Resubmissions

04-12-2024 19:31

241204-x8wmhaxmcv 10

04-12-2024 11:47

241204-nybd5szkdq 10

04-12-2024 11:40

241204-nsybqazjek 10

04-12-2024 11:35

241204-np1bxatqgz 10

03-12-2024 19:23

241203-x381msvpgj 10

03-12-2024 16:27

241203-tyez8atjdv 10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 11:47

General

  • Target

    HYDRA.exe

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

  • SSDEEP

    49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 20 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
    "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amdt1ql_.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2240
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CDA.tmp"
            5⤵
              PID:2892
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe"
            4⤵
              PID:2932
            • C:\Windows\System32\cmd.exe
              /K services.exe && clear
              4⤵
                PID:596
              • C:\Windows\System32\cmd.exe
                /K services.exe && clear
                4⤵
                  PID:940
                • C:\Windows\System32\cmd.exe
                  /K services.exe && clear
                  4⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1356
                  • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
                    services.exe
                    5⤵
                    • Executes dropped EXE
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1036
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe"
                  4⤵
                    PID:736
                  • C:\Windows\System32\cmd.exe
                    net localgroup administrators %username% /add
                    4⤵
                      PID:1660
                • C:\Users\Admin\AppData\Roaming\va.exe
                  C:\Users\Admin\AppData\Roaming\va.exe
                  2⤵
                  • Drops startup file
                  • Executes dropped EXE
                  PID:2256
                • C:\Users\Admin\AppData\Roaming\ufx.exe
                  C:\Users\Admin\AppData\Roaming\ufx.exe
                  2⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2968
                  • C:\ProgramData\ucp\usc.exe
                    "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
                    3⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2412
                    • C:\Windows\SysWOW64\SCHTASKS.exe
                      SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
                      4⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:2132
                • C:\Users\Admin\AppData\Roaming\sant.exe
                  C:\Users\Admin\AppData\Roaming\sant.exe
                  2⤵
                  • Executes dropped EXE
                  • Maps connected drives based on registry
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: MapViewOfSection
                  • Suspicious use of WriteProcessMemory
                  PID:2524
                  • C:\Windows\SysWOW64\explorer.exe
                    explorer.exe
                    3⤵
                    • Adds Run key to start application
                    • System Location Discovery: System Language Discovery
                    PID:2960
                • C:\Users\Admin\AppData\Roaming\power.exe
                  C:\Users\Admin\AppData\Roaming\power.exe
                  2⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2740
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2844
              • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
                C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
                1⤵
                • Executes dropped EXE
                • Modifies data under HKEY_USERS
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1720
                • C:\Windows\TEMP\foxcon.exe
                  "C:\Windows\TEMP\foxcon.exe"
                  2⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1832

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp

                Filesize

                1KB

                MD5

                a8d620bcf866b5a473abdcb18b30c769

                SHA1

                e5bde9fcffea77be0d005b3e2296a27ff946bb95

                SHA256

                fb0868b9f0d5b96a39c730152bcb87d1713e3501a004b536ebdaaacffec519e6

                SHA512

                110efbec6ac714f880a81c34b670319e77b373f2c25bf1139d92b3c559de9ee654a96cbde9a0f4020c9a0cab96c6fbced229bb7370e72291be88f76b6ea2517e

              • C:\Users\Admin\AppData\Local\Temp\amdt1ql_.dll

                Filesize

                5KB

                MD5

                d7d412546c39a0e3e7a7bbbbb59ebf51

                SHA1

                28932fa100c4d4ab466fbf145cf184da77be05ef

                SHA256

                fe01f60083953daaaac3b8e95ed57c24feae91ef859a1aad2c69fa82901a90d5

                SHA512

                a0be4d94dcbff60c73b2270bfc8de43601b00e4b5f7c5583a63c4a0bb7dd092e40876e6f0cce68e182fdca534171734ad352eea98d239868381186b5a5f584c2

              • C:\Users\Admin\AppData\Local\Temp\amdt1ql_.pdb

                Filesize

                7KB

                MD5

                ffa390d33696133a400e5cfe2962550a

                SHA1

                138c1debac8899ea516252226846d8a6c717a91e

                SHA256

                8ab47fbab29711f9c60b152367ba6c138d2b77d6a93790e9a492a90d7647552c

                SHA512

                012d011e0d162563ca963d9ecd12bed69371e974f44fa36fffde9eba63bd94fa76e2fc4ec4890699cad94e60a9e069629a67b6a6705adc3ababa2e1ea16d2834

              • C:\Users\Admin\AppData\Roaming\ufx.exe

                Filesize

                960KB

                MD5

                22e088012519e1013c39a3828bda7498

                SHA1

                3a8a87cce3f6aff415ee39cf21738663c0610016

                SHA256

                9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

                SHA512

                5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

              • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\Newtonsoft.Json.dll

                Filesize

                487KB

                MD5

                0c33e2f116aaa66d0012a8376d82ce29

                SHA1

                81cd6b87a9f7b4a174138312986d682f464067f4

                SHA256

                9a19ef049430af9ac49ff719cbfb73dc6c6b0d0ef53914479dd282260771518b

                SHA512

                b19dceb47d943bcb40f185e232eb1a0f665f6b6107e6c83c0f0a1aa80013b2756c5a831f3413a4c57ca37f7ec4a95a173e1f3d67e49f1fff2071273acc538317

              • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\foxcon.exe

                Filesize

                15KB

                MD5

                7b07728b813d26228f10f6cdb7ac8471

                SHA1

                48418d83ac372c1398753f7a766076750a03a725

                SHA256

                7e5a9baf4d9ead35e1d9a3b3dda6ee05e670bd721500d82fbf08e1e8091fa911

                SHA512

                f8a1070d4a0297151c6d55e60bc953a985b82159920e5a6a3a40270f0ad7e06edb1815b6fed1313076f7f6bbf32155d22a5a0e605378525aa3a9055a2c7128aa

              • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

                Filesize

                27KB

                MD5

                63602f11993c01a4b36f42187a797128

                SHA1

                d6c761942dcb32190f924ea7490acc38865f7300

                SHA256

                2c926cd6c980ff89ced8de49a8d0e7fb7247f58b1face21a1e9883a58b822b84

                SHA512

                1a13649d6d5917d132f85cae9af206b1959578134db392afd6fec0c68ff1828c87daa2a537678ad1a83c0e273fed7f154f6f6f6f72102733fa6626bcd57ded0e

              • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

                Filesize

                80KB

                MD5

                51bf85f3bf56e628b52d61614192359d

                SHA1

                c1bc90be6a4beb67fb7b195707798106114ec332

                SHA256

                990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

                SHA512

                131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

              • \??\c:\Users\Admin\AppData\Local\Temp\CSC2CDA.tmp

                Filesize

                652B

                MD5

                20ca9632f3c8e21330b71057cf350cb3

                SHA1

                fb97e3942d21bf344478518a250edd181f3ae4ee

                SHA256

                18b41da1dba325cf14440bf3134ba0f39fd65fa991a938263396b9a155a1198b

                SHA512

                b604fae3cabf6c0385b0be1181a328016295840502f4622a9450a9e2f26a5096023e2db86b8ae478ef127a7805001444c5e761b70064fea52390e604ecc84415

              • \??\c:\Users\Admin\AppData\Local\Temp\amdt1ql_.0.cs

                Filesize

                4KB

                MD5

                a0d1b6f34f315b4d81d384b8ebcdeaa5

                SHA1

                794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

                SHA256

                0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

                SHA512

                0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

              • \??\c:\Users\Admin\AppData\Local\Temp\amdt1ql_.cmdline

                Filesize

                309B

                MD5

                89d5d03585d8e32115b7d283c7dbf9ce

                SHA1

                c08d89a1e2662a7f941cc3b83ff4796ff3176887

                SHA256

                8629ae58fea9d3bcc2397b6acbd0c0f31d038f40d454cb6efef64defa3132cf2

                SHA512

                c3cc3276061cf162266f58d453d4de78507ccf7b96e35e5925fe92ced7af9e7022fb5d2585343516b8ff5f11eeac533002e368b29e523b0ff908688e4ae0dd88

              • \ProgramData\ucp\usc.exe

                Filesize

                4.0MB

                MD5

                b100b373d645bf59b0487dbbda6c426d

                SHA1

                44a4ad2913f5f35408b8c16459dcce3f101bdcc7

                SHA256

                84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

                SHA512

                69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

              • \Users\Admin\AppData\Roaming\power.exe

                Filesize

                507KB

                MD5

                743f47ae7d09fce22d0a7c724461f7e3

                SHA1

                8e98dd1efb70749af72c57344aab409fb927394e

                SHA256

                1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

                SHA512

                567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

              • \Users\Admin\AppData\Roaming\sant.exe

                Filesize

                12KB

                MD5

                5effca91c3f1e9c87d364460097f8048

                SHA1

                28387c043ab6857aaa51865346046cf5dc4c7b49

                SHA256

                3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

                SHA512

                b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

              • \Users\Admin\AppData\Roaming\va.exe

                Filesize

                88KB

                MD5

                c084e736931c9e6656362b0ba971a628

                SHA1

                ef83b95fc645ad3a161a19ccef3224c72e5472bd

                SHA256

                3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

                SHA512

                cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

              • \Users\Admin\AppData\Roaming\yaya.exe

                Filesize

                1.7MB

                MD5

                7d05ab95cfe93d84bc5db006c789a47f

                SHA1

                aa4aa0189140670c618348f1baad877b8eca04a4

                SHA256

                5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

                SHA512

                40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

              • memory/1720-101-0x0000000019A20000-0x0000000019AA0000-memory.dmp

                Filesize

                512KB

              • memory/2256-16-0x0000000000400000-0x000000000041C000-memory.dmp

                Filesize

                112KB

              • memory/2268-87-0x00000000007C0000-0x00000000007C8000-memory.dmp

                Filesize

                32KB

              • memory/2404-42-0x0000000000310000-0x0000000000314000-memory.dmp

                Filesize

                16KB

              • memory/2404-43-0x0000000000310000-0x0000000000314000-memory.dmp

                Filesize

                16KB

              • memory/2524-49-0x0000000000030000-0x000000000003A000-memory.dmp

                Filesize

                40KB

              • memory/2524-45-0x0000000000400000-0x0000000000404000-memory.dmp

                Filesize

                16KB

              • memory/2524-108-0x0000000000030000-0x000000000003A000-memory.dmp

                Filesize

                40KB

              • memory/2524-110-0x0000000000400000-0x0000000000404000-memory.dmp

                Filesize

                16KB

              • memory/2612-60-0x0000000000400000-0x000000000047B000-memory.dmp

                Filesize

                492KB

              • memory/2740-102-0x0000000000400000-0x0000000000485000-memory.dmp

                Filesize

                532KB

              • memory/2740-122-0x0000000000400000-0x0000000000485000-memory.dmp

                Filesize

                532KB

              • memory/2960-103-0x0000000000270000-0x00000000004F1000-memory.dmp

                Filesize

                2.5MB

              • memory/2960-104-0x0000000000080000-0x000000000008A000-memory.dmp

                Filesize

                40KB

              • memory/2960-117-0x0000000000080000-0x000000000008A000-memory.dmp

                Filesize

                40KB

              • memory/2960-116-0x0000000000080000-0x000000000008A000-memory.dmp

                Filesize

                40KB