Analysis
Max time kernel: 154s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220112
Submitted: 26-01-2022 20:42

Static task: static1
Behavioral task: behavioral1
Sample: c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
Resource: win10v2004-en-20220112

General
Target: c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
Size: 333KB
MD5: 5442c936447943b763574d001e77a70b
SHA1: b0dd0c3c0642bc5c175b4ef593b14ef36a6818bb
SHA256: c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d
SHA512: decf02649002a0e7f468a15ee074cd6bb4eed3af47167fe619cd42bd042f1c9707c9b6536ebdff12e14ac5851be2b48fc72e5a70d62c3033573d1523c1c3e83e
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2 URLs:
http://kotabuki.com/
http://slusextense.com/
http://purekidboo.com/
http://wildzipcode.biz/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
description              pid   process       target process
PID 2184 created 2128    2184  WerFault.exe  explorer.exe
Sets service image path in registry 2 TTPs
-
Drops file in Windows directory (1 IoC)
Processes:
description   ioc                                             process
File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp   WerFault.exe
Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
2364  2128        WerFault.exe  explorer.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device instance names under Enum\SCSI carry the disk and controller model strings, which in a virtual machine usually name the hypervisor vendor.
Processes:
description     ioc                                               process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments: the ProcessorNameString and ~MHz values reveal the CPU model and clock speed, which can expose a hypervisor or an undersized analysis VM. Note that in this run the reads come from WerFault.exe, which collects the same values for its crash report, not from the sample itself.
Processes:
description        ioc                                                                              process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WerFault.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
description        ioc                                                          process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS           WerFault.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe
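The three registry signatures above (SCSI enumeration, CentralProcessor values, BIOS SystemSKU) are the standard VM-fingerprinting reads, but the report also shows that a legitimate Windows component, WerFault.exe, reads two of the three while building a crash report. A detection over registry-access events therefore has to key on which process performs the read, not just on the key path. The following is an added example written for this page, not Triage's own code: it parses constructed event lines modelled on the IoC rows above (the "process pid operation key" layout is an assumed export format, and the PIDs on the WerFault.exe and WaaSMedicAgent.exe rows are assumptions), normalises ControlSet00N to CurrentControlSet, classifies each key against the fingerprint prefixes seen in this report, and separates reads by expected readers from reads by everything else.

```python
"""Triage sandbox-fingerprinting registry reads by process.

Added example for this report, not Triage's own code. SAMPLE_EVENTS is
constructed to mirror the IoC rows in the report; the "process pid
operation key" line layout is an assumption, not a Triage export format.
"""
import re
from collections import defaultdict

# Registry locations malware reads to fingerprint a VM or sandbox. These three
# prefixes are the ones that appear in this report's IoC rows.
FINGERPRINT_KEYS = {
    r"\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\SCSI": "scsi-enum",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0": "cpu-info",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "bios-info",
}

# Components that read the same keys for a legitimate reason. Windows Error
# Reporting (WerFault.exe) records CPU and BIOS details in its crash report,
# so its reads are expected noise rather than evasion.
EXPECTED_READERS = {"werfault.exe"}

EVENT_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+"
    r"(?P<op>Key (?:opened|queried|enumerated|created|value queried))\s+"
    r"(?P<key>\\REGISTRY\\\S+)$"
)

# Constructed log lines modelled on the report's IoC tables. The PIDs on the
# WerFault.exe and WaaSMedicAgent.exe rows are assumed; the report does not
# list them for these events.
SAMPLE_EVENTS = r"""
c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe 3488 Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe 3488 Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe 3488 Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
WerFault.exe 2364 Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
WerFault.exe 2364 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
WerFault.exe 2364 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
WerFault.exe 2364 Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS
WerFault.exe 2364 Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
WaaSMedicAgent.exe 1234 Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
"""


def normalise_key(key):
    """Upper-case the path and fold ControlSet00N into CurrentControlSet."""
    key = key.upper()
    return re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", key)


def classify_key(key):
    """Return the fingerprint category for a key, or None if it is not one."""
    norm = normalise_key(key)
    for prefix, tag in FINGERPRINT_KEYS.items():
        if norm == prefix or norm.startswith(prefix + "\\"):
            return tag
    return None


def parse_event(line):
    """Parse one event line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"proc": m["proc"], "pid": int(m["pid"]), "op": m["op"], "key": m["key"]}


def find_fingerprinting(lines):
    """Split fingerprint-key reads into (suspect, expected) per (process, pid).

    Each value maps a category tag to the number of matching events.
    """
    suspect = defaultdict(lambda: defaultdict(int))
    expected = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tag = classify_key(ev["key"])
        if tag is None:
            continue
        bucket = expected if ev["proc"].lower() in EXPECTED_READERS else suspect
        bucket[(ev["proc"], ev["pid"])][tag] += 1
    plain = lambda d: {k: dict(v) for k, v in d.items()}
    return plain(suspect), plain(expected)


if __name__ == "__main__":
    suspect, expected = find_fingerprinting(SAMPLE_EVENTS.strip().splitlines())
    for (proc, pid), tags in suspect.items():
        print(f"SUSPECT  {proc} (pid {pid}): {tags}")
    for (proc, pid), tags in expected.items():
        print(f"expected {proc} (pid {pid}): {tags}")
```

Run against the constructed events, the sample (pid 3488) is the only suspect reader, with three SCSI enumeration events, while WerFault.exe's CPU and BIOS reads land in the expected bucket and the WaaSMedicAgent.exe certificate-store write is parsed but not classified. The allow-list is deliberately short; in production it should be matched on the verified image path, since a sample can name itself WerFault.exe.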
Modifies data under HKEY_USERS (41 IoCs)
Processes: WaaSMedicAgent.exe (all entries below are "Key created")
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process                                                                count
3488  c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe  2
2308  (process name not recorded in report)                                 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   process
2308  (process name not recorded in report)
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
pid   process                                                                count
3488  c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe  1
2308  (process name not recorded in report)                                 4
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes:
description                       pid   process
Token: SeRestorePrivilege         2364  WerFault.exe
Token: SeBackupPrivilege          2364  WerFault.exe
Token: SeBackupPrivilege          2364  WerFault.exe
Token: SeShutdownPrivilege        2308  (process name not recorded in report)
Token: SeCreatePagefilePrivilege  2308  (process name not recorded in report)
Token: SeShutdownPrivilege        2308  (process name not recorded in report)
Token: SeCreatePagefilePrivilege  2308  (process name not recorded in report)
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        pid   process                                 target process
PID 2308 wrote to memory of 2128   2308  (process name not recorded in report)   explorer.exe
PID 2308 wrote to memory of 2128   2308  (process name not recorded in report)   explorer.exe
PID 2308 wrote to memory of 2128   2308  (process name not recorded in report)   explorer.exe
PID 2308 wrote to memory of 2128   2308  (process name not recorded in report)   explorer.exe
PID 2308 wrote to memory of 2176   2308  (process name not recorded in report)   (not recorded)
PID 2308 wrote to memory of 2176   2308  (process name not recorded in report)   (not recorded)
PID 2308 wrote to memory of 2176   2308  (process name not recorded in report)   (not recorded)
PID 2184 wrote to memory of 2128   2184  WerFault.exe                            explorer.exe
PID 2184 wrote to memory of 2128   2184  WerFault.exe                            explorer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe 9ad774db45cc7e04bd9dd4004e39e18e IAiw3QMFREyAlT8sP+zOFQ.0.1.0.0.0
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 804
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2128 -ip 2128
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (name, address range, size):
memory/2128-134-0x00000000034C0000-0x0000000003534000-memory.dmp  464KB
memory/2128-135-0x0000000003450000-0x00000000034BB000-memory.dmp  428KB
memory/2176-136-0x0000000000100000-0x000000000010C000-memory.dmp  48KB
memory/2308-133-0x0000000000CB0000-0x0000000000CC6000-memory.dmp  88KB
memory/3488-130-0x00000000005B0000-0x00000000005DB000-memory.dmp  172KB
memory/3488-131-0x0000000000540000-0x0000000000549000-memory.dmp  36KB
memory/3488-132-0x0000000000400000-0x000000000047E000-memory.dmp  504KB