Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2022 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    183KB

  • MD5

    03e1befa49991fc477e5ae01b67070de

  • SHA1

    48117841d5cb73303a3004eaa613cb8d82ef1ced

  • SHA256

    c7c2e54acf6ef2957553c06322623811574476d51b9f09005e35803867b8b96b

  • SHA512

    ad621c0a66f7ed6e64ecca34daef9ec3d62ad240ae3ade9015b1829492aee0a249b549106ee9da0bc23ac7321f2bd39ddea163ac6b0c50bdb9031f1e5183a87b

  • SSDEEP

    3072:dexJOfoGr2L5LjeChfx556/PJYNsK9Szx5co4hSRjsLK2pI8OJ:debAzr2FLCChF62NsKwRjsxpI8O

Score
10/10
smokeloadersystembcbackdoordiscoverytrojan

Malware Config

Extracted

Family

systembc

C2

89.248.165.79:443

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 42 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4816
  • C:\Users\Admin\AppData\Local\Temp\466F.exe
    C:\Users\Admin\AppData\Local\Temp\466F.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 816
      2⤵
      • Program crash
      PID:4716
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 816
      2⤵
      • Program crash
      PID:4628
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      PID:1268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 856
      2⤵
      • Program crash
      PID:992
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2676 -ip 2676
    1⤵
      PID:1596
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2676 -ip 2676
      1⤵
        PID:1356
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2676 -ip 2676
        1⤵
          PID:4084
        • C:\Users\Admin\AppData\Local\Temp\ABF0.exe
          C:\Users\Admin\AppData\Local\Temp\ABF0.exe
          1⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4020
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 492
            2⤵
            • Program crash
            PID:360
        • C:\ProgramData\xjupbui\qwsx.exe
          C:\ProgramData\xjupbui\qwsx.exe start
          1⤵
          • Executes dropped EXE
          PID:1264
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4020 -ip 4020
          1⤵
            PID:2636

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\xjupbui\qwsx.exe
            Filesize

            209KB

            MD5

            cb5376549056d659a798cb9dd7464ffc

            SHA1

            12e8955e0e155c2e57d78955ad0924917b37ccba

            SHA256

            ab4707313627a925d7a67ee8acb04981d558f1ce2a110dea9ba8f02d15f8bc0a

            SHA512

            12130446a1f3a6edd8c68c26a83f0dcb5414aa629ed9f14ccdd99ace33202a79d958484aac12abe70d5810895e31365fbd7ce829d34c8a48e22ebd037a955be7

            Download Submit

          • C:\ProgramData\xjupbui\qwsx.exe
            Filesize

            209KB

            MD5

            cb5376549056d659a798cb9dd7464ffc

            SHA1

            12e8955e0e155c2e57d78955ad0924917b37ccba

            SHA256

            ab4707313627a925d7a67ee8acb04981d558f1ce2a110dea9ba8f02d15f8bc0a

            SHA512

            12130446a1f3a6edd8c68c26a83f0dcb5414aa629ed9f14ccdd99ace33202a79d958484aac12abe70d5810895e31365fbd7ce829d34c8a48e22ebd037a955be7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\0d502779-c529-4ae0-a0cb-e70926e21349.tmp
            Filesize

            22KB

            MD5

            99e972f6d63ded5a9f3d6a06ff481bec

            SHA1

            b3c98ed6975c649454bce3d88806ad1883e22327

            SHA256

            d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

            SHA512

            ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\466F.exe
            Filesize

            4.8MB

            MD5

            a6e7bf3dec2f21cc68a1426a1098a749

            SHA1

            6479e0fd7c5c6f257da6ae7b44a99e2e697437c3

            SHA256

            41b26641c07a8c5de0cb8572a432cb6831c3f7c8d8b7de2056d920b1b1722083

            SHA512

            c7482ab6daffc8773bf4612320cffb0d4c6195ff591ca590ecf73249d2d5fb975e85515a75223547379cdc492a335e3c9b6d28b150783ca36697b7ff7768e991

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\466F.exe
            Filesize

            4.8MB

            MD5

            a6e7bf3dec2f21cc68a1426a1098a749

            SHA1

            6479e0fd7c5c6f257da6ae7b44a99e2e697437c3

            SHA256

            41b26641c07a8c5de0cb8572a432cb6831c3f7c8d8b7de2056d920b1b1722083

            SHA512

            c7482ab6daffc8773bf4612320cffb0d4c6195ff591ca590ecf73249d2d5fb975e85515a75223547379cdc492a335e3c9b6d28b150783ca36697b7ff7768e991

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ABF0.exe
            Filesize

            209KB

            MD5

            cb5376549056d659a798cb9dd7464ffc

            SHA1

            12e8955e0e155c2e57d78955ad0924917b37ccba

            SHA256

            ab4707313627a925d7a67ee8acb04981d558f1ce2a110dea9ba8f02d15f8bc0a

            SHA512

            12130446a1f3a6edd8c68c26a83f0dcb5414aa629ed9f14ccdd99ace33202a79d958484aac12abe70d5810895e31365fbd7ce829d34c8a48e22ebd037a955be7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\ABF0.exe
            Filesize

            209KB

            MD5

            cb5376549056d659a798cb9dd7464ffc

            SHA1

            12e8955e0e155c2e57d78955ad0924917b37ccba

            SHA256

            ab4707313627a925d7a67ee8acb04981d558f1ce2a110dea9ba8f02d15f8bc0a

            SHA512

            12130446a1f3a6edd8c68c26a83f0dcb5414aa629ed9f14ccdd99ace33202a79d958484aac12abe70d5810895e31365fbd7ce829d34c8a48e22ebd037a955be7

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
            Filesize

            25KB

            MD5

            6f6eb502bc56ef0c6af70970cab6b6bd

            SHA1

            80b18c9e92eec4d3efb993baa1cbb65b9f2efefe

            SHA256

            fae1c05269e8dd5949302a1ec38625e70e8167a0cfe0734bb0aaf8533ce6bf1e

            SHA512

            1865e8155bb6838f068d29cdb33eddbae49e5cfc94e8a3f97ea50d008ef0cd34b0fc3cffec43cea7b104dd8673ab77c9d3103a2272ec6c418b3da4c4b6a023d3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Rpiidpytrto.tmp
            Filesize

            3.5MB

            MD5

            c597ca48af580cb2755914474a787ddf

            SHA1

            427cdbd19eadb94f1f89b51a7c3647a3ff7d3925

            SHA256

            8c67a70fe070595fda6ec977af7da0085d40df299f04cdd5669156752fee3f31

            SHA512

            c41ab851b712c484184934b2dab7015d329ec485b454b645411f69a97ef4a46351fe892f86522abf19c08cf1b7b6a5212954053b8218046cdfab24ef734e47ab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
            Filesize

            1KB

            MD5

            f42f2a2ee390bc203d1984162fd57a8f

            SHA1

            4cfad4d5561b33d6afcaf06a374ba8cc5b7da289

            SHA256

            90d944e4a4aa77a6d376114db46b8b3b47fb7e46e7769d34c978c93ec27b0cd1

            SHA512

            387f2b06a71bd2680b851c69812e9b3af4a41f15d0731d316b258f5453bfb24579dbee389573fbed9d1b775072daec16255ad541e8956608b2e7574de45d27f9

            Download Submit

          • memory/1264-179-0x0000000000768000-0x0000000000778000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1264-177-0x0000000000768000-0x0000000000778000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1264-178-0x0000000000400000-0x0000000000590000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/1268-154-0x0000000000000000-mapping.dmp

            Download

          • memory/1268-164-0x0000000003B10000-0x0000000003C50000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1268-165-0x0000000003B10000-0x0000000003C50000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1268-166-0x0000000002E60000-0x00000000039C9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1268-163-0x0000000002E60000-0x00000000039C9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/1268-158-0x0000000000A00000-0x000000000144A000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/1268-157-0x0000000003B10000-0x0000000003C50000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1268-156-0x0000000003B10000-0x0000000003C50000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1268-155-0x0000000002E60000-0x00000000039C9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2676-144-0x0000000003870000-0x00000000043D9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2676-167-0x0000000000400000-0x0000000000A61000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/2676-152-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-151-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-150-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-149-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-148-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-147-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-146-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-145-0x0000000003870000-0x00000000043D9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2676-136-0x0000000000000000-mapping.dmp

            Download

          • memory/2676-143-0x0000000003870000-0x00000000043D9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2676-142-0x0000000000400000-0x0000000000A61000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/2676-153-0x00000000044A0000-0x00000000045E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2676-168-0x0000000003870000-0x00000000043D9000-memory.dmp

            Filesize

            11.4MB

            Download

          • memory/2676-141-0x0000000000400000-0x0000000000A61000-memory.dmp

            Filesize

            6.4MB

            Download

          • memory/2676-140-0x0000000002BE0000-0x0000000003235000-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/2676-139-0x0000000002734000-0x0000000002BDE000-memory.dmp

            Filesize

            4.7MB

            Download

          • memory/4020-173-0x0000000000690000-0x0000000000699000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4020-172-0x000000000089D000-0x00000000008AD000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4020-174-0x0000000000400000-0x0000000000590000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/4020-169-0x0000000000000000-mapping.dmp

            Download

          • memory/4816-132-0x00000000008CD000-0x00000000008DE000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4816-135-0x0000000000400000-0x0000000000588000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4816-134-0x0000000000400000-0x0000000000588000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4816-133-0x00000000006D0000-0x00000000006D9000-memory.dmp

            Filesize

            36KB

            Download