Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 00:30
Static task
static1
Behavioral task
behavioral1
Sample
376349c30b19dea794469cf65f012ca0.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
376349c30b19dea794469cf65f012ca0.exe
Resource
win10v2004-20231222-en
General
-
Target
376349c30b19dea794469cf65f012ca0.exe
-
Size
203KB
-
MD5
376349c30b19dea794469cf65f012ca0
-
SHA1
0eac406b118bb4a35e7501306577d689d2dbb85e
-
SHA256
06b7da2a21d1375abfb7d433fe0acd3816524390605df00ae4d01660bbe92923
-
SHA512
996a9eb46fa22413aec5741d1f70deae1d59539a79cb362eefd472c3b860971cecef8270af6a4203c7f39499c0fc957076f5728682b97666bff26b1dc7bb82d4
-
SSDEEP
3072:UL4yhYY/3d0wTF29H9jmHd7cxatBgGgS/lPYxAxAU:UL4yhB/3dg9gFVg8FY6xA
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
ABD0.exeexplorer.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sya5i9m7k5w.exe ABD0.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sya5i9m7k5w.exe\DisableExceptionChainValidation ABD0.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "vul.exe" explorer.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Deletes itself 1 IoCs
Processes:
pid process 3404 -
Executes dropped EXE 1 IoCs
Processes:
ABD0.exepid process 2316 ABD0.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\sya5i9m7k5w.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\sya5i9m7k5w.exe\"" explorer.exe -
Processes:
ABD0.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ABD0.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
ABD0.exeexplorer.exepid process 2316 ABD0.exe 4376 explorer.exe 4376 explorer.exe 4376 explorer.exe 4376 explorer.exe 4376 explorer.exe 4376 explorer.exe 4376 explorer.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5060 4168 WerFault.exe 376349c30b19dea794469cf65f012ca0.exe 4704 4376 WerFault.exe explorer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
376349c30b19dea794469cf65f012ca0.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 376349c30b19dea794469cf65f012ca0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 376349c30b19dea794469cf65f012ca0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 376349c30b19dea794469cf65f012ca0.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exeABD0.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ABD0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ABD0.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
376349c30b19dea794469cf65f012ca0.exepid process 4168 376349c30b19dea794469cf65f012ca0.exe 4168 376349c30b19dea794469cf65f012ca0.exe 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 3404 -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
376349c30b19dea794469cf65f012ca0.exeABD0.exepid process 4168 376349c30b19dea794469cf65f012ca0.exe 2316 ABD0.exe 2316 ABD0.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
ABD0.exeexplorer.exedescription pid process Token: SeShutdownPrivilege 3404 Token: SeCreatePagefilePrivilege 3404 Token: SeDebugPrivilege 2316 ABD0.exe Token: SeRestorePrivilege 2316 ABD0.exe Token: SeBackupPrivilege 2316 ABD0.exe Token: SeLoadDriverPrivilege 2316 ABD0.exe Token: SeCreatePagefilePrivilege 2316 ABD0.exe Token: SeShutdownPrivilege 2316 ABD0.exe Token: SeTakeOwnershipPrivilege 2316 ABD0.exe Token: SeChangeNotifyPrivilege 2316 ABD0.exe Token: SeCreateTokenPrivilege 2316 ABD0.exe Token: SeMachineAccountPrivilege 2316 ABD0.exe Token: SeSecurityPrivilege 2316 ABD0.exe Token: SeAssignPrimaryTokenPrivilege 2316 ABD0.exe Token: SeCreateGlobalPrivilege 2316 ABD0.exe Token: 33 2316 ABD0.exe Token: SeDebugPrivilege 4376 explorer.exe Token: SeRestorePrivilege 4376 explorer.exe Token: SeBackupPrivilege 4376 explorer.exe Token: SeLoadDriverPrivilege 4376 explorer.exe Token: SeCreatePagefilePrivilege 4376 explorer.exe Token: SeShutdownPrivilege 4376 explorer.exe Token: SeTakeOwnershipPrivilege 4376 explorer.exe Token: SeChangeNotifyPrivilege 4376 explorer.exe Token: SeCreateTokenPrivilege 4376 explorer.exe Token: SeMachineAccountPrivilege 4376 explorer.exe Token: SeSecurityPrivilege 4376 explorer.exe Token: SeAssignPrimaryTokenPrivilege 4376 explorer.exe Token: SeCreateGlobalPrivilege 4376 explorer.exe Token: 33 4376 explorer.exe Token: SeShutdownPrivilege 3404 Token: SeCreatePagefilePrivilege 3404 -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
ABD0.exedescription pid process target process PID 3404 wrote to memory of 2316 3404 ABD0.exe PID 3404 wrote to memory of 2316 3404 ABD0.exe PID 3404 wrote to memory of 2316 3404 ABD0.exe PID 2316 wrote to memory of 4376 2316 ABD0.exe explorer.exe PID 2316 wrote to memory of 4376 2316 ABD0.exe explorer.exe PID 2316 wrote to memory of 4376 2316 ABD0.exe explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\376349c30b19dea794469cf65f012ca0.exe"C:\Users\Admin\AppData\Local\Temp\376349c30b19dea794469cf65f012ca0.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 3682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4168 -ip 41681⤵
-
C:\Users\Admin\AppData\Local\Temp\ABD0.exeC:\Users\Admin\AppData\Local\Temp\ABD0.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 11403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4376 -ip 43761⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ABD0.exeFilesize
30KB
MD5a4e7ac0800a8ab24290a7060d1198e10
SHA138e3d79639bf2b6fe4d62f77bfdec1760f7e022c
SHA256c7d665db307fdee1654495216284ac9f498c88c3155324466eb641fff5c08fed
SHA5120641f2dbcb97eb925486975c5b9247aa1162931047aa808056d7f85879b05fece5625b902a2cb64300c8fb24ca72b41f9a739ea8c334187edba8003de1ae7de7
-
C:\Users\Admin\AppData\Local\Temp\ABD0.exeFilesize
35KB
MD586cac1959b70f02bd8ccac3661e70a76
SHA17feabe2ca7674f22317017b9f4b24feab1eb90e0
SHA256d2ef6940e22d1041162b55a01bc4687266762af3a48b119293229010bdffa2db
SHA5124ad2488f89a75af3db955033f5dd9ca21dfc43c0dbc62ddce58c1986fdb67b75d153b4168c85fd25beedf73537f8a118b62851979ea679524ae7cc66070cb431
-
memory/2316-20-0x0000000077214000-0x0000000077215000-memory.dmpFilesize
4KB
-
memory/2316-23-0x00000000022A0000-0x0000000002306000-memory.dmpFilesize
408KB
-
memory/2316-19-0x00000000005E0000-0x00000000005ED000-memory.dmpFilesize
52KB
-
memory/2316-14-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/2316-16-0x00000000022A0000-0x0000000002306000-memory.dmpFilesize
408KB
-
memory/2316-17-0x00000000022A0000-0x0000000002306000-memory.dmpFilesize
408KB
-
memory/2316-24-0x00000000022A0000-0x0000000002306000-memory.dmpFilesize
408KB
-
memory/2316-33-0x00000000022A0000-0x0000000002306000-memory.dmpFilesize
408KB
-
memory/2316-22-0x0000000002830000-0x000000000283C000-memory.dmpFilesize
48KB
-
memory/2316-21-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/3404-4-0x0000000003180000-0x0000000003195000-memory.dmpFilesize
84KB
-
memory/4168-7-0x0000000000400000-0x0000000001D80000-memory.dmpFilesize
25.5MB
-
memory/4168-1-0x0000000001E20000-0x0000000001F20000-memory.dmpFilesize
1024KB
-
memory/4168-3-0x0000000000400000-0x0000000001D80000-memory.dmpFilesize
25.5MB
-
memory/4168-2-0x0000000001F40000-0x0000000001F49000-memory.dmpFilesize
36KB
-
memory/4376-34-0x0000000003FE0000-0x0000000003FE2000-memory.dmpFilesize
8KB
-
memory/4376-30-0x0000000000110000-0x00000000001D4000-memory.dmpFilesize
784KB
-
memory/4376-28-0x0000000000110000-0x00000000001D4000-memory.dmpFilesize
784KB
-
memory/4376-31-0x0000000000BE0000-0x0000000000BE1000-memory.dmpFilesize
4KB
-
memory/4376-27-0x0000000000C80000-0x00000000010B4000-memory.dmpFilesize
4.2MB
-
memory/4376-37-0x0000000000110000-0x00000000001D4000-memory.dmpFilesize
784KB
-
memory/4376-36-0x0000000000C80000-0x00000000010B3000-memory.dmpFilesize
4.2MB
-
memory/4376-25-0x0000000000C80000-0x00000000010B4000-memory.dmpFilesize
4.2MB