Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 17:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    213KB

  • MD5

    29c2d7eec8802f3967aafcd0d16628b1

  • SHA1

    efe099762635d1d6284afb88225029bf89adec5d

  • SHA256

    843ad82984513d049fcbf1258c0a2cf71fd519ad98a272e54ea95d42422a24bb

  • SHA512

    755316646a0fcf8fef69832e33e8c611eb02e9e88e6416f7a19c499acab82f9a0e15d49fa92de70aaa5085f05a591e33456f8df61af5534cdb43c3f652e1502a

  • SSDEEP

    3072:XG6IE/WIaxT8XyWiTmZTb05a+f4IOCX9:N/0oXyWiTQh+fN

Score
10/10
smokeloaderpub1backdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3248
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1164
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBC9.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2416
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        2⤵
          PID:3464
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CC06.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3052
        • C:\Windows\system32\reg.exe
          reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
          2⤵
            PID:3668
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:3328
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:852
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:3536
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:3876
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:2640
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4572
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:736
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:2008

                      Network

                      MITRE ATT&CK Matrix ATT&CK v13

                      Initial Access

                      Execution

                      Persistence

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Privilege Escalation

                      Boot or Logon Autostart Execution

                      1
                      T1547

                      Registry Run Keys / Startup Folder

                      1
                      T1547.001

                      Defense Evasion

                      Modify Registry

                      1
                      T1112

                      Credential Access

                      Discovery

                      Query Registry

                      3
                      T1012

                      Peripheral Device Discovery

                      2
                      T1120

                      System Information Discovery

                      2
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Web Service

                      1
                      T1102

                      Impact

                      Resource Development

                      Reconnaissance

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                        Filesize

                        471B

                        MD5

                        a962cde9b0ca0bd1ced7036af84b2cfe

                        SHA1

                        3514554251d09117f198a799f2068e66978a3f6d

                        SHA256

                        97afb92afdfc3920dc8f36ccfd75fc13e6ec4161e3c9704c450da4f1cb0937f9

                        SHA512

                        16e5eef5bcc499e0e4d471a37df8aa3b701be4f4dee45f3f9181906943394df217c06b399e3451e73e9a996fead5d0cf1420902611ee7954da0def7721710df6

                        Download Submit
                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                        Filesize

                        412B

                        MD5

                        646d7252baa43e7c32957178f2d667e5

                        SHA1

                        1d313c98d27b55ff03e1a010441c12ac2f939a88

                        SHA256

                        d1a342334ba4821a163a55fd328ad6cf8ff85a87ad3ef0628a5e66a4c1a44a80

                        SHA512

                        2c543a2716f8a99ec995a8d02e60db19a043c73b45bf7df008d543409e50ef01d97e7ad8794a3ff65942fe65a77c3c1711648f03097fa2657872ddb466a65971

                        Download Submit
                      • C:\Users\Admin\AppData\Local\Temp\BBC9.bat
                        Filesize

                        77B

                        MD5

                        55cc761bf3429324e5a0095cab002113

                        SHA1

                        2cc1ef4542a4e92d4158ab3978425d517fafd16d

                        SHA256

                        d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                        SHA512

                        33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                        Download Submit
                      • memory/2640-35-0x000001B193F00000-0x000001B194000000-memory.dmp
                        Filesize

                        1024KB

                        Download
                      • memory/2640-65-0x000001B194FB0000-0x000001B194FD0000-memory.dmp
                        Filesize

                        128KB

                        Download
                      • memory/2640-40-0x000001B194FF0000-0x000001B195010000-memory.dmp
                        Filesize

                        128KB

                        Download
                      • memory/2640-71-0x000001B1953C0000-0x000001B1953E0000-memory.dmp
                        Filesize

                        128KB

                        Download
                      • memory/3248-4-0x0000000000400000-0x0000000002722000-memory.dmp
                        Filesize

                        35.1MB

                        Download
                      • memory/3248-6-0x0000000000400000-0x0000000002722000-memory.dmp
                        Filesize

                        35.1MB

                        Download
                      • memory/3248-9-0x0000000002880000-0x000000000288B000-memory.dmp
                        Filesize

                        44KB

                        Download
                      • memory/3248-10-0x0000000000400000-0x000000000040B000-memory.dmp
                        Filesize

                        44KB

                        Download
                      • memory/3248-1-0x0000000002A80000-0x0000000002B80000-memory.dmp
                        Filesize

                        1024KB

                        Download
                      • memory/3248-3-0x0000000000400000-0x000000000040B000-memory.dmp
                        Filesize

                        44KB

                        Download
                      • memory/3248-2-0x0000000002880000-0x000000000288B000-memory.dmp
                        Filesize

                        44KB

                        Download
                      • memory/3300-5-0x0000000002FC0000-0x0000000002FD6000-memory.dmp
                        Filesize

                        88KB

                        Download
                      • memory/3300-23-0x0000000002FB0000-0x0000000002FB1000-memory.dmp
                        Filesize

                        4KB

                        Download
                      • memory/3536-33-0x00000000046B0000-0x00000000046B1000-memory.dmp
                        Filesize

                        4KB

                        Download