Analysis
max time kernel: 153s
max time network: 141s
platform: windows7_x64
resource: win7-20220414-en
submitted: 25-06-2022 07:52
Static task: static1
Behavioral task: behavioral1
Sample: 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
Resource: win7-20220414-en
General
Target: 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
Size: 2.4MB
MD5: 3d7c637e0e04b7f9e10414c227a2f102
SHA1: 08e66ae0af9b16775fe9b614e2ed864934b74b2b
SHA256: 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4
SHA512: 6e74ddf4e7e16e00bc8e60bf09ebbd9a0d29475c2cf20dafd8c7d5a82b1b3cb0083667a8b0de015f0eb88e8a46fced28856a315a7053a725b4dea9b528665373
Malware Config
Extracted
Family: smokeloader
Version: 2018
C2: http://converadm.bit/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

XMRig Miner Payload 10 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\1337\cpu.exe | xmrig
C:\Users\Admin\AppData\Roaming\1337\cpu.exe | xmrig
C:\Users\Admin\AppData\Roaming\1337\cpu.exe | xmrig
behavioral1/memory/936-72-0x0000000000B20000-0x0000000000FED000-memory.dmp | xmrig
behavioral1/memory/936-77-0x0000000000B20000-0x0000000000FED000-memory.dmp | xmrig
behavioral1/memory/936-79-0x0000000000B20000-0x0000000000FED000-memory.dmp | xmrig
C:\ProgramData\cpsvchost.exe | xmrig
C:\ProgramData\cpsvchost.exe | xmrig
behavioral1/memory/1216-85-0x0000000000A40000-0x0000000000F0D000-memory.dmp | xmrig
behavioral1/memory/1216-89-0x0000000000A40000-0x0000000000F0D000-memory.dmp | xmrig

Executes dropped EXE 3 IoCs
Processes:
pid | process
936 | cpu.exe
1708 | loder0.exe
1216 | cpsvchost.exe

Processes:
resource | yara_rule
\Users\Admin\AppData\Roaming\1337\cpu.exe | vmprotect
C:\Users\Admin\AppData\Roaming\1337\cpu.exe | vmprotect
C:\Users\Admin\AppData\Roaming\1337\cpu.exe | vmprotect
behavioral1/memory/936-72-0x0000000000B20000-0x0000000000FED000-memory.dmp | vmprotect
behavioral1/memory/936-77-0x0000000000B20000-0x0000000000FED000-memory.dmp | vmprotect
behavioral1/memory/936-79-0x0000000000B20000-0x0000000000FED000-memory.dmp | vmprotect
C:\ProgramData\cpsvchost.exe | vmprotect
C:\ProgramData\cpsvchost.exe | vmprotect
behavioral1/memory/1216-85-0x0000000000A40000-0x0000000000F0D000-memory.dmp | vmprotect
behavioral1/memory/1216-89-0x0000000000A40000-0x0000000000F0D000-memory.dmp | vmprotect

Loads dropped DLL 4 IoCs
Processes:
pid | process
1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | loder0.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | loder0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1708 | loder0.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1708 set thread context of 836 | 1708 | loder0.exe | loder0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 53 IoCs
Processes:
pid | process
1708 | loder0.exe
936 | cpu.exe
1216 | cpsvchost.exe (remaining 51 entries, all identical)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
836 | loder0.exe
836 | loder0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeLockMemoryPrivilege | 1216 | cpsvchost.exe
Token: SeLockMemoryPrivilege | 1216 | cpsvchost.exe

Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process
PID 1684 wrote to memory of 936 | 1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe | cpu.exe (4 entries)
PID 1684 wrote to memory of 1708 | 1684 | 39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe | loder0.exe (4 entries)
PID 1708 wrote to memory of 836 | 1708 | loder0.exe | loder0.exe (7 entries)
PID 936 wrote to memory of 268 | 936 | cpu.exe | schtasks.exe (4 entries)
PID 472 wrote to memory of 1216 | 472 | taskeng.exe | cpsvchost.exe (4 entries)
PID 1216 wrote to memory of 684 | 1216 | cpsvchost.exe | schtasks.exe (4 entries)

Processes

C:\Users\Admin\AppData\Local\Temp\39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\39db8f99f438c93f7c1884efd0174499cae4ed0f972ee35bce41d0aa02a485e4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\1337\cpu.exe
    command line: "C:\Users\Admin\AppData\Roaming\1337\cpu.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F
      - Creates scheduled task(s)

  C:\Users\Admin\AppData\Roaming\1337\loder0.exe
    command line: "C:\Users\Admin\AppData\Roaming\1337\loder0.exe"
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\1337\loder0.exe
      command line: "C:\Users\Admin\AppData\Roaming\1337\loder0.exe"
      - Maps connected drives based on registry
      - Suspicious behavior: MapViewOfSection

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {57DA7AFE-86DA-4378-846C-11C746FA4694} S-1-5-21-2277218442-1199762539-2004043321-1000:AUVQQRRF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\cpsvchost.exe
    command line: C:\ProgramData\cpsvchost.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN System\WindowsDefender /TR C:\ProgramData\cpsvchost.exe /F
      - Creates scheduled task(s)

Downloads

C:\ProgramData\cpsvchost.exe
  Filesize: 2.3MB
  MD5: 38f70ac1cf4072da6e340dc50012596c
  SHA1: 180dcd4b8d02db621886ccb7f038635341d545c7
  SHA256: af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
  SHA512: 30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

C:\Users\Admin\AppData\Roaming\1337\cpu.exe
  Filesize: 2.3MB
  MD5: 38f70ac1cf4072da6e340dc50012596c
  SHA1: 180dcd4b8d02db621886ccb7f038635341d545c7
  SHA256: af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
  SHA512: 30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

C:\Users\Admin\AppData\Roaming\1337\loder0.exe
  Filesize: 177KB
  MD5: fd79a8140fdf8ff8946ca44767d79e0b
  SHA1: b9496b801c0e7f306ce4e56846a028a0403089ac
  SHA256: 7c453968a71c194077b12cb30a000c93e6dbb18dc35dce842190170c1119dd73
  SHA512: 16a0a3c98bdf4690d7257e4f52c2c74ff727d59a4c0fa4552de8937e135bf08395d39938eadc8f9a8ea7da2154fcadbd7137be82a29dd777068817932e25ce90

\Users\Admin\AppData\Local\Temp\nst2C03.tmp\System.dll
  Filesize: 11KB
  MD5: 2ae993a2ffec0c137eb51c8832691bcb
  SHA1: 98e0b37b7c14890f8a599f35678af5e9435906e1
  SHA256: 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
  SHA512: 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

\Users\Admin\AppData\Roaming\1337\cpu.exe
  Filesize: 2.3MB
  MD5: 38f70ac1cf4072da6e340dc50012596c
  SHA1: 180dcd4b8d02db621886ccb7f038635341d545c7
  SHA256: af647f7792cc76974d8016eb25b303c41281f166c29af268a2fb5d6c9af409cd
  SHA512: 30af5f95ed4f43d470046b311cb5057455c3ad515dcb93f72323be55d0250629ba42629e2937c16fc08c5bd51de79d222a14edc9b9de5e6fbbf3a0531e1136d6

\Users\Admin\AppData\Roaming\1337\loder0.exe
  Filesize: 177KB
  MD5: fd79a8140fdf8ff8946ca44767d79e0b
  SHA1: b9496b801c0e7f306ce4e56846a028a0403089ac
  SHA256: 7c453968a71c194077b12cb30a000c93e6dbb18dc35dce842190170c1119dd73
  SHA512: 16a0a3c98bdf4690d7257e4f52c2c74ff727d59a4c0fa4552de8937e135bf08395d39938eadc8f9a8ea7da2154fcadbd7137be82a29dd777068817932e25ce90

memory/268-78-0x0000000000000000-mapping.dmp

memory/684-88-0x0000000000000000-mapping.dmp

memory/836-65-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

memory/836-67-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

memory/836-64-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

memory/836-69-0x00000000004028F5-mapping.dmp

memory/836-74-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB

memory/936-77-0x0000000000B20000-0x0000000000FED000-memory.dmp
  Filesize: 4.8MB

memory/936-79-0x0000000000B20000-0x0000000000FED000-memory.dmp
  Filesize: 4.8MB

memory/936-72-0x0000000000B20000-0x0000000000FED000-memory.dmp
  Filesize: 4.8MB

memory/936-57-0x0000000000000000-mapping.dmp

memory/1216-81-0x0000000000000000-mapping.dmp

memory/1216-85-0x0000000000A40000-0x0000000000F0D000-memory.dmp
  Filesize: 4.8MB

memory/1216-89-0x0000000000A40000-0x0000000000F0D000-memory.dmp
  Filesize: 4.8MB

memory/1268-76-0x0000000002670000-0x0000000002685000-memory.dmp
  Filesize: 84KB

memory/1684-54-0x00000000752A1000-0x00000000752A3000-memory.dmp
  Filesize: 8KB

memory/1708-61-0x0000000000000000-mapping.dmp