Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/05/2025, 04:56

General

  • Target

    HYDRA.exe

  • Size

    2.6MB

  • MD5

    c52bc39684c52886712971a92f339b23

  • SHA1

    c5cb39850affb7ed322bfb0a4900e17c54f95a11

  • SHA256

    f8c17cb375e8ccad5b0e33dae65694a1bd628f91cac6cf65dd11f50e91130c2d

  • SHA512

    2d50c1aa6ca237b9dbe97f000a082a223618f2164c8ab42ace9f4e142c318b2fc53e91a476dbe9c2dd459942b61507df5c551bd5c692a2b2a2037e4f6bd2a12b

  • SSDEEP

    49152:HnUXzRe4cjAx+L/G/3JHQZutOnmSzZniyui0EJHezdcc/DK9kTO1S:HUD8djA0LOvJdtOmSlniyuiPFePmS61S

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://92.53.105.14/

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Smokeloader family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HYDRA.exe
    "C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Roaming\yaya.exe
      C:\Users\Admin\AppData\Roaming\yaya.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1464
      • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
        "C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3544
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a0wwfqpx.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5112
          • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1CE.tmp"
            5⤵
            PID:32
      • C:\Users\Admin\AppData\Roaming\va.exe
        C:\Users\Admin\AppData\Roaming\va.exe
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4660
      • C:\Users\Admin\AppData\Roaming\ufx.exe
        C:\Users\Admin\AppData\Roaming\ufx.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4516
        • C:\ProgramData\ucp\usc.exe
          "C:\ProgramData\ucp\usc.exe" /ucp/usc.exe
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\SCHTASKS.exe
            SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3052
      • C:\Users\Admin\AppData\Roaming\sant.exe
        C:\Users\Admin\AppData\Roaming\sant.exe
        2⤵
        • Executes dropped EXE
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          3⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:1736
      • C:\Users\Admin\AppData\Roaming\power.exe
        C:\Users\Admin\AppData\Roaming\power.exe
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1824
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\hjdivuia\jhschjsa.exe
      1⤵
      PID:2520

            MITRE ATT&CK Enterprise v16

            Downloads

            • C:\ProgramData\ucp\usc.exe

              Filesize

              4.0MB

              MD5

              b100b373d645bf59b0487dbbda6c426d

              SHA1

              44a4ad2913f5f35408b8c16459dcce3f101bdcc7

              SHA256

              84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7

              SHA512

              69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

            • C:\Users\Admin\AppData\Local\Temp\RESA1CF.tmp

              Filesize

              1KB

              MD5

              7b6d16fac5a8fe392b7d4aef5dd143d7

              SHA1

              64d86deee5ce98453a6ed058c38630344c8cf4f7

              SHA256

              c025e14b76b64ab45616f3283ec5184c73e776d8b8eac239cf8f560422ca8bcf

              SHA512

              d1b790e0baa1b3a15f38946a76c94a9216188e7cc8e065c8c4dec9c3a1e99f714a3413284c37e81fdbb3972f5fa270adc280cf7e7f18ccae73d5f389b7243b71

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjimd5v1.f1x.ps1

              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            • C:\Users\Admin\AppData\Local\Temp\a0wwfqpx.dll

              Filesize

              5KB

              MD5

              73ce130d9a74e449038e6dbbf5816c14

              SHA1

              9877133e4942e032cc83d05b61cf806b43526bab

              SHA256

              55a84a3dd2239cf4ac5723e569ee3b4bf7dc038c13e88d51260445b2fee25cfd

              SHA512

              4a562da5de75b07e9cbbfa86254b7623fd24803b511e32c5c0ec45f40fec0bffea75f2245e70010332cf516def16795de2302d1a7e27a908ee3220cc808bc77d

            • C:\Users\Admin\AppData\Local\Temp\a0wwfqpx.pdb

              Filesize

              7KB

              MD5

              b3b271f63a7d31428e45226908321ae1

              SHA1

              0a5d7164fbb109d41be1d75e8148e74c16cf5b61

              SHA256

              7fecb8195b3a24193610a56e60c0a32939f2cd9b8aff6608756080c792cf663a

              SHA512

              da4b0c652fee8d124920f3c5dcc74b7557170dfc1df8f6c4ed6e445e69fb2f152a75dabbd48db91b040110213c4dd5bc69549427ca596e686d772ce045c93d93

            • C:\Users\Admin\AppData\Roaming\power.exe

              Filesize

              507KB

              MD5

              743f47ae7d09fce22d0a7c724461f7e3

              SHA1

              8e98dd1efb70749af72c57344aab409fb927394e

              SHA256

              1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465

              SHA512

              567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

            • C:\Users\Admin\AppData\Roaming\sant.exe

              Filesize

              12KB

              MD5

              5effca91c3f1e9c87d364460097f8048

              SHA1

              28387c043ab6857aaa51865346046cf5dc4c7b49

              SHA256

              3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907

              SHA512

              b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

            • C:\Users\Admin\AppData\Roaming\ufx.exe

              Filesize

              960KB

              MD5

              22e088012519e1013c39a3828bda7498

              SHA1

              3a8a87cce3f6aff415ee39cf21738663c0610016

              SHA256

              9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973

              SHA512

              5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

            • C:\Users\Admin\AppData\Roaming\va.exe

              Filesize

              88KB

              MD5

              c084e736931c9e6656362b0ba971a628

              SHA1

              ef83b95fc645ad3a161a19ccef3224c72e5472bd

              SHA256

              3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1

              SHA512

              cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

            • C:\Users\Admin\AppData\Roaming\yaya.exe

              Filesize

              1.7MB

              MD5

              7d05ab95cfe93d84bc5db006c789a47f

              SHA1

              aa4aa0189140670c618348f1baad877b8eca04a4

              SHA256

              5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f

              SHA512

              40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

            • C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

              Filesize

              80KB

              MD5

              51bf85f3bf56e628b52d61614192359d

              SHA1

              c1bc90be6a4beb67fb7b195707798106114ec332

              SHA256

              990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446

              SHA512

              131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

            • \??\c:\Users\Admin\AppData\Local\Temp\CSCA1CE.tmp

              Filesize

              652B

              MD5

              bbb5097f16e42b4f2fdb89fcbcd2a5d9

              SHA1

              f308f42016d4d77fd6b8e961fd617eb324a5e73d

              SHA256

              5d5e94728bd68d4ff904bac388422ec3f5dee42aa0fa27da0a44066ac5187380

              SHA512

              4d6c7f8331528b93368f61dccad45eb26a8bc5f7bd3bed9844611f56b9b4b049bd80bd7f77a4090e7d8dd3475170ebf3026dc38b90f0a0e32cbfed1d88845b9c

            • \??\c:\Users\Admin\AppData\Local\Temp\a0wwfqpx.0.cs

              Filesize

              4KB

              MD5

              a0d1b6f34f315b4d81d384b8ebcdeaa5

              SHA1

              794c1ff4f2a28e0c631a783846ecfffdd4c7ae09

              SHA256

              0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0

              SHA512

              0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

            • \??\c:\Users\Admin\AppData\Local\Temp\a0wwfqpx.cmdline

              Filesize

              309B

              MD5

              eb63509c646830b0da4cfda7ee99f006

              SHA1

              7589bec13650b35ade6cb70c046928bc68472e6f

              SHA256

              45a69a8fb6e40271903d9d76102b78e8fc82df1d5b7cce16cf2325f733bddec1

              SHA512

              3443f0458b2fd458c8512fe2a796a9ee0fbb1a13c0bead2f005ef5d2bac3418df2c546770f833a2d6695a3b83575acee26920ffba4c4b14fd77a39b94b8190a4

            • memory/1464-55-0x0000000000400000-0x000000000047B000-memory.dmp

              Filesize

              492KB

            • memory/1736-80-0x0000000000130000-0x0000000000563000-memory.dmp

              Filesize

              4.2MB

            • memory/1736-81-0x0000000000130000-0x0000000000563000-memory.dmp

              Filesize

              4.2MB

            • memory/1736-82-0x0000000000B70000-0x0000000000B7A000-memory.dmp

              Filesize

              40KB

            • memory/1736-89-0x0000000000B70000-0x0000000000B7A000-memory.dmp

              Filesize

              40KB

            • memory/1736-91-0x0000000000B70000-0x0000000000B7A000-memory.dmp

              Filesize

              40KB

            • memory/1824-101-0x0000000005B50000-0x0000000006178000-memory.dmp

              Filesize

              6.2MB

            • memory/1824-116-0x0000000006890000-0x00000000068DC000-memory.dmp

              Filesize

              304KB

            • memory/1824-115-0x0000000006860000-0x000000000687E000-memory.dmp

              Filesize

              120KB

            • memory/1824-120-0x0000000007BE0000-0x0000000007BFA000-memory.dmp

              Filesize

              104KB

            • memory/1824-104-0x0000000006230000-0x0000000006296000-memory.dmp

              Filesize

              408KB

            • memory/1824-103-0x0000000005AB0000-0x0000000005B16000-memory.dmp

              Filesize

              408KB

            • memory/1824-102-0x0000000005990000-0x00000000059B2000-memory.dmp

              Filesize

              136KB

            • memory/1824-114-0x0000000006400000-0x0000000006754000-memory.dmp

              Filesize

              3.3MB

            • memory/1824-119-0x0000000008240000-0x00000000088BA000-memory.dmp

              Filesize

              6.5MB

            • memory/1824-118-0x0000000007B40000-0x0000000007BB6000-memory.dmp

              Filesize

              472KB

            • memory/1824-117-0x0000000006DA0000-0x0000000006DE4000-memory.dmp

              Filesize

              272KB

            • memory/1824-100-0x0000000002F00000-0x0000000002F36000-memory.dmp

              Filesize

              216KB

            • memory/2328-99-0x0000000000400000-0x0000000000485000-memory.dmp

              Filesize

              532KB

            • memory/2328-78-0x0000000000400000-0x0000000000485000-memory.dmp

              Filesize

              532KB

            • memory/3544-74-0x000000001BA80000-0x000000001BA88000-memory.dmp

              Filesize

              32KB

            • memory/3544-58-0x000000001B450000-0x000000001B91E000-memory.dmp

              Filesize

              4.8MB

            • memory/3544-59-0x000000001B9C0000-0x000000001BA5C000-memory.dmp

              Filesize

              624KB

            • memory/3544-60-0x000000001BA60000-0x000000001BA68000-memory.dmp

              Filesize

              32KB

            • memory/3688-24-0x00000000001E0000-0x00000000001EA000-memory.dmp

              Filesize

              40KB

            • memory/3688-17-0x0000000000400000-0x0000000000404000-memory.dmp

              Filesize

              16KB

            • memory/3688-21-0x00000000001E0000-0x00000000001EA000-memory.dmp

              Filesize

              40KB

            • memory/3688-94-0x0000000000400000-0x0000000000404000-memory.dmp

              Filesize

              16KB

            • memory/3688-92-0x00000000001E0000-0x00000000001EA000-memory.dmp

              Filesize

              40KB

            • memory/3688-79-0x00000000001E0000-0x00000000001EA000-memory.dmp

              Filesize

              40KB

            • memory/4660-20-0x0000000000400000-0x000000000041C000-memory.dmp

              Filesize

              112KB