Analysis
Max time kernel: 300s
Max time network: 30s
Platform: windows7_x64
Resource: win7-20230621-en
Resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
Submitted: 26-06-2023 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  Resource: win10-20230621-en
General
Target: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Size: 205KB
MD5: 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1: 0e5741c323e7c35671333863492743ae0c64f64b
SHA256: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512: 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
SSDEEP: 3072:g0t8tNh4pRETGd2/Rq9nvZCTBQAc5bGHtDuVszN54PKiIIiT28KHqK:QtJTY2/OQBQAc5qHtDN5kFIIiTVKHq
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2 URLs:
- http://serverlogs37.xyz/statweb255/
- http://servblog757.xyz/statweb255/
- http://dexblog45.xyz/statweb255/
- http://admlogs.online/statweb255/
- http://blogstat355.xyz/statweb255/
- http://blogstatserv25.xyz/statweb255/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2040 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe) set thread context of PID 1064 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe):
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 1064 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe), 2 entries; PID 1220 (no process name recorded), 62 entries.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1220 (no process name recorded).
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 1064 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe).
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeShutdownPrivilege, PID 1220 (no process name recorded).
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: PID 2040 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe) wrote to memory of PID 1064 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe), 7 entries.
Processes
- C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe (PID 2040)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe (PID 1064, child of PID 2040)
    Command line: "C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1064-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/1064-56-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1064-58-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1064-60-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1220-59-0x0000000002240000-0x0000000002256000-memory.dmp (Filesize: 88KB)
- memory/2040-57-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)