Overview

overview

10

Static

static

1

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    01-05-2024 23:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe

  • Size

    651KB

  • MD5

    292883544ecb6516789ac22f40fb3fb2

  • SHA1

    29dd18c9388ff86eed94d6b75716b2600df5e280

  • SHA256

    cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548

  • SHA512

    08313e51d65175a7c93bf81da3b568bec104b610aedab69e2bc49cbc3bad46838e559846e879a0e9965531a4d5704fb492f01ffc70172b9a261c54fff314000b

  • SSDEEP

    12288:fXi+JKgD3+EB4yuBnJvI+aXM8Kz13SjZIBa0deoPdoYn9clL1:fXi+hj4y+JSMBz1CjD0d56jd1

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe
      "C:\Users\Admin\AppData\Local\Temp\cd18f6507d1618aeab81f86569c00b3b38d84bd18202525e93dd37e7f2d1b548.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Thunder Thunder.cmd & Thunder.cmd & exit
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2256
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
            PID:2940
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            4⤵
              PID:2792
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c md 22402
              4⤵
                PID:2660
              • C:\Windows\SysWOW64\findstr.exe
                findstr /V "DATINGHAPPENEDTOKYOCHICAGO" Zen
                4⤵
                  PID:2700
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b Rain + Johnny + Its + Warrant 22402\i
                  4⤵
                    PID:2468
                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22402\Edt.pif
                    22402\Edt.pif 22402\i
                    4⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Modifies system certificate store
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:2604
                  • C:\Windows\SysWOW64\PING.EXE
                    ping -n 5 127.0.0.1
                    4⤵
                    • Runs ping.exe
                    PID:2596
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22402\Edt.pif
                "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22402\Edt.pif"
                2⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:1608
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {2262B0C5-0A96-4166-A1CC-8D0787032B5F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2012
              • C:\Users\Admin\AppData\Roaming\sweshhe
                C:\Users\Admin\AppData\Roaming\sweshhe
                2⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:2140

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Subvert Trust Controls

            1
            T1553

            Install Root Certificate

            1
            T1553.004

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            System Information Discovery

            2
            T1082

            Query Registry

            2
            T1012

            Peripheral Device Discovery

            1
            T1120

            Process Discovery

            1
            T1057

            Remote System Discovery

            1
            T1018

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
              Filesize

              68KB

              MD5

              29f65ba8e88c063813cc50a4ea544e93

              SHA1

              05a7040d5c127e68c25d81cc51271ffb8bef3568

              SHA256

              1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

              SHA512

              e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22402\i
              Filesize

              201KB

              MD5

              5708e8f2c81ab33fd33465ccf6e62b00

              SHA1

              51e525c14907d02a1602329e4ed1e94cc808c275

              SHA256

              06b15e863b9677e358f4b2304f80237d89ef079720e4414db45da64b3de6e482

              SHA512

              03be1d1a5f76d418754adef92916d026f3884d0b02fd298dd8f412fe6151a92002509a3c040354516d54cfb9663dfa1f748d61f73f986461d5f48f314d5915b1

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Approval
              Filesize

              245KB

              MD5

              309fa7a25eb9f8fb80421abe1e098a0f

              SHA1

              a587fbaecef72c6f01e90ec1757f8fcf6c93e674

              SHA256

              580a21a85eb75e83d68f7d23f85b667cea33c2af3c4f26f2bd81cb57460c81c2

              SHA512

              b10df3ee30f9bc9a00eff9ded2cac4f91cadebdda00d3dd4ebaa130ede6f6aeb4abc5f03571c9c8ded0c97a3c60283662bac383de02896c3bead115f7d12ca39

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cornwall
              Filesize

              63KB

              MD5

              b4ce1424373882862c38402b8fa4293f

              SHA1

              a1208bdde8ed47c40d14de07fd7f5132e7efe21d

              SHA256

              78b0982fa8183fce64fc4784d7ad03bd7fc8089132759a27587d0714c00c99b5

              SHA512

              f4cb465e5792f2e27ac5f8890c1a902ea35b11feeaa8ed07dc06cad38e0d6a0a240007ef9b0a6a30574f72e816f28e0500c870121bdbf0cd4a2848154a3e5b71

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Its
              Filesize

              30KB

              MD5

              8a6bf71b7a2bfbd99d55d309ad86801d

              SHA1

              a4ab1e830dca05abf7e9a32adbc659b5b882b8c0

              SHA256

              f3e58127e58956ca8fed35733fe24b9533c16783126cd769a87aa4bfe4d581dc

              SHA512

              b17c9f529ba2200d85fda2487554eb254baca5ab673de1a7a1b779b4c4c7af03f0c7c0afa9e6ee4e1847ab4c2e7be789228c774bd954932582ca3672748e02b8

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Johnny
              Filesize

              45KB

              MD5

              c632c5d348e62fde34e6d5c723302088

              SHA1

              ac96ea5309e71a7048e32713887435496f36c007

              SHA256

              136ba9c45a6c2041dbdff3ad1c76b7fe139edf6d15de93380d0ab2c537a2936b

              SHA512

              fc06f07e53b4c89faa37b93e3e5dbfc2068bcfaf8329151c8599f70622d02d4792b03390b78ec720358bf65c4d093e03ba860c83e32daf2613710084a3ddab79

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rain
              Filesize

              65KB

              MD5

              7d510044cc60352568da4113704c1a1d

              SHA1

              10a95950ea6a8f011eb1a72c89944ca8d443ee78

              SHA256

              aa1aa1a05461ac61ec96ccefdf31309631f4957732bd7346dc41a705af70f669

              SHA512

              d628e1ea1f83cc0f0a2965ddb4b11bbe720f3c0ef9b996121296fd5045d2a23cf4832b55a21415ec26b5fac4a931ace1531d60ce8ec79fa19e64f9022e2c32f9

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sleeping
              Filesize

              229KB

              MD5

              db9791d42af7bdea2a0c4e25a3f576fe

              SHA1

              c9b9ffcc6bda3161f8e0f1f9627e6c61a9e7c70e

              SHA256

              eb846211ac7cadd57a088c2f15ce83ec5c071de94de0d54c97085aca53195cd3

              SHA512

              6c5b79d8ba8ae0a8ad9b66bae6861b5e53150abddad9ed54b9175d5a12a5a2a445fb7de94388a054d3560097b265b5b785e878bedba54684023b76412dd1c2c8

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Thunder
              Filesize

              24KB

              MD5

              6be69de1df914e7ae5216c7bc5ff1269

              SHA1

              cc315aec3b591651cf3c4a5bb0f51175ea96dda4

              SHA256

              feca2bd2079c5c5b3bb8c87f2eef9020e98957e113fa5431f6ed9c01e1ea9f3d

              SHA512

              c1344d9c530e2c453995fffc06768095c8ab15605c353e5ce06259b463e8ee743d75e56eba99b2b48672637de8a0b431c5d2b4559462e3097bfa1aba32c13f94

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tim
              Filesize

              248KB

              MD5

              39ba71e4b05f4a469299e24b646a549a

              SHA1

              2751f434e4c7c89b33fc644e3c329e37e2d979ff

              SHA256

              b73a94a4c079f0a1ca5e774e2ec59d42506a5adb713a76a3ab458f8916481cc7

              SHA512

              19bcf3fc6fa1b54d84adc37dd89387c33c8af41491adb76c6bae5868cc19211a3997c629b315d6db0c74ac10b8e6fe1eafafe43d3bab788576289b758cbb572b

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warrant
              Filesize

              61KB

              MD5

              c478292445bda2b4e5c6d1ab188320fd

              SHA1

              cbda31144792a0f3286cf91c1420b58d6f28ce25

              SHA256

              2ac31510564c80349434f800c0f1e77300819c679893c652a7f7450cfcefae18

              SHA512

              08df6be89beb42026656e333884b22a81f15b605f9e2ae46dab54c25ef9d32d792ef40b5536ffa4457f49c29faeec4dba89372f1ce856943ce2c5530024a25a2

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wheat
              Filesize

              87KB

              MD5

              da888e1a14bd0d42f67aec0c6919954c

              SHA1

              3e8f0ba941471e1a534441ff6aefe48cb42bfd78

              SHA256

              a8da14cafb604cf276a6c53fc653f8f1118d4d82c37eabf9472908b9dc3280d0

              SHA512

              63fc99e0792b72cc4f7d0c07f027a50cdc2f5a17c74c704800e358dab8e7f82eed27f091ed7b452bae83c8578709e446795bc910748bd6962b217dd157d42298

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Zen
              Filesize

              100B

              MD5

              c7b69074c06b5a3c50e198791110b59d

              SHA1

              79b0399e23ce2e4c57ab71f0405581e14649e55e

              SHA256

              573f8b52527b72cb7434d712e9df3a9d7c4b7fe73085807aa5ba299136683ffb

              SHA512

              41ec3584a9593bfeb1225fc55297d6c8de23a0a8aa9abf89dc7c3ce63f0d8708dcdebafd6846072ba1765941196ff3809d5f064af92e2b9ca78ff5414ea99fc2

              Download Submit
            • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22402\Edt.pif
              Filesize

              872KB

              MD5

              6ee7ddebff0a2b78c7ac30f6e00d1d11

              SHA1

              f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

              SHA256

              865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

              SHA512

              57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

              Download Submit
            • memory/1368-70-0x00000000040D0000-0x00000000040E6000-memory.dmp
              Filesize

              88KB

              Download
            • memory/2140-79-0x0000000004C60000-0x0000000004C62000-memory.dmp
              Filesize

              8KB

              Download