Analysis

  • max time kernel
    124s
  • max time network
    210s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20-12-2024 03:27

General

  • Target

    http://spotcarservice.ru/fdjskf88cvt/yumba/putty.exe

Malware Config

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 37 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://spotcarservice.ru/fdjskf88cvt/yumba/putty.exe
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x1fc,0x200,0x224,0x1f8,0x228,0x7ffc8a12cc40,0x7ffc8a12cc4c,0x7ffc8a12cc58
      2⤵
      PID:3608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1936 /prefetch:2
      2⤵
      PID:2024
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1780,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2052 /prefetch:3
      2⤵
      PID:3348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2608 /prefetch:8
      2⤵
      PID:3372
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3044,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3064 /prefetch:1
      2⤵
      PID:1824
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3048,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3280 /prefetch:1
      2⤵
      PID:4660
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4948 /prefetch:8
      2⤵
      PID:5044
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5092,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5152 /prefetch:8
      2⤵
      PID:1524
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5140,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5160 /prefetch:8
      2⤵
      PID:4472
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5376,i,9735739856473530297,15021509533063897986,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5340 /prefetch:8
      2⤵
      PID:2588
    • C:\Users\Admin\Downloads\putty.exe
      "C:\Users\Admin\Downloads\putty.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks SCSI registry key(s)
      PID:2696
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 388
        3⤵
        • Program crash
        PID:4780
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:1128
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:3688
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2696 -ip 2696
    1⤵
    PID:3292

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                              Filesize

                              649B

                              MD5

                              3b464978b57587f31fa7eed509b48054

                              SHA1

                              eaabb527495b80718b8fc67536bac7f1ba68266b

                              SHA256

                              92c5e476b6c0f8a18dddd4eaa5874cfe4de79a5e7cd6486f0c697e2a6a4e2feb

                              SHA512

                              75dbfc848b5a8bb76183b5c4e8d198110680407bba1363ec7694f22bba399679b3ec2228cd1ea054828e21eeff1d711e4d7b6269ec5752842011d1ac8bb67ca3

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

                              Filesize

                              240KB

                              MD5

                              3bbac642557b0ab934addbac0594561c

                              SHA1

                              0787a06f1fff51bdfdb129186df44e73d8c7d5de

                              SHA256

                              bc887fcd6805824ac58a107917c6d083056d688eef39e979da25d16eb388e798

                              SHA512

                              c91cbc77b3a67f65082f5d8187f237b9de0a6aaf1cbfb7bbd0e3157d2b8815f55a6ed71d6bda88941daed67ad6f0ee9a9e98149f11b053f81a462e17f7145730

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                              Filesize

                              1KB

                              MD5

                              925b52a3b52dc4b1381b95de0279ca45

                              SHA1

                              6f4cdb317fe4c05031939912932ee5a19a8d6f57

                              SHA256

                              3e915889d551ec3649738e3780fe60342b850325827d8d0c02ea3ba3a3104daf

                              SHA512

                              5d951beb33eed793c6dedd25f643a0248097a5c61823d7da6ef1bb1ef2966023953b217fcee9a9ab14194e399b457c63cb50b3b6906a52e69106597280e721d0

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              f7edfabc1f211b283e99735346114218

                              SHA1

                              14b9a004b3474083c1e76ab4872ae6ac807e17a9

                              SHA256

                              b0b8c594ca67f6ef3cbee26b94d26ff3bdefa3b7579c98b7bdf7c551caf5abc1

                              SHA512

                              1818ea4d6711013b22c6e0cc0480e55829630b061cc9cc4120915920dd71e3e86c3ea54b9fdc524363975689212ce44ec4df143c252abfafb338828be8eaa140

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              e4e341757dcb690eaab9522d36cc37bf

                              SHA1

                              83b686400436564177cf1ff4cfa8b149669a618f

                              SHA256

                              8a5cdb124ab8124a49f0abc72eeffb2e150d3727d7aa75e836a90114e5f553dc

                              SHA512

                              7d4766f9ae0b7e5076b5466147371d811a0b36febef0bab6200c0c2a97d5c84d82b9668a612265dff5bed9af5a208038def568f8a633a34fb76229c3e6ff9f1c

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              9b256aa61cff43d9f7753cf025550d44

                              SHA1

                              ac896df6e1164bac939df6366097ec2048008c8f

                              SHA256

                              c66ece2dd80288f562234319ed87a2a8718814b01bb919f39aba42718783ecfb

                              SHA512

                              08441822fdf38de3646a59fda518e3b841fc19fdee3352f2952a1e3df84116443e7bf9bd3ffba3db708bd13f13d13e936bd7b590ccb83dafd2079b9ebe6de2ab

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

                              Filesize

                              264KB

                              MD5

                              b2da8f89594d4100c11f5718699e49aa

                              SHA1

                              88f5bfa5b20a4b3c24e31146c9fa9950c4e688c8

                              SHA256

                              bcd4ea9648130a558833bb293ae635638ce9459fb111fe60b6a44353ba6d8a9b

                              SHA512

                              087e4e0684a72ecffbec9c1f203b52eefd64d5c0c0625af44aa0741719cb9d0032f5a6835120e63d61647515e7c92dd085c11fc826484ff583837475f4b0d1cb

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              118KB

                              MD5

                              95f8a936913d71fb1f67fa51c6161bc5

                              SHA1

                              f5ff1c07dc45905e1b3afa33af0225c7dbe01c7d

                              SHA256

                              00d1cedb498231a9448db025a1ef04f7908e4918226b6878cc93de95b6c2a21c

                              SHA512

                              4ded1ee059faba8cd33de947e9869359e6b6e3876d46aa24e62618867c333df5c4f4314bd3a5635d7078e2e9da12be369c67129e9fbd195c9242305be674289e

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              118KB

                              MD5

                              d2edac1d82c5c0d09bcb293bf458fca1

                              SHA1

                              6e154e0c914af8ed77ed42eb5969d822ff04e8d0

                              SHA256

                              9f39fa1848c724f7cdd874011bcf082157cedb5624702aac5b9e0fbf54c7214a

                              SHA512

                              630cd7eb11c483161637fdd410cb7beeec0ebe3af581dc0cec3770855afa8a1b586a91233562e46167440d14a68e8a2320e0236655be1a457bca1c42f27e2120

                            • memory/2696-72-0x00000000001F0000-0x00000000001FB000-memory.dmp

                              Filesize

                              44KB

                            • memory/2696-76-0x0000000000400000-0x000000000040B000-memory.dmp

                              Filesize

                              44KB

                            • memory/2696-75-0x00000000001F0000-0x00000000001FB000-memory.dmp

                              Filesize

                              44KB

                            • memory/2696-74-0x0000000000400000-0x0000000000815000-memory.dmp

                              Filesize

                              4.1MB

                            • memory/2696-73-0x0000000000400000-0x000000000040B000-memory.dmp

                              Filesize

                              44KB

                            • memory/2696-71-0x00000000009F0000-0x0000000000AF0000-memory.dmp

                              Filesize

                              1024KB