Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-03-2023 21:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: 0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
- Resource: win10v2004-20230221-en
General
- Target: 0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
- Size: 264KB
- MD5: 603e1c4b337563620dd3b0873efd2242
- SHA1: f334f318213431b357aa7fab4a869f0d300ac079
- SHA256: 0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7
- SHA512: e2791bd7c7476ecdad9d123274abf55bae7b88fb099fc7b6f438f6abfca415ed77719d908b748341034be7f74da789943e6906513ae96493d460301cb4099d4d
- SSDEEP: 3072:E3zCCRHyE0rYUXLHYLZ3zG9G6xHtPnBvsM+xUDzFQz1LlL5kYYCU3wsUf:EDz5yERUXL4Yzf2VkZ2oY
Malware Config
Extracted
smokeloader
lab
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  2952  uehdgra
  3116  uehdgra
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                           pid   process                                                                   target process
  PID 2148 set thread context of 440    2148  0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe  0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  PID 2952 set thread context of 3116   2952  uehdgra                                                                   uehdgra
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description      ioc                                                process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   uehdgra
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   uehdgra
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   uehdgra
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  440   0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe   (2 entries)
  3164  (no process name recorded)                                                (62 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  3164  (no process name recorded)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
  pid   process
  440   0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  3116  uehdgra
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description                         pid   process
  Token: SeShutdownPrivilege          3164  (no process name recorded)
  Token: SeCreatePagefilePrivilege    3164  (no process name recorded)
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                          pid   process                                                                   target process                                                            entries
  PID 2148 wrote to memory of 440      2148  0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe  0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe  6
  PID 2952 wrote to memory of 3116     2952  uehdgra                                                                   uehdgra                                                                   6
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Local\Temp\0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
-
Level 1: C:\Users\Admin\AppData\Roaming\uehdgra
  Command line: C:\Users\Admin\AppData\Roaming\uehdgra
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
-
  Level 2: C:\Users\Admin\AppData\Roaming\uehdgra
    Command line: C:\Users\Admin\AppData\Roaming\uehdgra
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\uehdgra
  Filesize: 264KB
  MD5: 603e1c4b337563620dd3b0873efd2242
  SHA1: f334f318213431b357aa7fab4a869f0d300ac079
  SHA256: 0efe59a8f13a80ac3ee5c71b2282972bd42d9e609afbff88d9bf8b9092743bd7
  SHA512: e2791bd7c7476ecdad9d123274abf55bae7b88fb099fc7b6f438f6abfca415ed77719d908b748341034be7f74da789943e6906513ae96493d460301cb4099d4d
-
memory/440-134-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/440-136-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/440-138-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/2148-135-0x0000000000860000-0x0000000000869000-memory.dmp
  Filesize: 36KB
-
memory/3116-150-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/3116-152-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
-
memory/3164-137-0x0000000001120000-0x0000000001136000-memory.dmp
  Filesize: 88KB
-
memory/3164-151-0x00000000010A0000-0x00000000010B6000-memory.dmp
  Filesize: 88KB