Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    294s
  • max time network
    284s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-06-2023 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9.exe

  • Size

    248KB

  • MD5

    aba61284cec3036dae80ece91256cf35

  • SHA1

    1ccbcd2605d623ada8ecbcace5c1ff1f082c9e2d

  • SHA256

    835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9

  • SHA512

    8f57b93b11df6d5aa2686afeb156310bea2f65ed6e17f6b27d1a5089a0d729057f255c9169d797f62c72263ccd4a90fa7203708ebaf3c13521825e1f65a42331

  • SSDEEP

    3072:bnwpjZ/aX+tl/w8aKwg/6K0HXDZh/TKHXwdDlsv5HyVSeR/:Epd/aX+t9w8av13D7/TK3nYR

Score
10/10
smokeloadersystembcbackdoorpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

admex1955x.xyz:4044

servx2785x.xyz:4044

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9.exe
    "C:\Users\Admin\AppData\Local\Temp\835089cc52af94cdcdf26ab335f8a4fe4719071746539acf472579fa2fc8e4f9.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    PID:4220
  • C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
    C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
      C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      PID:3996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
    Filesize

    248KB

    MD5

    b7a27f7fb7e89d794ae09acbfed3745a

    SHA1

    aaa6004d82ef20fbd8f19859cf1dc738a90234b1

    SHA256

    757b0254c3a04feabe3c7866f59e522bd8c8b0fa5c51d7f8d2cf61a298d4f6bd

    SHA512

    be61ed786ce3ae62efd012f3c76d9be6761e3fdd03709737b0b0ed546c6b5301ce5c786372305766cae28ad20208ab11799ae5a3a81554270e6f7dcbec97f3e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
    Filesize

    248KB

    MD5

    b7a27f7fb7e89d794ae09acbfed3745a

    SHA1

    aaa6004d82ef20fbd8f19859cf1dc738a90234b1

    SHA256

    757b0254c3a04feabe3c7866f59e522bd8c8b0fa5c51d7f8d2cf61a298d4f6bd

    SHA512

    be61ed786ce3ae62efd012f3c76d9be6761e3fdd03709737b0b0ed546c6b5301ce5c786372305766cae28ad20208ab11799ae5a3a81554270e6f7dcbec97f3e9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cgmgaq.exe
    Filesize

    248KB

    MD5

    b7a27f7fb7e89d794ae09acbfed3745a

    SHA1

    aaa6004d82ef20fbd8f19859cf1dc738a90234b1

    SHA256

    757b0254c3a04feabe3c7866f59e522bd8c8b0fa5c51d7f8d2cf61a298d4f6bd

    SHA512

    be61ed786ce3ae62efd012f3c76d9be6761e3fdd03709737b0b0ed546c6b5301ce5c786372305766cae28ad20208ab11799ae5a3a81554270e6f7dcbec97f3e9

    Download Submit
  • memory/2072-143-0x0000000000A90000-0x0000000000A99000-memory.dmp
    Filesize

    36KB

    Download
  • memory/3996-141-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/3996-144-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/3996-146-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4220-116-0x0000000000A10000-0x0000000000A25000-memory.dmp
    Filesize

    84KB

    Download
  • memory/4220-117-0x0000000000AC0000-0x0000000000AC5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/4220-118-0x0000000000400000-0x0000000000924000-memory.dmp
    Filesize

    5.1MB

    Download