Overview

overview

10

Static

static

5cc21139c6...98.exe

windows7_x64

10

5cc21139c6...98.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    14-05-2022 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5cc21139c643e1d2299cf569e4d0ff98.exe

  • Size

    263KB

  • MD5

    5cc21139c643e1d2299cf569e4d0ff98

  • SHA1

    9254593f03a506444c3d3e29a74c4cf028ca625c

  • SHA256

    cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4

  • SHA512

    cb6ce4976ffd5d19734ce941875817adcd603347cd09d1d5bf1e4413ce122b0e100afbb98a541f22465748f5ec7ecd4ca13d6c2bb8aeff3cc655a9152de84799

Score
10/10
smokeloaderbackdoorpersistencespywaresuricatatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://motionberry999xerz.ru/

http://happyday9risce.com/

http://kokihap7siexz3.com/

https://motionberry999xerz.ru/

https://happyday9risce.com/

https://kokihap7siexz3.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5cc21139c643e1d2299cf569e4d0ff98.exe
    "C:\Users\Admin\AppData\Local\Temp\5cc21139c643e1d2299cf569e4d0ff98.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3840
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:4844
  • C:\Users\Admin\AppData\Local\Temp\D650.exe
    C:\Users\Admin\AppData\Local\Temp\D650.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 20
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4728
      • C:\Windows\SysWOW64\timeout.exe
        timeout 20
        3⤵
        • Delays execution with timeout.exe
        PID:800
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1536
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:4180
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 876
        2⤵
        • Program crash
        PID:4268
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:1676
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:2212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4180 -ip 4180
          1⤵
            PID:4372
          • C:\Windows\explorer.exe
            C:\Windows\explorer.exe
            1⤵
              PID:4848
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              1⤵
                PID:1988
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:5052
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:1944
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:5096

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Registry Run Keys / Startup Folder

                    1
                    T1060

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Credentials in Files

                    1
                    T1081

                    Discovery

                    Query Registry

                    4
                    T1012

                    System Information Discovery

                    5
                    T1082

                    Peripheral Device Discovery

                    1
                    T1120

                    Lateral Movement

                    Collection

                    Data from Local System

                    1
                    T1005

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\D650.exe
                      Filesize

                      1.2MB

                      MD5

                      c52e23f559f027c6af598ff0a4c3497d

                      SHA1

                      0e6de0682ae5d89a6530a6c6e03054f5aaeb0662

                      SHA256

                      409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021

                      SHA512

                      802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\D650.exe
                      Filesize

                      1.2MB

                      MD5

                      c52e23f559f027c6af598ff0a4c3497d

                      SHA1

                      0e6de0682ae5d89a6530a6c6e03054f5aaeb0662

                      SHA256

                      409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021

                      SHA512

                      802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428

                      Download Submit
                    • memory/800-147-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1536-156-0x0000000008640000-0x00000000086D2000-memory.dmp
                      Filesize

                      584KB

                      Download
                    • memory/1536-154-0x0000000007750000-0x00000000077B6000-memory.dmp
                      Filesize

                      408KB

                      Download
                    • memory/1536-159-0x0000000009A60000-0x0000000009AB0000-memory.dmp
                      Filesize

                      320KB

                      Download
                    • memory/1536-160-0x0000000009C80000-0x0000000009E42000-memory.dmp
                      Filesize

                      1.8MB

                      Download
                    • memory/1536-157-0x0000000008C90000-0x0000000009234000-memory.dmp
                      Filesize

                      5.6MB

                      Download
                    • memory/1536-161-0x000000000A380000-0x000000000A8AC000-memory.dmp
                      Filesize

                      5.2MB

                      Download
                    • memory/1536-155-0x0000000008520000-0x0000000008596000-memory.dmp
                      Filesize

                      472KB

                      Download
                    • memory/1536-158-0x0000000008800000-0x000000000881E000-memory.dmp
                      Filesize

                      120KB

                      Download
                    • memory/1536-153-0x0000000007420000-0x000000000745C000-memory.dmp
                      Filesize

                      240KB

                      Download
                    • memory/1536-152-0x00000000074F0000-0x00000000075FA000-memory.dmp
                      Filesize

                      1.0MB

                      Download
                    • memory/1536-151-0x00000000073C0000-0x00000000073D2000-memory.dmp
                      Filesize

                      72KB

                      Download
                    • memory/1536-150-0x0000000007940000-0x0000000007F58000-memory.dmp
                      Filesize

                      6.1MB

                      Download
                    • memory/1536-149-0x0000000000400000-0x0000000000418000-memory.dmp
                      Filesize

                      96KB

                      Download
                    • memory/1536-148-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1676-138-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1944-144-0x0000000000000000-mapping.dmp
                      Download
                    • memory/1988-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2212-140-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3052-133-0x0000000000BB0000-0x0000000000BC6000-memory.dmp
                      Filesize

                      88KB

                      Download
                    • memory/3204-134-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3204-139-0x0000000000BE0000-0x0000000000D24000-memory.dmp
                      Filesize

                      1.3MB

                      Download
                    • memory/3840-131-0x00000000006E0000-0x00000000006E9000-memory.dmp
                      Filesize

                      36KB

                      Download
                    • memory/3840-132-0x0000000000400000-0x0000000000483000-memory.dmp
                      Filesize

                      524KB

                      Download
                    • memory/3840-130-0x0000000000777000-0x0000000000787000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4180-137-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4728-146-0x0000000000000000-mapping.dmp
                      Download
                    • memory/4848-141-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5052-143-0x0000000000000000-mapping.dmp
                      Download
                    • memory/5096-145-0x0000000000000000-mapping.dmp
                      Download