Overview

overview

10

Static

static

3

41bbe0bbf7...22.exe

windows7-x64

10

41bbe0bbf7...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    69s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/10/2023, 12:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922.exe

  • Size

    247KB

  • MD5

    5f571f750931935ed68417426d8ca586

  • SHA1

    14dfbe8c4a05523b037af7357b41a444f9ebe700

  • SHA256

    41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922

  • SHA512

    da7e887450993cb2c76c840177751fe6902077850bae74df2176691ed8335a93b55d49ee97712dc48f85de7f04b84accb75fa59a94a6818a8b659434afd07964

  • SSDEEP

    3072:CTpKbW/eTbo4KZ1iFXJdjT+paAmlYKAF2:lbW/eY4S1KXH+znK

Score
10/10
smokeloaderup4backdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up4

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-file0.com/

http://file-file-file1.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922.exe
    "C:\Users\Admin\AppData\Local\Temp\41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Users\Admin\AppData\Local\Temp\41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922.exe
      "C:\Users\Admin\AppData\Local\Temp\41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1728
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3996
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:644
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:1092
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:1388
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
            PID:4368
          • C:\Users\Admin\AppData\Roaming\rvghgwc
            C:\Users\Admin\AppData\Roaming\rvghgwc
            1⤵
              PID:4120
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:4428
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:4648

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                  Filesize

                  471B

                  MD5

                  ecc3c9de4f6c2909d80c9a355c58a995

                  SHA1

                  205eb3c15c1e0338dee194e6b3de88fc61e8a503

                  SHA256

                  2d8dd41275cee7e1fc715eaab2e020c74e4d4640c5c7b25db31aa3a98519b966

                  SHA512

                  1e7138e5770573cf06796ffdd1811d9978c9d43dbfae2250c69b79b6a3b5d51b0f7e1e4c9fca5105629454586164e2c52b9624dbde93e21ebb69694a18a3bbd3

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                  Filesize

                  412B

                  MD5

                  0ca43fd7111e8453842c30095c275320

                  SHA1

                  77e742cea30a118111a3a2bba9a82dd15fa731ed

                  SHA256

                  15c9730f9f0f4cb0dd49000f2b97e7eb70a2949331e51b28581bd9d5edab0535

                  SHA512

                  6d478058788f9015eb4728d18bb0fd8564684ba35b24f376d531a2f94b4f23ea7c9f7bc24b66b4de7fd7bb65d1edf9af071841c2101a056f4b7f269047362b62

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\rvghgwc
                  Filesize

                  247KB

                  MD5

                  5f571f750931935ed68417426d8ca586

                  SHA1

                  14dfbe8c4a05523b037af7357b41a444f9ebe700

                  SHA256

                  41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922

                  SHA512

                  da7e887450993cb2c76c840177751fe6902077850bae74df2176691ed8335a93b55d49ee97712dc48f85de7f04b84accb75fa59a94a6818a8b659434afd07964

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\rvghgwc
                  Filesize

                  247KB

                  MD5

                  5f571f750931935ed68417426d8ca586

                  SHA1

                  14dfbe8c4a05523b037af7357b41a444f9ebe700

                  SHA256

                  41bbe0bbf7897cf38ccccd701d9cf5c5bfc36b4ba9e519324c03e9d70fb12922

                  SHA512

                  da7e887450993cb2c76c840177751fe6902077850bae74df2176691ed8335a93b55d49ee97712dc48f85de7f04b84accb75fa59a94a6818a8b659434afd07964

                  Download Submit

                • memory/1728-4-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1728-6-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/1728-3-0x0000000000400000-0x0000000000409000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/3144-13-0x0000000002F10000-0x0000000002F11000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3144-5-0x0000000002F60000-0x0000000002F76000-memory.dmp

                  Filesize

                  88KB

                  Download

                • memory/3756-1-0x0000000000720000-0x0000000000820000-memory.dmp

                  Filesize

                  1024KB

                  Download

                • memory/3756-2-0x0000000002450000-0x0000000002459000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/4368-27-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4648-34-0x000002144C460000-0x000002144C480000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4648-37-0x000002144C420000-0x000002144C440000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/4648-41-0x000002144C840000-0x000002144C860000-memory.dmp

                  Filesize

                  128KB

                  Download