Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20250217-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/03/2025, 01:45
Static task: static1
Behavioral task: behavioral1
- Sample: c127879c5fa90526ba316c4bffd85427.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: c127879c5fa90526ba316c4bffd85427.exe
- Resource: win10v2004-20250217-en
General
- Target: c127879c5fa90526ba316c4bffd85427.exe
- Size: 10.0MB
- MD5: c127879c5fa90526ba316c4bffd85427
- SHA1: 3842cfd9949c83a4783bf8bc48ed5e6d629033bb
- SHA256: 808ea5f3c49d50f3ea6daeb52a6a5923c80c8a361a25048275077b12417c461b
- SHA512: 051abfcf0a325885c201a1a0e6e936d31b35d36838a585cadc7f6a29a23ac8bfb883b2e56c6960824b3143b78da17bf711b48a9ab3b997edf3e6f306301ceb5f
- SSDEEP: 49152:qq/f3J6UdlWunpHC2npAadqn3/FJovlO:q+cTMHC2npAao32
Malware Config
Extracted
- Family: raccoon
- eee94d533c0441c732ed7e18e494bdc6
- http://45.15.156.16/
- http://82.115.223.5/
- http://82.115.223.6/
- http://45.15.156.17/
- http://82.115.223.7/
- user_agent: mozzzzzzzzzzz
Extracted
- Family: smokeloader
- x0x4
Signatures
- Raccoon family
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Smokeloader family
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | c127879c5fa90526ba316c4bffd85427.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
  4496 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 4588 set thread context of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 1340 set thread context of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c127879c5fa90526ba316c4bffd85427.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c127879c5fa90526ba316c4bffd85427.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  4236 | powershell.exe
  4236 | powershell.exe
  2376 | powershell.exe
  2376 | powershell.exe
  4576 | powershell.exe
  4576 | powershell.exe
  2008 | powershell.exe
  2008 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4236 | powershell.exe
  Token: SeDebugPrivilege | 4588 | c127879c5fa90526ba316c4bffd85427.exe
  Token: SeDebugPrivilege | 2376 | powershell.exe
  Token: SeDebugPrivilege | 4576 | powershell.exe
  Token: SeDebugPrivilege | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
  Token: SeDebugPrivilege | 2008 | powershell.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 4588 wrote to memory of 4236 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 88
  PID 4588 wrote to memory of 4236 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 88
  PID 4588 wrote to memory of 4236 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 88
  PID 4588 wrote to memory of 2376 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 102
  PID 4588 wrote to memory of 2376 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 102
  PID 4588 wrote to memory of 2376 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 102
  PID 4588 wrote to memory of 1340 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 109
  PID 4588 wrote to memory of 1340 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 109
  PID 4588 wrote to memory of 1340 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 109
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 4588 wrote to memory of 3912 | 4588 | c127879c5fa90526ba316c4bffd85427.exe | 110
  PID 1340 wrote to memory of 4576 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 111
  PID 1340 wrote to memory of 4576 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 111
  PID 1340 wrote to memory of 4576 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 111
  PID 1340 wrote to memory of 2008 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 114
  PID 1340 wrote to memory of 2008 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 114
  PID 1340 wrote to memory of 2008 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 114
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
  PID 1340 wrote to memory of 4496 | 1340 | Ifiopyrxmbmpmdubjnjdmx0x4_2.exe | 116
Processes
- C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe (depth 1, PID: 4588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID: 4236)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
    The -enc argument is base64 of a UTF-16LE string; it decodes to: Start-Sleep -Seconds 34
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2, PID: 2376)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
    The -enc argument decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' (adds the whole C: drive as a Windows Defender exclusion)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe (depth 2, PID: 1340)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID: 4576)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA0AA==
      The -enc argument decodes to: Start-Sleep -Seconds 34
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID: 2008)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      The -enc argument decodes to: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe (depth 3, PID: 4496)
      Command line: C:\Users\Admin\AppData\Local\Temp\Ifiopyrxmbmpmdubjnjdmx0x4_2.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
  - C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe (depth 2, PID: 3912)
    Command line: C:\Users\Admin\AppData\Local\Temp\c127879c5fa90526ba316c4bffd85427.exe
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads