Analysis
  max time kernel:  150s
  max time network: 139s
  platform:         windows10-2004_x64
  resource:         win10v2004-20220414-en
  submitted:        14-05-2022 14:48
Static task: static1
Behavioral task: behavioral1
  Sample:   5cc21139c643e1d2299cf569e4d0ff98.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample:   5cc21139c643e1d2299cf569e4d0ff98.exe
  Resource: win10v2004-20220414-en
General
  Target: 5cc21139c643e1d2299cf569e4d0ff98.exe
  Size:   263KB
  MD5:    5cc21139c643e1d2299cf569e4d0ff98
  SHA1:   9254593f03a506444c3d3e29a74c4cf028ca625c
  SHA256: cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4
  SHA512: cb6ce4976ffd5d19734ce941875817adcd603347cd09d1d5bf1e4413ce122b0e100afbb98a541f22465748f5ec7ecd4ca13d6c2bb8aeff3cc655a9152de84799
Malware Config
Extracted
  Family:  smokeloader
  Version: 2020
  C2:
    http://motionberry999xerz.ru/
    http://happyday9risce.com/
    http://kokihap7siexz3.com/
    https://motionberry999xerz.ru/
    https://happyday9risce.com/
    https://kokihap7siexz3.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2496  D287.exe
    936   cwwdbuc
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                                process
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  D287.exe
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                             process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lrjaaawiu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Cdyynpvt\\Lrjaaawiu.exe\""  D287.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process   target process
    PID 2496 set thread context of 3460  2496  D287.exe  InstallUtil.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1044  1360        WerFault.exe  explorer.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5cc21139c643e1d2299cf569e4d0ff98.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5cc21139c643e1d2299cf569e4d0ff98.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cwwdbuc
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cwwdbuc
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cwwdbuc
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  5cc21139c643e1d2299cf569e4d0ff98.exe
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid   process
    1832  timeout.exe
- Modifies registry class (2 IoCs)
  Processes:
    description  ioc
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3416  5cc21139c643e1d2299cf569e4d0ff98.exe
    3416  5cc21139c643e1d2299cf569e4d0ff98.exe
    2604  (repeated for all remaining entries; process name not recorded in the report)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2604  (process name not recorded in the report)
- Suspicious behavior: MapViewOfSection (18 IoCs)
  Processes:
    pid   process
    3416  5cc21139c643e1d2299cf569e4d0ff98.exe
    2604  (16 entries; process name not recorded in the report)
    936   cwwdbuc
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes:
    description                       pid   process
    Token: SeShutdownPrivilege        2604
    Token: SeCreatePagefilePrivilege  2604
    Token: SeShutdownPrivilege        2604
    Token: SeCreatePagefilePrivilege  2604
    Token: SeDebugPrivilege           2496  D287.exe
    Token: SeDebugPrivilege           3460  InstallUtil.exe
    Token: SeShutdownPrivilege        2604
    Token: SeCreatePagefilePrivilege  2604
    Token: SeShutdownPrivilege        2604
    Token: SeCreatePagefilePrivilege  2604
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    2604  (process name not recorded in the report)
    2604  (process name not recorded in the report)
- Suspicious use of WriteProcessMemory (46 IoCs)
  Processes (identical rows collapsed, count in the last column):
    description                        pid   process   target process   count
    PID 2604 wrote to memory of 2496   2604            D287.exe         3
    PID 2604 wrote to memory of 1360   2604            explorer.exe     4
    PID 2604 wrote to memory of 4024   2604            explorer.exe     3
    PID 2604 wrote to memory of 1508   2604            explorer.exe     4
    PID 2604 wrote to memory of 3220   2604            explorer.exe     3
    PID 2604 wrote to memory of 1808   2604            explorer.exe     4
    PID 2604 wrote to memory of 1992   2604            explorer.exe     4
    PID 2604 wrote to memory of 2040   2604            explorer.exe     3
    PID 2604 wrote to memory of 3044   2604            explorer.exe     4
    PID 2496 wrote to memory of 2592   2496  D287.exe  cmd.exe          3
    PID 2592 wrote to memory of 1832   2592  cmd.exe   timeout.exe      3
    PID 2496 wrote to memory of 3460   2496  D287.exe  InstallUtil.exe  8
Processes (indented by tree depth; "Command line" is the recorded command line)
C:\Users\Admin\AppData\Local\Temp\5cc21139c643e1d2299cf569e4d0ff98.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5cc21139c643e1d2299cf569e4d0ff98.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\D287.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D287.exe
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 20
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 20
      - Delays execution with timeout.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 876
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1360 -ip 1360
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\cwwdbuc
  Command line: C:\Users\Admin\AppData\Roaming\cwwdbuc
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\D287.exe
  Filesize: 1.2MB
  MD5:      c52e23f559f027c6af598ff0a4c3497d
  SHA1:     0e6de0682ae5d89a6530a6c6e03054f5aaeb0662
  SHA256:   409a345a063f2fc853b7b45c060970231d9fdc6b453444ae855b7fda4be50021
  SHA512:   802159c0fa6034dfc4278ee470aef46a52947006b007ae6a90391377d6c9b3774c999c30ab8d62a10869bf4d459736da4b70ce97d7771bf849effff7714e6428
- C:\Users\Admin\AppData\Roaming\cwwdbuc
  Filesize: 263KB
  MD5:      5cc21139c643e1d2299cf569e4d0ff98
  SHA1:     9254593f03a506444c3d3e29a74c4cf028ca625c
  SHA256:   cc0f6fa48f1bc9ffae208185fd4e568385a67c40a92a12c4a1bd00ad7adbb4b4
  SHA512:   cb6ce4976ffd5d19734ce941875817adcd603347cd09d1d5bf1e4413ce122b0e100afbb98a541f22465748f5ec7ecd4ca13d6c2bb8aeff3cc655a9152de84799
-
- memory/936-164-0x00000000004D7000-0x00000000004E7000-memory.dmp   Filesize: 64KB
- memory/936-165-0x0000000000400000-0x0000000000483000-memory.dmp   Filesize: 524KB
- memory/1360-137-0x0000000000000000-mapping.dmp
- memory/1508-140-0x0000000000000000-mapping.dmp
- memory/1808-142-0x0000000000000000-mapping.dmp
- memory/1832-147-0x0000000000000000-mapping.dmp
- memory/1992-143-0x0000000000000000-mapping.dmp
- memory/2040-144-0x0000000000000000-mapping.dmp
- memory/2496-138-0x00000000006A0000-0x00000000007E4000-memory.dmp  Filesize: 1.3MB
- memory/2496-134-0x0000000000000000-mapping.dmp
- memory/2592-146-0x0000000000000000-mapping.dmp
- memory/2604-166-0x00000000029C0000-0x00000000029D6000-memory.dmp  Filesize: 88KB
- memory/2604-133-0x0000000000590000-0x00000000005A6000-memory.dmp  Filesize: 88KB
- memory/3044-145-0x0000000000000000-mapping.dmp
- memory/3220-141-0x0000000000000000-mapping.dmp
- memory/3416-130-0x0000000000737000-0x0000000000747000-memory.dmp  Filesize: 64KB
- memory/3416-132-0x0000000000400000-0x0000000000483000-memory.dmp  Filesize: 524KB
- memory/3416-131-0x00000000006E0000-0x00000000006E9000-memory.dmp  Filesize: 36KB
- memory/3460-157-0x0000000008600000-0x000000000861E000-memory.dmp  Filesize: 120KB
- memory/3460-153-0x0000000007900000-0x000000000793C000-memory.dmp  Filesize: 240KB
- memory/3460-154-0x0000000008A70000-0x0000000009014000-memory.dmp  Filesize: 5.6MB
- memory/3460-155-0x0000000007D70000-0x0000000007E02000-memory.dmp  Filesize: 584KB
- memory/3460-156-0x0000000007E10000-0x0000000007E86000-memory.dmp  Filesize: 472KB
- memory/3460-152-0x00000000079D0000-0x0000000007ADA000-memory.dmp  Filesize: 1.0MB
- memory/3460-158-0x00000000086F0000-0x0000000008756000-memory.dmp  Filesize: 408KB
- memory/3460-159-0x0000000009370000-0x00000000093C0000-memory.dmp  Filesize: 320KB
- memory/3460-160-0x000000000A170000-0x000000000A332000-memory.dmp  Filesize: 1.8MB
- memory/3460-161-0x000000000A870000-0x000000000AD9C000-memory.dmp  Filesize: 5.2MB
- memory/3460-151-0x00000000078A0000-0x00000000078B2000-memory.dmp  Filesize: 72KB
- memory/3460-150-0x0000000007EA0000-0x00000000084B8000-memory.dmp  Filesize: 6.1MB
- memory/3460-149-0x0000000000400000-0x0000000000418000-memory.dmp  Filesize: 96KB
- memory/3460-148-0x0000000000000000-mapping.dmp
- memory/4024-139-0x0000000000000000-mapping.dmp