Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe

  • Size

    209KB

  • MD5

    487c5ef864db010745ea26e6c27cdf10

  • SHA1

    b285aecebee79d70f684832a2bb09467c6db6cfb

  • SHA256

    784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44

  • SHA512

    8dfd0185117d909fca007e9bd53dcc90da54d8b2bccac265f8a963f46a5b05c0d38ef981531b441ae5b762632f28ec4a7b45293cb4d2d99235ec61c1add98a4c

  • SSDEEP

    1536:n3o311bC7Xu1LpopPim+PvDOmdVFnb0MLrR2mbU9EFJ0NxgVO1MGyF59vXMziEV0:4/MePP7rrRHbU9EFJ0YVj5GZH

Score
10/10
smokeloaderpub1backdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 39 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe
    "C:\Users\Admin\AppData\Local\Temp\784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1972
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54A3.bat" "
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3784
    • C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
      2⤵
        PID:3600
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6628.bat" "
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\system32\reg.exe
        reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
        2⤵
          PID:3624
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:2724
        • C:\Windows\explorer.exe
          explorer.exe
          1⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2004
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3532
          • C:\Windows\explorer.exe
            explorer.exe
            1⤵
              PID:3968
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:2372
              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                1⤵
                  PID:4268
                • C:\Windows\explorer.exe
                  explorer.exe
                  1⤵
                    PID:4340
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    1⤵
                      PID:4496
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                        PID:372
                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                        1⤵
                          PID:3724
                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                          1⤵
                            PID:3912
                          • C:\Windows\explorer.exe
                            explorer.exe
                            1⤵
                              PID:3120
                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                              1⤵
                                PID:1012
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                  PID:2756
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                    PID:4044
                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                    1⤵
                                      PID:1988
                                    • C:\Windows\explorer.exe
                                      explorer.exe
                                      1⤵
                                        PID:3700
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                          PID:4644
                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                          1⤵
                                            PID:4492

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                            Filesize

                                            471B

                                            MD5

                                            cf94c140b8e861d5b8a579457f8e4c26

                                            SHA1

                                            972614473d6a8399f72403c6090ed50bcee1e56b

                                            SHA256

                                            2307783397917148817da0e40ad8afc4256a3a42230085eaebe512d815ced1fc

                                            SHA512

                                            696239223616e16d17775660d2e1ef97e4b536741a2cb406510d9de8e4090f6653c0e2fc8196bde76be527b02f2e362bad3b73ad37ac9b0168efaa3c80d90c05

                                            Download Submit

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                            Filesize

                                            412B

                                            MD5

                                            68b91aa56420a00a88bbc23d43fb4277

                                            SHA1

                                            b9c3f3fd5fe3861c9494a488e12e23e7cbf3b78f

                                            SHA256

                                            b1f6988e1c459a87367887f59e1810f36a2787655caab9cba6a4875a903668de

                                            SHA512

                                            5bda4169b49c541f2846e023d1f2b4e414e6340341d878bceee3b4e5652d93d9dd48c5e707c48505318a9a0c5720e7f9d351f901ab080b8eb92bd9c5f674a61f

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                            Filesize

                                            2KB

                                            MD5

                                            e7d8fa6976c678040856c66be93113a7

                                            SHA1

                                            7444efb6ea604cb018ae195cfee66ed1ecdd91ce

                                            SHA256

                                            37267c482adce0fc6e14bfd07a6a97f4cc462cbce275808d420704b2d73d33bb

                                            SHA512

                                            5af9f0a3b45a1cb6d646ac87e833036abb4817ef9b67b6912e1febd15942e222ca16e9ec99be8dfab46b781afa21964fc6b5da387ea038ed00e3cdc9234e7a36

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
                                            Filesize

                                            96B

                                            MD5

                                            84209e171da10686915fe7efcd51552d

                                            SHA1

                                            6bf96e86a533a68eba4d703833de374e18ce6113

                                            SHA256

                                            04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

                                            SHA512

                                            48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

                                            Download Submit

                                          • C:\Users\Admin\AppData\Local\Temp\54A3.bat
                                            Filesize

                                            77B

                                            MD5

                                            55cc761bf3429324e5a0095cab002113

                                            SHA1

                                            2cc1ef4542a4e92d4158ab3978425d517fafd16d

                                            SHA256

                                            d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

                                            SHA512

                                            33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

                                            Download Submit

                                          • memory/372-177-0x0000000004F00000-0x0000000004F01000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1972-1-0x00000000023E0000-0x00000000024E0000-memory.dmp

                                            Filesize

                                            1024KB

                                            Download

                                          • memory/1972-3-0x0000000000400000-0x000000000040B000-memory.dmp

                                            Filesize

                                            44KB

                                            Download

                                          • memory/1972-2-0x0000000003F60000-0x0000000003F6B000-memory.dmp

                                            Filesize

                                            44KB

                                            Download

                                          • memory/1972-9-0x0000000000400000-0x000000000040B000-memory.dmp

                                            Filesize

                                            44KB

                                            Download

                                          • memory/1972-8-0x0000000003F60000-0x0000000003F6B000-memory.dmp

                                            Filesize

                                            44KB

                                            Download

                                          • memory/1972-7-0x0000000000400000-0x0000000002351000-memory.dmp

                                            Filesize

                                            31.3MB

                                            Download

                                          • memory/2756-339-0x0000019DC5190000-0x0000019DC51B0000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/2756-327-0x0000019DC51D0000-0x0000019DC51F0000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/2756-321-0x0000019DC4300000-0x0000019DC4400000-memory.dmp

                                            Filesize

                                            1024KB

                                            Download

                                          • memory/2756-340-0x0000019DC5830000-0x0000019DC5850000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/3120-319-0x0000000004800000-0x0000000004801000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3360-24-0x0000000002B90000-0x0000000002B91000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3360-4-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/3912-213-0x0000014E3C7D0000-0x0000014E3C7F0000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/3912-184-0x0000014E3CC20000-0x0000014E3CC40000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/3912-180-0x000001463A900000-0x000001463AA00000-memory.dmp

                                            Filesize

                                            1024KB

                                            Download

                                          • memory/3912-216-0x0000014E3CFE0000-0x0000014E3D000000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/3912-179-0x000001463A900000-0x000001463AA00000-memory.dmp

                                            Filesize

                                            1024KB

                                            Download

                                          • memory/3968-33-0x00000000040D0000-0x00000000040D1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4268-55-0x0000011152130000-0x0000011152150000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/4268-70-0x00000111527D0000-0x00000111527F0000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/4268-34-0x0000011151220000-0x0000011151320000-memory.dmp

                                            Filesize

                                            1024KB

                                            Download

                                          • memory/4268-39-0x0000011152170000-0x0000011152190000-memory.dmp

                                            Filesize

                                            128KB

                                            Download