Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
27-01-2022 10:00
General
-
Target
89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe
-
Size
187KB
-
MD5
d8f237129cb99cd73238d67b150f893f
-
SHA1
3dc170727eec382c42d0651f4af2362879a82de7
-
SHA256
89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9
-
SHA512
76cae32216d433e3c0102aa62bec83a8d176c260ec02e059152b69e08a90b927617259ad28e997a12a982025d669b9be4983cacff8025ec2223ca311eef0c509
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
https://oakland-studio.video/search.php
https://seattle-university.video/search.php
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 7 IoCs
-
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows dir Microsoft Windows DOS prompt command exit OUTBOUND
-
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
suricata: ET MALWARE Windows route Microsoft Windows DOS prompt command exit OUTBOUND
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Drops file in Windows directory 2 IoCs
-
Program crash 7 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 14 IoCs
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Modifies Internet Explorer settings 1 TTPs 38 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 63 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2768 -s 10002⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Users\Admin\AppData\Local\Temp\89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe"C:\Users\Admin\AppData\Local\Temp\89381e65ee999ab00da2d330f1832edac6542a5d4bb75f40fc2a6ece6c9a84c9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 5c022a1c2ac19736fe47f6e6e3984ab7 xorpv0a6MUWbGFSXMdI1yQ.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_ComputerSystem Get Caption,Manufacturer,PrimaryOwnerName,UserName,Workgroup /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_PnPEntity Where ClassGuid="{50dd5230-ba8a-11d1-bf5d-0000f805f530}" Get Name,DeviceID,PNPDeviceID,Manufacturer,Description /format:csv2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /displaydns2⤵
- Gathers network information
-
C:\Windows\system32\ROUTE.EXEroute print2⤵
-
C:\Windows\system32\netsh.exenetsh firewall show state2⤵
-
C:\Windows\system32\systeminfo.exesysteminfo2⤵
- Gathers system information
-
C:\Windows\system32\tasklist.exetasklist /v2⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\net.exenet accounts /domain2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 accounts /domain3⤵
-
C:\Windows\system32\net.exenet share2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 share3⤵
-
C:\Windows\system32\net.exenet user2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user3⤵
-
C:\Windows\system32\net.exenet user /domain2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /domain3⤵
-
C:\Windows\system32\net.exenet use2⤵
-
C:\Windows\system32\net.exenet group2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 group3⤵
-
C:\Windows\system32\net.exenet localgroup2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup3⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -r2⤵
- Gathers network information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print3⤵
-
C:\Windows\system32\ROUTE.EXEC:\Windows\system32\route.exe print4⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -nao2⤵
- Gathers network information
-
C:\Windows\system32\schtasks.exeschtasks /query2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /all2⤵
- Gathers network information
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding1⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3312 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 8762⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3360 -ip 33601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 2768 -ip 27681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3252 -s 5882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 3252 -ip 32521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1352 -s 8482⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 1352 -ip 13521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 700 -s 8162⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 536 -p 700 -ip 7001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 544 -s 6362⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 540 -p 544 -ip 5441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3960 -s 8402⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 3960 -ip 39601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chkMD5
4c270d024453cd40e1ac151e91d0ad5e
SHA1ab23ec87f9863d80617aa8a2f27638050315e4b3
SHA256e8b31dfadf74c81ed41f74e9bf3a4ac0b8399dd7ecabcb6340678916a0f0599b
SHA5126ba305fe8a02b7a09fe718289039219717b7573fc2706eca45f9f2cec33fd031d0ebddb9fa0f484911d01ebb5198ed68239a660d37d4e0f8f900ef6fb42a6e09
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.datMD5
0cc9eb8ccbf7715bad26c80b64761af4
SHA1537e2ef92704582f0aadb637a6889286b05c4250
SHA2567ec4efb1990ded09d7fc776b48a345081a59550c9184acd8f89b97bf159bd6b2
SHA512e872432c12ee249a6145dcc7bea5a3ba324bdb398dba6d7de510c620949cf864ed0c1b669a58632c74abf53e7edeee11a7e2967b53ece67befb6d332febfe74c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfmMD5
bf896def9f030ba892030ef1153c05df
SHA142eb21ad6484871b52cdd372296be9ad4e386cb0
SHA256728fdbbf7720ee5c09d916f7f8f241c1c91cb5a0e4c610c61801e3bb58e32e0b
SHA512d9c761afe34e36a8f994c4dd55938e14debb12542fa75703cc8afecf70bac302ffb37336ac7fcd6e8a1469b38bf3b783f8f3a9511b461a57fe0645ce9cd238e9
-
\??\PIPE\lsarpcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/972-140-0x0000000000CC0000-0x0000000000CCC000-memory.dmpFilesize
48KB
-
memory/1248-143-0x00000000008E0000-0x00000000008E9000-memory.dmpFilesize
36KB
-
memory/1248-144-0x00000000008D0000-0x00000000008DE000-memory.dmpFilesize
56KB
-
memory/1920-150-0x0000000003120000-0x000000000312B000-memory.dmpFilesize
44KB
-
memory/1920-149-0x0000000003130000-0x0000000003136000-memory.dmpFilesize
24KB
-
memory/2268-155-0x000002312BB80000-0x000002312BB81000-memory.dmpFilesize
4KB
-
memory/2288-156-0x0000025822EB0000-0x0000025822EB1000-memory.dmpFilesize
4KB
-
memory/2324-157-0x000001D519F80000-0x000001D519F81000-memory.dmpFilesize
4KB
-
memory/2476-134-0x0000000002DE0000-0x0000000002DEF000-memory.dmpFilesize
60KB
-
memory/2476-133-0x0000000000F30000-0x0000000000F46000-memory.dmpFilesize
88KB
-
memory/2572-158-0x0000022E61CE0000-0x0000022E61CE1000-memory.dmpFilesize
4KB
-
memory/2820-161-0x000001F2EBDD0000-0x000001F2EBDD1000-memory.dmpFilesize
4KB
-
memory/2864-159-0x000002482A750000-0x000002482A751000-memory.dmpFilesize
4KB
-
memory/2952-160-0x0000022319860000-0x0000022319861000-memory.dmpFilesize
4KB
-
memory/3216-451-0x000002ABC41B0000-0x000002ABC47B1000-memory.dmpFilesize
6.0MB
-
memory/3216-459-0x000002ABC2410000-0x000002ABC3E62000-memory.dmpFilesize
26.3MB
-
memory/3252-166-0x000001C7A1C90000-0x000001C7A1C98000-memory.dmpFilesize
32KB
-
memory/3252-163-0x000001C7A0190000-0x000001C7A01A0000-memory.dmpFilesize
64KB
-
memory/3252-167-0x000001C7A1C80000-0x000001C7A1C81000-memory.dmpFilesize
4KB
-
memory/3252-165-0x000001C7A19A0000-0x000001C7A19A8000-memory.dmpFilesize
32KB
-
memory/3252-164-0x000001C7A01F0000-0x000001C7A0200000-memory.dmpFilesize
64KB
-
memory/3328-147-0x0000000000700000-0x0000000000706000-memory.dmpFilesize
24KB
-
memory/3328-148-0x00000000006F0000-0x00000000006FC000-memory.dmpFilesize
48KB
-
memory/3332-142-0x0000000003120000-0x000000000312B000-memory.dmpFilesize
44KB
-
memory/3332-141-0x0000000003130000-0x0000000003137000-memory.dmpFilesize
28KB
-
memory/3360-139-0x0000000003120000-0x000000000318B000-memory.dmpFilesize
428KB
-
memory/3360-138-0x0000000003400000-0x0000000003475000-memory.dmpFilesize
468KB
-
memory/3372-152-0x0000000004600000-0x000000000460B000-memory.dmpFilesize
44KB
-
memory/3372-151-0x0000000004610000-0x0000000004611000-memory.dmpFilesize
4KB
-
memory/3380-162-0x00000255154D0000-0x00000255154D1000-memory.dmpFilesize
4KB
-
memory/3380-169-0x00000255154D0000-0x00000255154D1000-memory.dmpFilesize
4KB
-
memory/3540-146-0x0000000000140000-0x0000000000149000-memory.dmpFilesize
36KB
-
memory/3540-145-0x0000000000150000-0x0000000000155000-memory.dmpFilesize
20KB
-
memory/3600-130-0x0000000000650000-0x0000000000678000-memory.dmpFilesize
160KB
-
memory/3600-132-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/3600-131-0x00000000005D0000-0x00000000005D9000-memory.dmpFilesize
36KB
-
memory/3668-154-0x00000000004D0000-0x00000000004DD000-memory.dmpFilesize
52KB
-
memory/3668-153-0x00000000004E0000-0x00000000004E7000-memory.dmpFilesize
28KB