Analysis
- max time kernel: 152s
- max time network: 39s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-04-2022 04:34
Static task: static1
Behavioral task: behavioral1
- Sample: pub1.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: pub1.exe
- Resource: win10v2004-20220414-en
General
- Target: pub1.exe
- Size: 2.2MB
- MD5: c8e46fca61b2d62c65dee70726a3b3fc
- SHA1: c9dcb284c07d234955bad32c763d517a45ce7be1
- SHA256: e61172cff1b99c47459423990313f06169c2e25c2273036c54780fb8068a7f57
- SHA512: 93c08ac468b9feb2f672ca409b6b7fa2ee9b459e21133fdd96abcfb567a49f9eaf609cf339a68b81f9c260d9bbdaffc6e23f10ab639ab00e91238e4971ce74aa
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://hydroxychl0roquine.xyz/
- C2: https://hydroxychl0roquine.xyz/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description        ioc                                                               process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   pub1.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  pub1.exe
- Checks whether UAC is enabled
  Processes:
  description        ioc                                                                               process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  pub1.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid   process
  1692  pub1.exe
  1692  pub1.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub1.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub1.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  pub1.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   process
  1692  pub1.exe (4 entries)
  1312  (remaining entries; process name not captured in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid   process
  1692  pub1.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\pub1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pub1.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1312-65-0x00000000026B0000-0x00000000026C6000-memory.dmp (filesize 88KB)
- memory/1692-54-0x0000000075951000-0x0000000075953000-memory.dmp (filesize 8KB)
- memory/1692-55-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-56-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-57-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-58-0x0000000000190000-0x00000000001D3000-memory.dmp (filesize 268KB)
- memory/1692-59-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-60-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-61-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-62-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)
- memory/1692-63-0x00000000779E0000-0x0000000077B60000-memory.dmp (filesize 1.5MB)
- memory/1692-64-0x0000000000400000-0x00000000009C4000-memory.dmp (filesize 5.8MB)