Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
26/04/2023, 09:35 UTC
Static task
static1
Behavioral task
behavioral1
Sample
985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe
Resource
win10v2004-20230220-en
General
-
Target
985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe
-
Size
223KB
-
MD5
10a23e5e5c59b8d1470248a72be5faeb
-
SHA1
48cdf8db907f4efc039c477198b11d9541306395
-
SHA256
985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da
-
SHA512
c618b4d7c0c41629f0279e1d6c14f84908d2da6f3b8cd98be444757c1c12e236068604e55f81b3b05bbb2e2cc1cad0e3a88e586361a71dbce3e213061765a295
-
SSDEEP
3072:WIMolJB8OtFSTWZk9FRhKUMb4jYgQLRZiitUPX4q56lm22Td:LDUTWCiNqgTzt1oT
Malware Config
Extracted
smokeloader
pu10
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1816 set thread context of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3016 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 3016 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found 2512 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2512 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3016 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found Token: SeShutdownPrivilege 2512 Process not Found Token: SeCreatePagefilePrivilege 2512 Process not Found -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 PID 1816 wrote to memory of 3016 1816 985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe 83 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"C:\Users\Admin\AppData\Local\Temp\985e977864a3bf31e1953cf1de4465a3ce5eeafac9908598a730de1e9af1a1da.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3016
-
Network
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request73.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request42.220.44.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesthost-file-host6.comIN AResponsehost-file-host6.comIN A193.233.134.82
-
Remote address:193.233.134.82:80RequestPOST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://olttcqylat.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 201
Host: host-file-host6.com
ResponseHTTP/1.1 200 OK
Date: Wed, 26 Apr 2023 09:36:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
-
Remote address:8.8.8.8:53Requesthost-host-file8.comIN AResponse
-
Remote address:8.8.8.8:53Requesthost-host-file8.comIN AResponse
-
Remote address:8.8.8.8:53Requesthost-host-file8.comIN AResponse
-
Remote address:8.8.8.8:53Requesthost-host-file8.comIN AResponse
-
Remote address:8.8.8.8:53Request82.134.233.193.in-addr.arpaIN PTRResponse82.134.233.193.in-addr.arpaIN PTRhosted-bybenderrdp
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.8.109.52.in-addr.arpaIN PTRResponse
-
745 B 402 B 6 5
HTTP Request
POST http://host-file-host6.com/HTTP Response
200 -
260 B 5
-
322 B 7
-
322 B 7
-
322 B 7
-
260 B 5
-
322 B 7
-
260 B 5
-
260 B 5
-
260 B 5
-
208 B 4
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
73.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
42.220.44.20.in-addr.arpa
-
65 B 81 B 1 1
DNS Request
host-file-host6.com
DNS Response
193.233.134.82
-
260 B 260 B 4 4
DNS Request
host-host-file8.com
DNS Request
host-host-file8.com
DNS Request
host-host-file8.com
DNS Request
host-host-file8.com
-
73 B 107 B 1 1
DNS Request
82.134.233.193.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.8.109.52.in-addr.arpa