Analysis
-
max time kernel
141s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2023 13:00
Static task
static1
Behavioral task
behavioral1
Sample
954c9a84081ee955881bbd4f13d70fe2.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
954c9a84081ee955881bbd4f13d70fe2.exe
Resource
win10v2004-20231215-en
General
-
Target
954c9a84081ee955881bbd4f13d70fe2.exe
-
Size
187KB
-
MD5
954c9a84081ee955881bbd4f13d70fe2
-
SHA1
eaf4d0c7a777c849352e020f16e25ac61ea46379
-
SHA256
a09973818d133a17fc00542bf00d38a75e9b235d6e3d05b099d955f814c66e80
-
SHA512
8d46acccbe61352da60715208f7f8e108fad5b2748c9a0f2fb25f36cc5a7cc87b848590414781299cf953d72893c8cd98c3645c0ce038621e6aaa7fc65a65294
-
SSDEEP
3072:wtYR9pLhV6v//e5O5Z5ev99l9ENPGdwDYTuKJIX:zRfLhV6v//e5OG99lMGd7TuK
Malware Config
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
explorer.exeABA1.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe explorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "frcvfzfmpe.exe" explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wu3iy3u19ausy.exe ABA1.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wu3iy3u19ausy.exe\DisableExceptionChainValidation ABA1.exe -
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Deletes itself 1 IoCs
Processes:
pid process 3364 -
Executes dropped EXE 1 IoCs
Processes:
ABA1.exepid process 5104 ABA1.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\wu3iy3u19ausy.exe" explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\wu3iy3u19ausy.exe\"" explorer.exe -
Processes:
ABA1.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ABA1.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes:
ABA1.exeexplorer.exepid process 5104 ABA1.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe 2960 explorer.exe -
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2376 1308 WerFault.exe 954c9a84081ee955881bbd4f13d70fe2.exe 4312 2960 WerFault.exe explorer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
954c9a84081ee955881bbd4f13d70fe2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 954c9a84081ee955881bbd4f13d70fe2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 954c9a84081ee955881bbd4f13d70fe2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 954c9a84081ee955881bbd4f13d70fe2.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
ABA1.exeexplorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 ABA1.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString ABA1.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
954c9a84081ee955881bbd4f13d70fe2.exepid process 1308 954c9a84081ee955881bbd4f13d70fe2.exe 1308 954c9a84081ee955881bbd4f13d70fe2.exe 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 3364 -
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
954c9a84081ee955881bbd4f13d70fe2.exeABA1.exepid process 1308 954c9a84081ee955881bbd4f13d70fe2.exe 5104 ABA1.exe 5104 ABA1.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
ABA1.exeexplorer.exedescription pid process Token: SeShutdownPrivilege 3364 Token: SeCreatePagefilePrivilege 3364 Token: SeDebugPrivilege 5104 ABA1.exe Token: SeRestorePrivilege 5104 ABA1.exe Token: SeBackupPrivilege 5104 ABA1.exe Token: SeLoadDriverPrivilege 5104 ABA1.exe Token: SeCreatePagefilePrivilege 5104 ABA1.exe Token: SeShutdownPrivilege 5104 ABA1.exe Token: SeTakeOwnershipPrivilege 5104 ABA1.exe Token: SeChangeNotifyPrivilege 5104 ABA1.exe Token: SeCreateTokenPrivilege 5104 ABA1.exe Token: SeMachineAccountPrivilege 5104 ABA1.exe Token: SeSecurityPrivilege 5104 ABA1.exe Token: SeAssignPrimaryTokenPrivilege 5104 ABA1.exe Token: SeCreateGlobalPrivilege 5104 ABA1.exe Token: 33 5104 ABA1.exe Token: SeDebugPrivilege 2960 explorer.exe Token: SeRestorePrivilege 2960 explorer.exe Token: SeBackupPrivilege 2960 explorer.exe Token: SeLoadDriverPrivilege 2960 explorer.exe Token: SeCreatePagefilePrivilege 2960 explorer.exe Token: SeShutdownPrivilege 2960 explorer.exe Token: SeTakeOwnershipPrivilege 2960 explorer.exe Token: SeChangeNotifyPrivilege 2960 explorer.exe Token: SeCreateTokenPrivilege 2960 explorer.exe Token: SeMachineAccountPrivilege 2960 explorer.exe Token: SeSecurityPrivilege 2960 explorer.exe Token: SeAssignPrimaryTokenPrivilege 2960 explorer.exe Token: SeCreateGlobalPrivilege 2960 explorer.exe Token: 33 2960 explorer.exe Token: SeShutdownPrivilege 3364 Token: SeCreatePagefilePrivilege 3364 -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
pid process 3364 -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
ABA1.exedescription pid process target process PID 3364 wrote to memory of 5104 3364 ABA1.exe PID 3364 wrote to memory of 5104 3364 ABA1.exe PID 3364 wrote to memory of 5104 3364 ABA1.exe PID 5104 wrote to memory of 2960 5104 ABA1.exe explorer.exe PID 5104 wrote to memory of 2960 5104 ABA1.exe explorer.exe PID 5104 wrote to memory of 2960 5104 ABA1.exe explorer.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\954c9a84081ee955881bbd4f13d70fe2.exe"C:\Users\Admin\AppData\Local\Temp\954c9a84081ee955881bbd4f13d70fe2.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 3682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1308 -ip 13081⤵
-
C:\Users\Admin\AppData\Local\Temp\ABA1.exeC:\Users\Admin\AppData\Local\Temp\ABA1.exe1⤵
- Sets file execution options in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe2⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 11403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2960 -ip 29601⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Privilege Escalation
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ABA1.exeFilesize
138KB
MD5e61ff360a1413c6c2b3781f81bcdc992
SHA10be0c3e6dedae604faeaecbe743ce9fef220bbd3
SHA256a3d8f5b9571ae65abf4032c43f08278686e714f04ade77372384e0d97ff27840
SHA512fb84f3b4b6a2cc4f7c523fd8facdc9172c3b4d9d7cd9f5b59a5b58526b4008e70c3fe5411e27c8be616eb84ac5b4cb10790fc97b24d75e7f717fbe7466468b5d
-
C:\Users\Admin\AppData\Local\Temp\ABA1.exeFilesize
108KB
MD5493c594a1cfc363250f8516031c578fb
SHA181143f22fac361a91ceff9913789717bc0c6dabf
SHA2563af6674ec7f8da81cfa780c2f3694ae25b3f088c5108294daaebc18a19b52eda
SHA5121ae5b63a8bb32620a00dc7c5ea29e02d7ea6bbf0245223849449fb1d4f6aefed95f92b801ffbd936481f5105ad601fd3dc706dd33b38a192b36ee46fcea53ca2
-
memory/1308-1-0x00000000023C0000-0x00000000024C0000-memory.dmpFilesize
1024KB
-
memory/1308-2-0x00000000021D0000-0x00000000021D9000-memory.dmpFilesize
36KB
-
memory/1308-3-0x0000000000400000-0x000000000214C000-memory.dmpFilesize
29.3MB
-
memory/1308-7-0x0000000000400000-0x000000000214C000-memory.dmpFilesize
29.3MB
-
memory/2960-34-0x0000000002EC0000-0x0000000002EC2000-memory.dmpFilesize
8KB
-
memory/2960-36-0x00000000004E0000-0x0000000000913000-memory.dmpFilesize
4.2MB
-
memory/2960-37-0x0000000001000000-0x00000000010C4000-memory.dmpFilesize
784KB
-
memory/2960-24-0x00000000004E0000-0x0000000000914000-memory.dmpFilesize
4.2MB
-
memory/2960-31-0x0000000001590000-0x0000000001591000-memory.dmpFilesize
4KB
-
memory/2960-28-0x0000000001000000-0x00000000010C4000-memory.dmpFilesize
784KB
-
memory/2960-30-0x0000000001000000-0x00000000010C4000-memory.dmpFilesize
784KB
-
memory/2960-26-0x00000000004E0000-0x0000000000914000-memory.dmpFilesize
4.2MB
-
memory/3364-4-0x0000000002E10000-0x0000000002E25000-memory.dmpFilesize
84KB
-
memory/5104-14-0x0000000000010000-0x000000000006D000-memory.dmpFilesize
372KB
-
memory/5104-18-0x0000000002280000-0x00000000022E6000-memory.dmpFilesize
408KB
-
memory/5104-20-0x00000000772A4000-0x00000000772A5000-memory.dmpFilesize
4KB
-
memory/5104-21-0x0000000002800000-0x0000000002801000-memory.dmpFilesize
4KB
-
memory/5104-33-0x0000000002280000-0x00000000022E6000-memory.dmpFilesize
408KB
-
memory/5104-22-0x0000000002830000-0x000000000283C000-memory.dmpFilesize
48KB
-
memory/5104-23-0x0000000002280000-0x00000000022E6000-memory.dmpFilesize
408KB
-
memory/5104-16-0x0000000002280000-0x00000000022E6000-memory.dmpFilesize
408KB
-
memory/5104-17-0x0000000002640000-0x000000000264D000-memory.dmpFilesize
52KB