e7381e235916
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://abpa.at/upload/
http://emaratghajari.com/upload/
http://d7qw.cn/upload/
http://alumik-group.ru/upload/
http://zamkikurgan.ru/upload/
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Sets service image path in registry 2 TTPs
-
Drops file in Windows directory 1 IoCs
-
Program crash 5 IoCs
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 15 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2800 -s 10042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe"C:\Users\Admin\AppData\Local\Temp\b83c559b04351fdebcbc5c9c5ff033cd783815bb6bd6ff4e4ffa9f953c49ee5e.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 22a505ca8b43bbbdcd03f331255694a4 1OLgPN8KXEeFI7dsC0Hckw.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\672E.exeC:\Users\Admin\AppData\Local\Temp\672E.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Roaming\thfttfcC:\Users\Admin\AppData\Roaming\thfttfc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1856 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 8802⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3668 -ip 36681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 412 -p 2800 -ip 28001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3996 -s 8362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 3996 -ip 39961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1148 -s 8122⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 1148 -ip 11481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2664 -s 8082⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 404 -p 2664 -ip 26641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\672E.exeMD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
C:\Users\Admin\AppData\Local\Temp\672E.exeMD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
C:\Users\Admin\AppData\Roaming\thfttfcMD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
C:\Users\Admin\AppData\Roaming\thfttfcMD5
005e445db353075922c066d7a792f78f
SHA179aa6671076b491c0b016275161e6145b7a7a7c1
SHA256e073d3debf3ced92c55317b98b6a4d31c8757af4edbddf97c405f555d6d264c0
SHA512d355882916d84b8b848394851bd48f9ed74d6c715f09efe0e25b1e392e1bc148d683dc3ef5bb2aa80654bba7f7361c1d9d541b777c81b3f5e02dce3cd251d29a
-
memory/532-138-0x0000000000500000-0x000000000052B000-memory.dmpFilesize
172KB
-
memory/532-139-0x00000000004F0000-0x00000000004F9000-memory.dmpFilesize
36KB
-
memory/532-140-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/576-276-0x000001EC69110000-0x000001EC69111000-memory.dmpFilesize
4KB
-
memory/576-275-0x000001EC69110000-0x000001EC69111000-memory.dmpFilesize
4KB
-
memory/808-265-0x00000000045E0000-0x00000000045EB000-memory.dmpFilesize
44KB
-
memory/808-264-0x00000000045F0000-0x00000000045F1000-memory.dmpFilesize
4KB
-
memory/1368-253-0x00000000012D0000-0x00000000012DC000-memory.dmpFilesize
48KB
-
memory/1744-267-0x0000000000570000-0x000000000057D000-memory.dmpFilesize
52KB
-
memory/1744-266-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/2236-130-0x0000000000720000-0x000000000074B000-memory.dmpFilesize
172KB
-
memory/2236-131-0x0000000000710000-0x0000000000719000-memory.dmpFilesize
36KB
-
memory/2236-132-0x0000000000400000-0x000000000047D000-memory.dmpFilesize
500KB
-
memory/2296-268-0x000001F3AC7D0000-0x000001F3AC7D1000-memory.dmpFilesize
4KB
-
memory/2320-269-0x0000023857160000-0x0000023857161000-memory.dmpFilesize
4KB
-
memory/2368-270-0x000001B0D63D0000-0x000001B0D63D1000-memory.dmpFilesize
4KB
-
memory/2520-141-0x0000000003220000-0x0000000003236000-memory.dmpFilesize
88KB
-
memory/2520-133-0x00000000013B0000-0x00000000013C6000-memory.dmpFilesize
88KB
-
memory/2552-218-0x0000000000830000-0x000000000085B000-memory.dmpFilesize
172KB
-
memory/2552-241-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/2612-271-0x0000019E3DA00000-0x0000019E3DA01000-memory.dmpFilesize
4KB
-
memory/2908-272-0x000002AD98970000-0x000002AD98971000-memory.dmpFilesize
4KB
-
memory/2972-273-0x000002699BAE0000-0x000002699BAE1000-memory.dmpFilesize
4KB
-
memory/3088-259-0x00000000030F0000-0x00000000030F9000-memory.dmpFilesize
36KB
-
memory/3088-258-0x0000000003100000-0x0000000003105000-memory.dmpFilesize
20KB
-
memory/3208-262-0x0000000003100000-0x0000000003106000-memory.dmpFilesize
24KB
-
memory/3208-263-0x00000000030F0000-0x00000000030FB000-memory.dmpFilesize
44KB
-
memory/3236-274-0x0000021BD08F0000-0x0000021BD08F1000-memory.dmpFilesize
4KB
-
memory/3272-261-0x00000000003D0000-0x00000000003DC000-memory.dmpFilesize
48KB
-
memory/3272-260-0x00000000003E0000-0x00000000003E6000-memory.dmpFilesize
24KB
-
memory/3400-257-0x0000000000190000-0x000000000019E000-memory.dmpFilesize
56KB
-
memory/3400-256-0x00000000001A0000-0x00000000001A9000-memory.dmpFilesize
36KB
-
memory/3668-252-0x0000000000600000-0x000000000066B000-memory.dmpFilesize
428KB
-
memory/3668-251-0x0000000000670000-0x00000000006E5000-memory.dmpFilesize
468KB
-
memory/3832-255-0x0000000002FF0000-0x0000000002FFB000-memory.dmpFilesize
44KB
-
memory/3832-254-0x0000000003200000-0x0000000003207000-memory.dmpFilesize
28KB