Analysis
- max time kernel: 293s
- max time network: 288s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2023 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
  Resource: win10-20230220-en
General
- Target: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
- Size: 281KB
- MD5: e28bb0c12be9480d98e49fce8cced7b6
- SHA1: e7f2fb2ebdcd1f416422ecfc9a2e3bdf4dc2e845
- SHA256: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c
- SHA512: a2edcf059ec2787c20940913c674e86e19047147c5574d129f6126d4e53c90be24526ac61f146bcab8d678f60ce4e9c017a11309921cd23642d501c9b2f78578
- SSDEEP: 3072:d5lYIMAbKnUtNBizA3DAbxk57Ei3LSmPI0DnMOC4YMA5ydszTgXl:2IMVUtrrl7BDnMf4HA0
Malware Config
Extracted
- Family: systembc
- C2: admex1955x.xyz:4044
- C2: servx2785x.xyz:4044
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes: wosi.exe, wosi.exe
    PID 1284  wosi.exe
    PID 1548  wosi.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe'\""  (process: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe)
    Key created      \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run  (process: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: wosi.exe
    PID 1284 (wosi.exe) set thread context of PID 1548 (wosi.exe)
- Drops file in Windows directory (1 IoC)
  Processes: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
    File created  C:\Windows\Tasks\jqmgixifdfaiapaecep.job  (process: 3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: wosi.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (process: wosi.exe)
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (process: wosi.exe)
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (process: wosi.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: wosi.exe
    PID 1548  wosi.exe
    PID 1548  wosi.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: taskeng.exe, wosi.exe
    PID 916 (taskeng.exe) wrote to memory of PID 1284 (wosi.exe)   (4 events)
    PID 1284 (wosi.exe) wrote to memory of PID 1548 (wosi.exe)     (7 events)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c8aec76ac1f6c07f332c3f9a80c4c3c93c5f809b58dfed8abdb6a644e13c57c.exe"
  - Adds Run key to start application
  - Drops file in Windows directory
- [depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3A17CC62-DE82-43CE-92E3-B8EC26B196E1} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\wosi.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\wosi.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\wosi.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\wosi.exe
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\wosi.exe
  Filesize: 281KB
  MD5: 9769c181ecef69544bbb2f974b8c0e10
  SHA1: 5d0f447f4ccc89d7d79c0565372195240cdfa25f
  SHA256: e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0
  SHA512: b3da8fea6ee5d6b67f55a4043f18d7325f1700c9f3dcb0e7cbf21f49ebdbb56b5a10a2d03153d0dfb1e8dc34db20cdea0236c448f2c361fadbabf9a6f59b4c7a
- memory/1284-83-0x00000000001D0000-0x00000000001D9000-memory.dmp
  Filesize: 36KB
- memory/1548-81-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/1548-80-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
- memory/1548-84-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/1548-86-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/2024-54-0x0000000000220000-0x0000000000235000-memory.dmp
  Filesize: 84KB
- memory/2024-55-0x0000000000240000-0x0000000000245000-memory.dmp
  Filesize: 20KB
- memory/2024-56-0x0000000000400000-0x000000000092B000-memory.dmp
  Filesize: 5.2MB