Resubmissions

13/09/2023, 15:04

230913-sfmrnsch51 10

13/09/2023, 14:04

230913-rdegvacd7v 10

Analysis

  • max time kernel
    115s
  • max time network
    117s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/09/2023, 15:04

General

  • Target

    b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe

  • Size

    216KB

  • MD5

    9a96d0e2f9c295ab676be283a7e93565

  • SHA1

    1e39acd938959c92da53e009969da54e2b43c308

  • SHA256

    b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d

  • SHA512

    b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2

  • SSDEEP

    3072:e/ea4aZjLd76DboYo1cLCaw+GInmm8w57XjcC1hsy34ik/kwsurE5W7n:QZjLd6oDcLbGIm8Qu34ik/Ourv7

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://potunulit.org/

http://hutnilior.net/

http://bulimu55t.net/

http://soryytlic4.net/

http://novanosa5org.org/

http://nuljjjnuli.org/

http://tolilolihul.net/

http://somatoka51hub.net/

http://hujukui3.net/

http://bukubuka1.net/

http://golilopaster.org/

http://newzelannd66.org/

http://otriluyttn.org/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 60 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d_JC.exe"
    PID:3084
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
  • C:\Users\Admin\AppData\Roaming\fvtwbde
    C:\Users\Admin\AppData\Roaming\fvtwbde
    PID:1792
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    PID:4684

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\fvtwbde

      Filesize

      216KB

      MD5

      9a96d0e2f9c295ab676be283a7e93565

      SHA1

      1e39acd938959c92da53e009969da54e2b43c308

      SHA256

      b8cdfcaa86af18796eeed2fc83818f6af8dd1f4685d1942bc599792f55e1b11d

      SHA512

      b917419f203ef118f13e087a7eeba4ff1925a684fe34137fe9e583cfb6836adfa0e4dc7a59ae022c2d19e03a1955ba48d7ddb97b463eae88890f86af03f4cda2

    • memory/1792-53-0x0000000000400000-0x0000000002083000-memory.dmp

      Filesize

      28.5MB

    • memory/1792-49-0x0000000000400000-0x0000000002083000-memory.dmp

      Filesize

      28.5MB

    • memory/3084-0-0x0000000002330000-0x0000000002345000-memory.dmp

      Filesize

      84KB

    • memory/3084-1-0x0000000002350000-0x0000000002359000-memory.dmp

      Filesize

      36KB

    • memory/3084-2-0x0000000000400000-0x0000000002083000-memory.dmp

      Filesize

      28.5MB

    • memory/3084-4-0x0000000000400000-0x0000000002083000-memory.dmp

      Filesize

      28.5MB

    • memory/3084-8-0x0000000002330000-0x0000000002345000-memory.dmp

      Filesize

      84KB

    • memory/3084-9-0x0000000002350000-0x0000000002359000-memory.dmp

      Filesize

      36KB

    • memory/3212-28-0x000000000E490000-0x000000000E4A0000-memory.dmp

      Filesize

      64KB

    • memory/3212-37-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-18-0x000000000E400000-0x000000000E410000-memory.dmp

      Filesize

      64KB

    • memory/3212-20-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-21-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-22-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-24-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-26-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-16-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-25-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-27-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-32-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-30-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-34-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-29-0x000000000E490000-0x000000000E4A0000-memory.dmp

      Filesize

      64KB

    • memory/3212-17-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-36-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-38-0x000000000E400000-0x000000000E410000-memory.dmp

      Filesize

      64KB

    • memory/3212-40-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-39-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-42-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-43-0x000000000E490000-0x000000000E4A0000-memory.dmp

      Filesize

      64KB

    • memory/3212-45-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-44-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-47-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-48-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-15-0x000000000C0C0000-0x000000000C0D0000-memory.dmp

      Filesize

      64KB

    • memory/3212-50-0x000000000E3D0000-0x000000000E3E6000-memory.dmp

      Filesize

      88KB

    • memory/3212-3-0x00000000010B0000-0x00000000010C6000-memory.dmp

      Filesize

      88KB