Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 16:37
General
-
Target
3449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30.exe
-
Size
304KB
-
MD5
78ab6d406247d0b80c6dfad070772768
-
SHA1
21a72ad164710c0a3bb55031f1c3dd8d5f4e4ad7
-
SHA256
3449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30
-
SHA512
4ca27a427f2667d6d6ab8b813a651600633b2575e144557b35bf259c9944c45a98d9236d59c5d6f5d00288b8c024949c1a17b6d2cf6ac98ecff19e7121b71ac3
Malware Config
Extracted
smokeloader
2020
http://bahninfo.at/upload/
http://img4mobi.com/upload/
http://equix.ru/upload/
http://worldalltv.com/upload/
http://negarehgallery.com/upload/
http://lite-server.ru/upload/
http://piratia/su/upload/
http://go-piratia.ru/upload/
http://monsutiur4.com/
http://nusurionuy5ff.at/
http://moroitomo4.net/
http://susuerulianita1.net/
http://cucumbetuturel4.com/
http://nunuslushau.com/
http://linislominyt11.at/
http://luxulixionus.net/
http://lilisjjoer44.com/
http://nikogminut88.at/
http://limo00ruling.org/
http://mini55tunul.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30.exe"C:\Users\Admin\AppData\Local\Temp\3449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A930.exeC:\Users\Admin\AppData\Local\Temp\A930.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1970.exeC:\Users\Admin\AppData\Local\Temp\1970.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\gtbdbdaC:\Users\Admin\AppData\Roaming\gtbdbda1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\evbdbdaC:\Users\Admin\AppData\Roaming\evbdbda1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 3402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1508 -ip 15081⤵
-
C:\Windows\system32\cmd.execmd1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /format:csv2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\SecurityCenter2 Path AntiSpywareProduct Get displayName /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Processor Get Name,DeviceID,NumberOfCores /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Product Get Name,Version /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_NetworkAdapter Where PhysicalAdapter=TRUE Get Name,MACAddress,ProductName,ServiceName,NetConnectionID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_StartupCommand Get Name,Location,Command /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_OperatingSystem Get Caption,CSDVersion,BuildNumber,Version,BuildType,CountryCode,CurrentTimeZone,InstallDate,LastBootUpTime,Locale,OSArchitecture,OSLanguage,OSProductSuite,OSType,SystemDirectory,Organization,RegisteredUser,SerialNumber /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Process Get Caption,CommandLine,ExecutablePath,ProcessId /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_Volume Get Name,Label,FileSystem,SerialNumber,BootVolume,Capacity,DriveType /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_UserAccount Get Name,Domain,AccountType,LocalAccount,Disabled,Status,SID /format:csv2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic /namespace:\\root\cimv2 Path Win32_GroupUser Get GroupComponent,PartComponent /format:csv2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Users\Admin\AppData\Local\Temp\A303.exeC:\Users\Admin\AppData\Local\Temp\A303.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode 65,103⤵
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e file.zip -p283462270827100258722140325330 -oextracted3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exe7z.exe e extracted/file_3.zip -oextracted3⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 8882⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2896 -ip 28961⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1970.exeFilesize
304KB
MD5cfbe64a303fb6e0000c7859bfb13a1a2
SHA1a6b85217a3bd9ef76f1235a9ab92384b96b7fede
SHA256256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135
SHA512c411656d43d9b709db77c153da224e2930d26200dc081082d0a4beb0be23b6e63c9e747ec3d650cd670f72c08d79ba40d49c9091344e305a01657916109284b1
-
C:\Users\Admin\AppData\Local\Temp\1970.exeFilesize
304KB
MD5cfbe64a303fb6e0000c7859bfb13a1a2
SHA1a6b85217a3bd9ef76f1235a9ab92384b96b7fede
SHA256256340cafa360c86852d0f2b648e85a9e0957a66f58c0bc572f6b7482bb75135
SHA512c411656d43d9b709db77c153da224e2930d26200dc081082d0a4beb0be23b6e63c9e747ec3d650cd670f72c08d79ba40d49c9091344e305a01657916109284b1
-
C:\Users\Admin\AppData\Local\Temp\A303.exeFilesize
3.9MB
MD54f8a7c030aa8784e5f9726de742be5b5
SHA1b458828a0383defa2b1c79dc043d7e7e8cc712c4
SHA256b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952
SHA5120c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69
-
C:\Users\Admin\AppData\Local\Temp\A303.exeFilesize
3.9MB
MD54f8a7c030aa8784e5f9726de742be5b5
SHA1b458828a0383defa2b1c79dc043d7e7e8cc712c4
SHA256b8885e1a627026d5ebbce5dfc321358a1d339e0b30c887ab39e4b9e972f90952
SHA5120c74b22a46d6362fc8e5a9d919c8d32f6a2e21e9c3bdbfb0be679407a753f8995cc929956c7bd0351e6f4b8e224ea7fa4ebdc9b8d07c324608ffa2e20b4b8d69
-
C:\Users\Admin\AppData\Local\Temp\A930.exeFilesize
305KB
MD526337dba80f6771e3a16b16903e57b7c
SHA18b11d6a96d6e409456cb00f6e46e227426b29c08
SHA25605aa0199c301a1971d1972af7210922af9ae6886e1333c9d4b463e889bd9eda1
SHA51245c320ece64bfd88acab6ca44ccca042e888bce09ea34e342b5e86c7f6b522e0c61a6bfa4affdc7e14ddceab8ec4d20cfc5fb0d9d42de37752610af3c91b85bc
-
C:\Users\Admin\AppData\Local\Temp\A930.exeFilesize
305KB
MD526337dba80f6771e3a16b16903e57b7c
SHA18b11d6a96d6e409456cb00f6e46e227426b29c08
SHA25605aa0199c301a1971d1972af7210922af9ae6886e1333c9d4b463e889bd9eda1
SHA51245c320ece64bfd88acab6ca44ccca042e888bce09ea34e342b5e86c7f6b522e0c61a6bfa4affdc7e14ddceab8ec4d20cfc5fb0d9d42de37752610af3c91b85bc
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
448KB
MD5ebb140695a8e29bf947327db342b2ffe
SHA1a8ffd5ece5a14db77e830284c763ae096f42c677
SHA256ae31fdcfb3468581bc4189ff71bf22e2c97f71f24126e9f83891120e0c6aba54
SHA512fdb05e452dff66c349d1d3da26ebcacccbf96287eb297a3ae6177bf22aeb8bafa8c66f3b77e582e3d9d3bc14c0263ec049f7673b2645a0362db2976000b5138d
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
452KB
MD5b92c091e6c9f8dccf6e6ba4998a21393
SHA1f8f70c18a25e7d636c76f6fa5dd09570bd473514
SHA2562877ddbd7678ef80b14ddd72e924bc14f90ffc2a296eecc2c2e30a97e9cf90a9
SHA512842371d9869144176b046089dfa3ecc02a1520ed2bc81c4af60fa8c588b1b7e969c080c92bbcf2fd0d46f908b36d2a5e355c4364ddd0ef9d15f3dc99f770c5d3
-
C:\Users\Admin\AppData\Local\Temp\main\7z.dllFilesize
64KB
MD545a69bb8879875788b9f943a3b999c2a
SHA1b26026841c91f96e3669d8ba1f5d601896ed8c2a
SHA2563070fb5290897c35fdbfe604eaa195d92c8ff64f0ff8ce30891aeb5cbb7d197c
SHA512bdf4d17a1ce13c83c11fc9063bbc91a5a29cb6e341142d55eabba984bd464cce9bff7db5e1bae6d74502219731ffde24622482955581eb1267de27de78a20913
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
458KB
MD5619f7135621b50fd1900ff24aade1524
SHA16c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA5122c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628
-
C:\Users\Admin\AppData\Local\Temp\main\7z.exeFilesize
128KB
MD5f617039c0fd6e0e2fc42445b8c3197f5
SHA176d66e5de0ada6e0b14362bf2291fed85fd38827
SHA256aee95ecd5db79fd586ebfb4f44edf0ee01fc80da4b45632f565bb23d712a4797
SHA51286b8057cef764a48341c08781f778b5e439d49bfd7f9f8493674331e3efd9594112707bccc8fa986b7f74fe668742d07f2af3b14e0890d8e9b35e3a49895a326
-
C:\Users\Admin\AppData\Local\Temp\main\file.binFilesize
1.1MB
MD52bd9dc0c6c6030f0aae3663e89f5f8c7
SHA1e00cac4c324dcaa71aef98137e9689c7a18894e5
SHA2569c6db910439987df8f7e4a3c451c4df01b269303d1aa099864508d3c90321aad
SHA5125c1549709cd10d15174ec0509b934fa7a612957a31174aa009e3daf76639edfbcecd47072bcfac6d8aca1a2e0b1f254eba4069bf88b701bb6adcde6914dc5c8b
-
C:\Users\Admin\AppData\Local\Temp\main\main.batFilesize
476B
MD521b6341d2b4fc3c54bca293b71545d0c
SHA1ba66216cd3552de6b3ad254f65ccb834188347b0
SHA256432347ce4e632e70cc0cb988ed72c43a17b81f8955a3905e43a93708029a0daf
SHA51204842ab2240d782fe7f3336f4776576f67f3a30ae522713b2bfb8e5c86ca30a2706f2c73ede5647495b8cde06ad36b6499bf8bd9c8908e794fdbdb8bd0d534d1
-
C:\Users\Admin\AppData\Roaming\evbdbdaFilesize
304KB
MD578ab6d406247d0b80c6dfad070772768
SHA121a72ad164710c0a3bb55031f1c3dd8d5f4e4ad7
SHA2563449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30
SHA5124ca27a427f2667d6d6ab8b813a651600633b2575e144557b35bf259c9944c45a98d9236d59c5d6f5d00288b8c024949c1a17b6d2cf6ac98ecff19e7121b71ac3
-
C:\Users\Admin\AppData\Roaming\evbdbdaFilesize
304KB
MD578ab6d406247d0b80c6dfad070772768
SHA121a72ad164710c0a3bb55031f1c3dd8d5f4e4ad7
SHA2563449d9a2873d48c3297e2d0f86ad634978aaaefcc80a669fe9efedbd859f7f30
SHA5124ca27a427f2667d6d6ab8b813a651600633b2575e144557b35bf259c9944c45a98d9236d59c5d6f5d00288b8c024949c1a17b6d2cf6ac98ecff19e7121b71ac3
-
C:\Users\Admin\AppData\Roaming\gtbdbdaFilesize
305KB
MD526337dba80f6771e3a16b16903e57b7c
SHA18b11d6a96d6e409456cb00f6e46e227426b29c08
SHA25605aa0199c301a1971d1972af7210922af9ae6886e1333c9d4b463e889bd9eda1
SHA51245c320ece64bfd88acab6ca44ccca042e888bce09ea34e342b5e86c7f6b522e0c61a6bfa4affdc7e14ddceab8ec4d20cfc5fb0d9d42de37752610af3c91b85bc
-
C:\Users\Admin\AppData\Roaming\gtbdbdaFilesize
305KB
MD526337dba80f6771e3a16b16903e57b7c
SHA18b11d6a96d6e409456cb00f6e46e227426b29c08
SHA25605aa0199c301a1971d1972af7210922af9ae6886e1333c9d4b463e889bd9eda1
SHA51245c320ece64bfd88acab6ca44ccca042e888bce09ea34e342b5e86c7f6b522e0c61a6bfa4affdc7e14ddceab8ec4d20cfc5fb0d9d42de37752610af3c91b85bc
-
memory/304-152-0x00000000005F3000-0x0000000000604000-memory.dmpFilesize
68KB
-
memory/304-153-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/656-160-0x0000000000000000-mapping.dmp
-
memory/1064-140-0x00000000029E0000-0x00000000029F6000-memory.dmpFilesize
88KB
-
memory/1064-133-0x0000000000780000-0x0000000000796000-memory.dmpFilesize
88KB
-
memory/1064-147-0x0000000007660000-0x0000000007676000-memory.dmpFilesize
88KB
-
memory/1064-156-0x0000000008710000-0x0000000008726000-memory.dmpFilesize
88KB
-
memory/1064-157-0x00000000088B0000-0x00000000088BF000-memory.dmpFilesize
60KB
-
memory/1172-170-0x0000000000000000-mapping.dmp
-
memory/1300-174-0x0000000000000000-mapping.dmp
-
memory/1504-162-0x0000000000000000-mapping.dmp
-
memory/1508-155-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/1508-154-0x00000000005F3000-0x0000000000604000-memory.dmpFilesize
68KB
-
memory/1548-158-0x0000000000000000-mapping.dmp
-
memory/2020-163-0x0000000000000000-mapping.dmp
-
memory/2436-167-0x0000000000000000-mapping.dmp
-
memory/2600-159-0x0000000000000000-mapping.dmp
-
memory/2680-130-0x0000000000742000-0x0000000000752000-memory.dmpFilesize
64KB
-
memory/2680-132-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/2680-131-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/2824-184-0x0000000000000000-mapping.dmp
-
memory/2896-168-0x0000000000000000-mapping.dmp
-
memory/3064-175-0x0000000000000000-mapping.dmp
-
memory/3500-178-0x0000000000000000-mapping.dmp
-
memory/3544-164-0x0000000000000000-mapping.dmp
-
memory/3624-172-0x0000000000000000-mapping.dmp
-
memory/3972-169-0x0000000000000000-mapping.dmp
-
memory/4104-177-0x0000000000000000-mapping.dmp
-
memory/4112-161-0x0000000000000000-mapping.dmp
-
memory/4412-144-0x0000000000653000-0x0000000000664000-memory.dmpFilesize
68KB
-
memory/4412-146-0x0000000000400000-0x000000000048D000-memory.dmpFilesize
564KB
-
memory/4412-145-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/4412-141-0x0000000000000000-mapping.dmp
-
memory/4576-180-0x0000000000000000-mapping.dmp
-
memory/4584-139-0x0000000000400000-0x000000000048E000-memory.dmpFilesize
568KB
-
memory/4584-138-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/4584-137-0x0000000000663000-0x0000000000674000-memory.dmpFilesize
68KB
-
memory/4584-134-0x0000000000000000-mapping.dmp
-
memory/4588-173-0x0000000000000000-mapping.dmp
-
memory/5052-171-0x0000000000000000-mapping.dmp