Analysis
-
max time kernel
109s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230831-en -
resource tags
-
submitted
07-09-2023 08:19
General
-
Target
6Js1.exe
-
Size
618KB
-
MD5
3f6d5376b6d40c82644287c7621dfc5b
-
SHA1
f54b9ed42b60eb6793cd55ed25e6f2bd6120218f
-
SHA256
94dbf6089ceccafd34ec1011941f18682361d71a9fbc54d1495dc0f9ec52169e
-
SHA512
3ea3e7c045c015e8c455ed9f550784d7af75c2cba263913ffaa210652f74ed036a6541b71f95d11663ee6dd062059cbcad94c1148243852d01722dd8780d010c
-
SSDEEP
12288:vbNq3U22k24PnuBvJTvfIVcmaBhIaQBanLFHL4UhnPtJHKFm5fto1XGTI:zI24PuvJTEYHLzhnPwU1cL
Malware Config
Extracted
smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Signatures
-
Ammyy Admin
Remote admin tool with various capabilities.
-
AmmyyAdmin payload 2 IoCs
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 4 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 27 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6Js1.exe"C:\Users\Admin\AppData\Local\Temp\6Js1.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\6Js1.exeC:\Users\Admin\AppData\Local\Temp\6Js1.exe3⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\AppData\Local\Temp\C02E.exeC:\Users\Admin\AppData\Local\Temp\C02E.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\D34A.exeC:\Users\Admin\AppData\Local\Temp\D34A.exe2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\FA6.tmp\svchost.exeC:\Users\Admin\AppData\Local\Temp\FA6.tmp\svchost.exe -debug3⤵
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#sqltdrz#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 416 -p 372 -ip 3721⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 372 -s 32801⤵
- Program crash
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
298KB
MD5966f6925f2e2ea12f260ad305d5bfc69
SHA1baeadfda934497ddc676a78e886935e4a70ce214
SHA2560bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635
SHA5129fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74
-
Filesize
298KB
MD5966f6925f2e2ea12f260ad305d5bfc69
SHA1baeadfda934497ddc676a78e886935e4a70ce214
SHA2560bae6a5e4eb4347a99a45dcc9bec3d11da7f3f3e1743e3533c83cf9154b5d635
SHA5129fadab42dabc13b3e65ef99e4a5feaa8af18c09fec710409091a8aeb48d3f1e8462c31cdca553eb584f1a1475506645cf52f510bd624197a5a9e742afab0ce74
-
Filesize
9.9MB
MD54c328b215a84c1b2c982a3268b4a0cea
SHA1addaaa78ce3f457d008a4958b2c1a404dcc62eaa
SHA2563761032e760a2bcc61854a0c7cf22e8e991af0ed60fac92b981853eadda00d1a
SHA512bd1a0bb98487781d8a6a5145e30544112d511c4510eda59150f23ff605db4ded5f42869a5be9ff0ff7fc570ab2d9f05c13223f3a420a7fa3b3ad7258f2084598
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
798KB
MD590aadf2247149996ae443e2c82af3730
SHA1050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
Filesize
18KB
MD5994669c5737b25c26642c94180e92fa2
SHA1d8a1836914a446b0e06881ce1be8631554adafde
SHA256bf01a1f272e0daf82df3407690b646e0ff6b2c562e36e47cf177eda71ccb6f6c
SHA512d0ab7ca7f890ef9e59015c33e6b400a0a4d1ce0d24599537e09e845f4b953e3ecd44bf3e3cbe584f57c2948743e689ed67d2d40e6caf923bd630886e89c38563
-
Filesize
7.7MB
-
Filesize
640KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
64KB
-
Filesize
760KB
-
Filesize
164KB
-
Filesize
2.0MB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
132KB
-
Filesize
156KB
-
Filesize
132KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
88KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
40KB
-
Filesize
468KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
16KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
48KB
-
Filesize
28KB
-
Filesize
48KB
-
Filesize
10.0MB
-
Filesize
10.0MB