Analysis
- max time kernel: 151s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 07:04
Behavioral task: behavioral1
- Sample: 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
- Resource: win7-20220414-en
General
- Target: 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
- Size: 87KB
- MD5: 79c2c4246b1db86c53592afcf57a6ce4
- SHA1: f37eb98147abae0a8fa5d27d9f0d43b276ebda84
- SHA256: 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b
- SHA512: 6dafe326c3251aef997d39ca2c4dd2c4abfc05ff13b3a86e852d3267f1275167eebdda9c3a1779602a053ddaa3e8f044bbcadacf382547fec1d21d87b198809d
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://lendojekam.xyz/index.php
  http://lpequdeliren.fun/index.php
  http://lgrarcosbann.club/index.php
  http://flablenitev.site/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
- Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\egaafac | cryptone
  C:\Users\Admin\AppData\Roaming\egaafac | cryptone
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  3128 | egaafac
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2352 | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  3128 | egaafac
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | egaafac
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | egaafac
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | egaafac
- Modifies registry class (3 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (not recorded)
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | (not recorded)
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (not recorded)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  2352 | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  2352 | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  3032 | (process name not recorded; this pid accounts for all remaining IoCs in the list)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  3032 | (process name not recorded)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  2352 | 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  3128 | egaafac
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 3032 | (process name not recorded; 6 entries)
  Token: SeCreatePagefilePrivilege | 3032 | (process name not recorded; 6 entries)
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid | process
  3032 | (process name not recorded; 4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b.exe"
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Roaming\egaafac
  Command line: C:\Users\Admin\AppData\Roaming\egaafac
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\9A26.tmp
  Filesize: 1.6MB
  MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1: e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
- C:\Users\Admin\AppData\Roaming\egaafac
  Filesize: 87KB
  MD5: 79c2c4246b1db86c53592afcf57a6ce4
  SHA1: f37eb98147abae0a8fa5d27d9f0d43b276ebda84
  SHA256: 9af532248c2db561580f9a451a072a9863d03650924e83c1451bb3d4471ad97b
  SHA512: 6dafe326c3251aef997d39ca2c4dd2c4abfc05ff13b3a86e852d3267f1275167eebdda9c3a1779602a053ddaa3e8f044bbcadacf382547fec1d21d87b198809d
- memory/2352-130-0x0000000002160000-0x000000000216A000-memory.dmp
  Filesize: 40KB
- memory/2352-131-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/3032-133-0x00000000033D0000-0x00000000033E6000-memory.dmp
  Filesize: 88KB
- memory/3032-139-0x0000000003480000-0x0000000003496000-memory.dmp
  Filesize: 88KB
- memory/3128-138-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB