Analysis
  Max time kernel: 150s
  Max time network: 121s
  Platform: windows10-1703_x64
  Resource: win10-20220901-en
  Resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  Submitted: 17/11/2022, 08:05
  Static task: static1
  Behavioral task: behavioral1
    Sample: f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
    Resource: win10-20220901-en
General
  Target: f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
  Size: 163KB
  MD5: 7350dd116e35bf99e1d583f377f7e902
  SHA1: b4465d8f92d89d72db03017e7967bdbe1da99e60
  SHA256: f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b
  SHA512: 2c9bf321db5a83590cf5226d400d012a1a80271ed53b021aa8a80ff0096e62010ad47a117b1f28e3993e533b18b63da9983ab87cdfd7c4854184fde023039dfc
  SSDEEP: 3072:PjG40LroiYvot5pMtoi1Xtk3HDFzSrTWVYeuAnWFu+D:PkLE/vMMtosdkzFeyVD7nR
Malware Config
  Extracted family: systembc
  C2: 89.248.165.79:443
Signatures

Detects Smokeloader packer (1 IoC)
  resource                                                                      yara_rule
  behavioral1/memory/2652-155-0x0000000000720000-0x0000000000729000-memory.dmp  family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   Process
  4376  FEE2.exe
  720   oovht.exe

Deletes itself (1 IoC)
  pid   Process
  2056  Process not Found

Drops file in Windows directory (2 IoCs)
  description                   ioc                         Process
  File created                  C:\Windows\Tasks\oovht.job  FEE2.exe
  File opened for modification  C:\Windows\Tasks\oovht.job  FEE2.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                                entries
  2652  f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe  2
  2056  Process not Found                                                      62 (the remaining entries of the 64)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2056  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2652  f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        2056  Process not Found
  Token: SeCreatePagefilePrivilege  2056  Process not Found
  Token: SeShutdownPrivilege        2056  Process not Found
  Token: SeCreatePagefilePrivilege  2056  Process not Found

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process            procid_target
  PID 2056 wrote to memory of 4376  2056  Process not Found  66
  PID 2056 wrote to memory of 4376  2056  Process not Found  66
  PID 2056 wrote to memory of 4376  2056  Process not Found  66
Processes
(all three processes are listed at depth 1 of the process tree)

C:\Users\Admin\AppData\Local\Temp\f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe"
  PID: 2652
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\FEE2.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FEE2.exe
  PID: 4376
  - Executes dropped EXE
  - Drops file in Windows directory

C:\ProgramData\ksncv\oovht.exe
  Command line: C:\ProgramData\ksncv\oovht.exe start
  PID: 720
  - Executes dropped EXE
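The process tree and signatures above give a small set of behavioural indicators: a process from the user temp directory writing a legacy .job task file under C:\Windows\Tasks, a payload relaunched from %ProgramData%\<dir>\<name>.exe with a "start" argument, a read of the Enum\SCSI registry key (a common sandbox check), and the extracted SystemBC C2 89.248.165.79:443. The following script is an added example, not part of this sandbox report; it turns those indicators into matching rules and runs them over constructed endpoint telemetry modelled on the process tree. The event schema (type, pid, image, cmdline, target, dest_ip, dest_port, sha256) is an assumption for the example and not a real log format; the path patterns generalise the specific paths the report shows, and the attribution of the C2 connection to oovht.exe is constructed, since the report does not record which process made it.

```python
"""Added example (not part of the sandbox report): match the behavioural
IoCs from this report against endpoint telemetry. The event records and
the field names (type, pid, image, cmdline, target, dest_ip, dest_port,
sha256) are constructed for the example and are assumptions, not a real
log schema."""
import re

# Indicators taken from the report above
C2_IP, C2_PORT = "89.248.165.79", 443
SAMPLE_SHA256 = "f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b"
DROPPED_SHA256 = "5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32"
KNOWN_SHA256 = {
    SAMPLE_SHA256: "submitted sample (SmokeLoader)",
    DROPPED_SHA256: "dropped file (Downloads section)",
}

# Behavioural patterns generalised from the report's paths and process tree
JOB_FILE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SCSI_ENUM = re.compile(r"\\system\\controlset\d+\\enum\\scsi", re.I)


def check_event(ev):
    """Return (rule, detail) pairs that fire on one event; [] if nothing matches."""
    hits = []
    kind = ev.get("type")
    image = ev.get("image", "")
    if kind == "process":
        label = KNOWN_SHA256.get(ev.get("sha256", ""))
        if label:
            hits.append(("known_hash", label))
        # SystemBC-style relaunch: %ProgramData%\<dir>\<name>.exe started with "start"
        cmd = ev.get("cmdline", "").strip().lower()
        if PROGRAMDATA_EXE.match(image) and cmd.endswith(" start"):
            hits.append(("programdata_exe_start", image))
    elif kind == "file":
        # a process running from the user temp dir writing a legacy .job task file
        if JOB_FILE.match(ev.get("target", "")) and USER_TEMP.match(image):
            hits.append(("temp_exe_writes_tasks_job", ev["target"]))
    elif kind == "network":
        if ev.get("dest_ip") == C2_IP and ev.get("dest_port") == C2_PORT:
            hits.append(("systembc_c2", f"{C2_IP}:{C2_PORT}"))
    elif kind == "registry":
        # Enum\SCSI reads are common for legitimate software; only flag them
        # when the reader runs from a user temp directory, as the sample does
        if SCSI_ENUM.search(ev.get("target", "")) and USER_TEMP.match(image):
            hits.append(("scsi_enum_sandbox_check", ev["target"]))
    return hits


def scan(events):
    """Run check_event over every event; returns (pid, rule, detail) triples."""
    return [(ev["pid"], rule, detail)
            for ev in events for rule, detail in check_event(ev)]


# Constructed telemetry modelled on the report's process tree (not real logs)
SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\f4fae06b0c73cef55ecba926edff5350e95fc54cbd81f0d81edde68a69c71c1b.exe"
DROPPER_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\FEE2.exe"
PAYLOAD_IMAGE = r"C:\ProgramData\ksncv\oovht.exe"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2652, "image": SAMPLE_IMAGE,
     "cmdline": f'"{SAMPLE_IMAGE}"', "sha256": SAMPLE_SHA256},
    {"type": "registry", "pid": 2652, "image": SAMPLE_IMAGE,
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"type": "process", "pid": 4376, "image": DROPPER_IMAGE,
     "cmdline": DROPPER_IMAGE, "sha256": DROPPED_SHA256},
    {"type": "file", "pid": 4376, "image": DROPPER_IMAGE,
     "target": r"C:\Windows\Tasks\oovht.job"},
    {"type": "process", "pid": 720, "image": PAYLOAD_IMAGE,
     "cmdline": PAYLOAD_IMAGE + " start"},
    # constructed: the report does not say which process contacted the C2
    {"type": "network", "pid": 720, "image": PAYLOAD_IMAGE,
     "dest_ip": "89.248.165.79", "dest_port": 443},
    # benign noise that must not fire: a Program Files tool with a "start"
    # argument, and the same tool reading Enum\SCSI
    {"type": "process", "pid": 1234, "image": r"C:\Program Files\Tool\tool.exe",
     "cmdline": r"C:\Program Files\Tool\tool.exe start", "sha256": "00" * 32},
    {"type": "registry", "pid": 1234, "image": r"C:\Program Files\Tool\tool.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, scan() fires six times on the three malicious PIDs and nothing on PID 1234; the SCSI rule is deliberately scoped to temp-directory processes because hardware enumeration alone is far too noisy to alert on.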
Network
MITRE ATT&CK Enterprise v6
Downloads
(listed four times in the report, each entry with identical hashes)

  Filesize: 163KB
  MD5: ede4e0e4f4547b54a24a170161ae4542
  SHA1: 7b15b83ebd70c52302e0dea0dea0404026298713
  SHA256: 5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32
  SHA512: d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4