Analysis
- max time kernel: 300s
- max time network: 184s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64 arch:x86 image:win10-20230220-en locale:en-us os:windows10-1703-x64 system
- submitted: 08-06-2023 04:31
Static task: static1
Behavioral task: behavioral1
  Sample: 2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe
  Resource: win10-20230220-en
General
- Target: 2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe
- Size: 205KB
- MD5: 3a66a27b79651f7c45a136a08a44a571
- SHA1: 2c5ef7ea40a7f24c559818e25a166cacb9b0c6fa
- SHA256: 2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43
- SHA512: 26478e3bace13460bc2ef257eb9032c6c6f21f015b14e9c698c52f7208b9edf8c70edfaaebe08671dc675862df6a29238e14636a27e2ee06523453c6208da5d6
- SSDEEP: 3072:VVsJbQ1aKw4eML540EeACDTF8K7BlXk1OahFdkogWTKb0IjMa09irQn+:+c1aXQ40Wgx80w/aV4a0Gz
Malware Config
Extracted
  Family: smokeloader
  Version: up3
Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://host-file-host6.com/
    http://host-host-file8.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 3176
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1920 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe) set thread context of PID 2052 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2052 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe), 2 entries
    pid 3176, 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3176
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 2052 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeShutdownPrivilege, pid 3176
    Token: SeCreatePagefilePrivilege, pid 3176
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1920 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe) wrote to memory of PID 2052 (2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe), 6 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2e229f0a4035b58e6c24c519e93f56a9aad7af92405c8604e5e8cb1d23174f43.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1920-123-0x0000000000750000-0x0000000000759000-memory.dmp (Filesize: 36KB)
- memory/2052-122-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2052-124-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2052-126-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3176-125-0x0000000001090000-0x00000000010A6000-memory.dmp (Filesize: 88KB)