Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-04-2023 18:18
Static task: static1
Behavioral task: behavioral1
Sample: 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
Resource: win10v2004-20230220-en
General
Target: 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
Size: 275KB
MD5: cd73c933d5d2e9198b39ce8c94be2162
SHA1: abca8c9ecc25ffc0472951031f0f362e59653fa5
SHA256: 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68
SHA512: d310c67c085ab352dddf37c134f76ac52b606161a5af500fd4fe7f220ce138132fc8e5724ad8db1e7398a5ac63bc80c96bd7d36a6beb1d3a24e020dc9ff96dcb
SSDEEP: 3072:osglgaVb7nykPOlg4z9uJS7Bio9GzbsQK/ZPYDKCK9feogTgB50gb2J0nD:4glkPOldMJSVjUzbpEPYDDKALhgb2a
Malware Config
Extracted: smokeloader
  pub1
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Executes dropped EXE (2 IoCs)
  pid  | Process
  4080 | bcdjrbe
  3664 | bcdjrbe

Suspicious use of SetThreadContext (2 IoCs)
  description                         | pid  | Process                                                              | procid_target
  PID 4636 set thread context of 2328 | 4636 | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe | 84
  PID 4080 set thread context of 3664 | 4080 | bcdjrbe                                                              | 93

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description    | ioc                                              | Process
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bcdjrbe
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bcdjrbe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bcdjrbe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2328 | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe (2 entries)
  1264 | Process not Found (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  | Process
  1264 | Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid  | Process
  2328 | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
  3664 | bcdjrbe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                      | pid  | Process
  Token: SeShutdownPrivilege       | 1264 | Process not Found
  Token: SeCreatePagefilePrivilege | 1264 | Process not Found

Suspicious use of WriteProcessMemory (12 IoCs)
  description                      | pid  | Process                                                              | procid_target
  PID 4636 wrote to memory of 2328 | 4636 | 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe | 84 (6 entries)
  PID 4080 wrote to memory of 3664 | 4080 | bcdjrbe                                                              | 93 (6 entries)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe"
  PID: 4636
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68.exe"
    PID: 2328
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\bcdjrbe
  Command line: C:\Users\Admin\AppData\Roaming\bcdjrbe
  PID: 4080
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\bcdjrbe
    Command line: C:\Users\Admin\AppData\Roaming\bcdjrbe
    PID: 3664
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads (3 entries, all with identical hashes)
Filesize: 275KB
MD5: cd73c933d5d2e9198b39ce8c94be2162
SHA1: abca8c9ecc25ffc0472951031f0f362e59653fa5
SHA256: 65d0f98251d3fec8407452aea6c523f6cac7dd34d3bb141ddaec4a160d01dc68
SHA512: d310c67c085ab352dddf37c134f76ac52b606161a5af500fd4fe7f220ce138132fc8e5724ad8db1e7398a5ac63bc80c96bd7d36a6beb1d3a24e020dc9ff96dcb