Overview

overview

10

Static

static

3

e4e363ba2b...JC.exe

windows7-x64

10

e4e363ba2b...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    208s
  • max time network
    244s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 19:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e4e363ba2bf7ba09114982630a3de87d42ee99a9c3f2ca25f410477d83b354f5_JC.exe

  • Size

    239KB

  • MD5

    a870b3e4c3dc630b5f0149f633e45312

  • SHA1

    ac57e8e0dfc8dd7c1a7175b14021ade6ca546312

  • SHA256

    e4e363ba2bf7ba09114982630a3de87d42ee99a9c3f2ca25f410477d83b354f5

  • SHA512

    75e406ba06811f42dcb15c3353e2b906234a22fa29cc8bb5b76e84f0219fd2e85f3b21f6e70cd9ba8259f0c00a08d726d20fe5bb6b6efa202671c2ff88e44649

  • SSDEEP

    6144:tY46fuYXChoQTjlFgLuCY1dRuAOrKI7w8y0:tpYzXChdTbv1buAGw8y

Score
10/10
healersmokeloaderbackdoordropperpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4e363ba2bf7ba09114982630a3de87d42ee99a9c3f2ca25f410477d83b354f5_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\e4e363ba2bf7ba09114982630a3de87d42ee99a9c3f2ca25f410477d83b354f5_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 224
      2⤵
      • Program crash
      PID:3340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2344 -ip 2344
    1⤵
      PID:3848
    • C:\Users\Admin\AppData\Local\Temp\4F4A.exe
      C:\Users\Admin\AppData\Local\Temp\4F4A.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oD7bw4sf.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oD7bw4sf.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3448
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YJ0Yv5oC.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YJ0Yv5oC.exe
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dR2Ga5Es.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dR2Ga5Es.exe
            4⤵
            • Executes dropped EXE
            PID:460
    • C:\Users\Admin\AppData\Local\Temp\8705.exe
      C:\Users\Admin\AppData\Local\Temp\8705.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:2508
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 148
          2⤵
          • Program crash
          PID:2576
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2384 -ip 2384
        1⤵
          PID:4276
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BDB6.bat" "
          1⤵
            PID:2180
          • C:\Users\Admin\AppData\Local\Temp\E89F.exe
            C:\Users\Admin\AppData\Local\Temp\E89F.exe
            1⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4048
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              2⤵
                PID:4488
            • C:\Users\Admin\AppData\Local\Temp\F4C5.exe
              C:\Users\Admin\AppData\Local\Temp\F4C5.exe
              1⤵
              • Executes dropped EXE
              PID:2904

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\4F4A.exe
              Filesize

              1.5MB

              MD5

              97f8378c8e74b612239252ca10185d88

              SHA1

              9ee49b0042790ef1871ff5fa087bb6d9428b56ed

              SHA256

              73cbc01956844ae9b23ba8ac81059c56b216828d784ba840456105a4ab7e7b0a

              SHA512

              1e2488ee93e6b59b7785591df25e4ef813dbd3bacd9d7a986b83d5c28ede7e31ffe6a87d40ce054fc784ba7454ace6bf549085fb69e52cdfc127693ed71fb6d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\4F4A.exe
              Filesize

              1.5MB

              MD5

              97f8378c8e74b612239252ca10185d88

              SHA1

              9ee49b0042790ef1871ff5fa087bb6d9428b56ed

              SHA256

              73cbc01956844ae9b23ba8ac81059c56b216828d784ba840456105a4ab7e7b0a

              SHA512

              1e2488ee93e6b59b7785591df25e4ef813dbd3bacd9d7a986b83d5c28ede7e31ffe6a87d40ce054fc784ba7454ace6bf549085fb69e52cdfc127693ed71fb6d7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8705.exe
              Filesize

              1.1MB

              MD5

              b925109069a4fffbdbe822d08b036dd7

              SHA1

              3ff913f275faf1bdd65fd6b2aa0018aae2aae267

              SHA256

              b693a7f4c43cb7ceb52c661705dbd08c1cfcc1d84f6cf10fc8202beb590d0be0

              SHA512

              d671e2d0ab38207cd02f6fe06b63a22deda64216cefe07acf01f701c5028d04c356a50d63c1e2fcfba1c22ec046babeed500880a92248a0e9d34ae0f5256ae88

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\8705.exe
              Filesize

              1.1MB

              MD5

              b925109069a4fffbdbe822d08b036dd7

              SHA1

              3ff913f275faf1bdd65fd6b2aa0018aae2aae267

              SHA256

              b693a7f4c43cb7ceb52c661705dbd08c1cfcc1d84f6cf10fc8202beb590d0be0

              SHA512

              d671e2d0ab38207cd02f6fe06b63a22deda64216cefe07acf01f701c5028d04c356a50d63c1e2fcfba1c22ec046babeed500880a92248a0e9d34ae0f5256ae88

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\BDB6.bat
              Filesize

              79B

              MD5

              403991c4d18ac84521ba17f264fa79f2

              SHA1

              850cc068de0963854b0fe8f485d951072474fd45

              SHA256

              ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

              SHA512

              a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\E89F.exe
              Filesize

              1.1MB

              MD5

              9981b0049825abc68bf9500774309ef3

              SHA1

              cc00e57539b263bbe7f5a8c1b2809ec0841c7373

              SHA256

              569e9788082001592d4fa0643a829e3ecbbe29a02409157367bc0a9825d9a6b0

              SHA512

              1396b8474b6a8207326c815a4c7a2c905aec9734ea89311e8b19cbb888821adfec96d434d43295788ed31c0704d7cf4aa063d3dda94860719ccd483d085db4a8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\E89F.exe
              Filesize

              1.1MB

              MD5

              9981b0049825abc68bf9500774309ef3

              SHA1

              cc00e57539b263bbe7f5a8c1b2809ec0841c7373

              SHA256

              569e9788082001592d4fa0643a829e3ecbbe29a02409157367bc0a9825d9a6b0

              SHA512

              1396b8474b6a8207326c815a4c7a2c905aec9734ea89311e8b19cbb888821adfec96d434d43295788ed31c0704d7cf4aa063d3dda94860719ccd483d085db4a8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F4C5.exe
              Filesize

              21KB

              MD5

              57543bf9a439bf01773d3d508a221fda

              SHA1

              5728a0b9f1856aa5183d15ba00774428be720c35

              SHA256

              70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

              SHA512

              28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F4C5.exe
              Filesize

              21KB

              MD5

              57543bf9a439bf01773d3d508a221fda

              SHA1

              5728a0b9f1856aa5183d15ba00774428be720c35

              SHA256

              70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e

              SHA512

              28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oD7bw4sf.exe
              Filesize

              1.3MB

              MD5

              4db9de94bcf318b0d4f63e5aeebc691a

              SHA1

              b4f80219381d3983220b109c8489be28802fc53e

              SHA256

              bb19620f4a8c557ca5f90cdc5db435190a87c501c2a1f5f1015b782d3c1a3012

              SHA512

              57d07e4d030fe3e7d626f8c08d173a46b02aa7bb96614b66b0b2abe7f682287e779f2f8d2c25080b956f5ef762ca9a123d2771fcc78d761eba3d0190ce1e2ee7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oD7bw4sf.exe
              Filesize

              1.3MB

              MD5

              4db9de94bcf318b0d4f63e5aeebc691a

              SHA1

              b4f80219381d3983220b109c8489be28802fc53e

              SHA256

              bb19620f4a8c557ca5f90cdc5db435190a87c501c2a1f5f1015b782d3c1a3012

              SHA512

              57d07e4d030fe3e7d626f8c08d173a46b02aa7bb96614b66b0b2abe7f682287e779f2f8d2c25080b956f5ef762ca9a123d2771fcc78d761eba3d0190ce1e2ee7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YJ0Yv5oC.exe
              Filesize

              1.1MB

              MD5

              6ef2d0cda61383ec26da417e8ce550c0

              SHA1

              75b5dd59aab2badc1d034658ed1f6ee766170eac

              SHA256

              f8adaa4327867b65a247c407b85964836ea98c81ea3f18d96f7273ff7d9909fd

              SHA512

              928ac4364e38ec33dddbf126e6b4ec2b04605186ad2bf1158082da8ebdc832bb61881938840742ad376cc25f1e53b432329b4428eae86728a593a7db38b74dad

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YJ0Yv5oC.exe
              Filesize

              1.1MB

              MD5

              6ef2d0cda61383ec26da417e8ce550c0

              SHA1

              75b5dd59aab2badc1d034658ed1f6ee766170eac

              SHA256

              f8adaa4327867b65a247c407b85964836ea98c81ea3f18d96f7273ff7d9909fd

              SHA512

              928ac4364e38ec33dddbf126e6b4ec2b04605186ad2bf1158082da8ebdc832bb61881938840742ad376cc25f1e53b432329b4428eae86728a593a7db38b74dad

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dR2Ga5Es.exe
              Filesize

              755KB

              MD5

              e0c4f1cb82c48d688e5ef7c38862ba55

              SHA1

              9c764d6da7a0a81f5797cacc3e1ca1b542c6f122

              SHA256

              71f727a374a2570f749d7d3de49433cf407db9df9697f97ce142dd7129df3952

              SHA512

              741d2b371fefbecf2f59c41c85a98f0f540c377736864141f243891fabbc8968e24bc5b553ba0a356cd4b640e504c2f59f8781d1725142c9ffbd4b1e92a7f2d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dR2Ga5Es.exe
              Filesize

              755KB

              MD5

              e0c4f1cb82c48d688e5ef7c38862ba55

              SHA1

              9c764d6da7a0a81f5797cacc3e1ca1b542c6f122

              SHA256

              71f727a374a2570f749d7d3de49433cf407db9df9697f97ce142dd7129df3952

              SHA512

              741d2b371fefbecf2f59c41c85a98f0f540c377736864141f243891fabbc8968e24bc5b553ba0a356cd4b640e504c2f59f8781d1725142c9ffbd4b1e92a7f2d0

              Download Submit

            • memory/2508-38-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2508-37-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2508-34-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2508-27-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/2904-56-0x00000000003F0000-0x00000000003FA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/3184-2-0x0000000003290000-0x00000000032A6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/3220-3-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3220-0-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3220-1-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download