Overview
overview
10Static
static
c8c2f5565b...24.exe
windows7_x64
10c8c2f5565b...24.exe
windows7_x64
10c8c2f5565b...24.exe
windows7_x64
10c8c2f5565b...24.exe
windows11_x64
10c8c2f5565b...24.exe
windows10_x64
10c8c2f5565b...24.exe
windows10_x64
10c8c2f5565b...24.exe
windows10_x64
10c8c2f5565b...24.exe
windows10_x64
10Analysis
-
max time kernel
601s -
max time network
398s -
platform
windows7_x64 -
resource
win7-de-20210920 -
submitted
26-09-2021 14:45
Static task
static1
Behavioral task
behavioral1
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win7-ja-20210920
windows7_x64
Behavioral task
behavioral2
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral3
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win7-de-20210920
windows7_x64
Behavioral task
behavioral4
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win11
windows11_x64
Behavioral task
behavioral5
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral6
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win10-ja-20210920
windows10_x64
Behavioral task
behavioral7
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral8
Sample
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
Resource
win10-de-20210920
windows10_x64
General
-
Target
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe
-
Size
139KB
-
MD5
3e201fc20a90e669990e2994d2114b83
-
SHA1
24bfc9636c793e7ceb309b08e319b2d925a080bd
-
SHA256
c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24
-
SHA512
4dae9203c1003ca32600d153d7a9f08fa3c50d7c665ee81d4d7608d8f47354e48493d4bb39af2a3259c7882ca0ba38f4db52033b0df3ddf4321cb7118b228591
Malware Config
Extracted
smokeloader
2020
http://naghenrietti1.top/
http://kimballiett2.top/
http://xadriettany3.top/
http://jebeccallis4.top/
http://nityanneron5.top/
http://umayaniela6.top/
http://lynettaram7.top/
http://sadineyalas8.top/
http://geenaldencia9.top/
http://aradysiusep10.top/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 2 IoCs
pid Process 1400 rrbfjwh 1632 rrbfjwh -
Deletes itself 1 IoCs
pid Process 1228 Process not Found -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1592 set thread context of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1400 set thread context of 1632 1400 rrbfjwh 33 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rrbfjwh Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rrbfjwh Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rrbfjwh -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 956 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 956 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1228 Process not Found -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 956 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 1632 rrbfjwh -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 1228 Process not Found Token: SeShutdownPrivilege 1228 Process not Found -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found 1228 Process not Found -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1592 wrote to memory of 956 1592 c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe 28 PID 1992 wrote to memory of 1400 1992 taskeng.exe 32 PID 1992 wrote to memory of 1400 1992 taskeng.exe 32 PID 1992 wrote to memory of 1400 1992 taskeng.exe 32 PID 1992 wrote to memory of 1400 1992 taskeng.exe 32 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1400 wrote to memory of 1632 1400 rrbfjwh 33 PID 1904 wrote to memory of 1384 1904 taskeng.exe 36 PID 1904 wrote to memory of 1384 1904 taskeng.exe 36 PID 1904 wrote to memory of 1384 1904 taskeng.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"C:\Users\Admin\AppData\Local\Temp\c8c2f5565b13fbb60b89d11b7e71a03666c3afb2246b87e633cac8023bec0b24.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:956
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {4C70E113-7879-45EF-9F8A-8DDCEDC99E1E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Roaming\rrbfjwhC:\Users\Admin\AppData\Roaming\rrbfjwh2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Users\Admin\AppData\Roaming\rrbfjwhC:\Users\Admin\AppData\Roaming\rrbfjwh3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1632
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {16492704-EB3D-4162-A770-77DAA80EC853} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:316
-
C:\Windows\system32\taskeng.exetaskeng.exe {DA89C77D-6D9A-4B6B-A16E-50B3C3237678} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵PID:1384
-