Analysis
Max time kernel: 300s
Max time network: 29s
Platform: windows7_x64
Resource: win7-20230621-en
Resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
Submitted: 26-06-2023 05:00
Static task: static1
Behavioral task: behavioral1
  Sample: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  Resource: win10v2004-20230621-en
General
Target: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Size: 205KB
MD5: 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1: 0e5741c323e7c35671333863492743ae0c64f64b
SHA256: 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512: 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96
SSDEEP: 3072:g0t8tNh4pRETGd2/Rq9nvZCTBQAc5bGHtDuVszN54PKiIIiT28KHqK:QtJTY2/OQBQAc5qHtDN5kFIIiTVKHq
Malware Config
Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://serverlogs37.xyz/statweb255/
    http://servblog757.xyz/statweb255/
    http://dexblog45.xyz/statweb255/
    http://admlogs.online/statweb255/
    http://blogstat355.xyz/statweb255/
    http://blogstatserv25.xyz/statweb255/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1632 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe) set thread context of PID 1464 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, by 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, by 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, by 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 1464 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe), 2 entries
    PID 1372 (process name not recorded), all remaining entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 1372 (process name not recorded)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 1464 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeShutdownPrivilege, PID 1372 (process name not recorded)
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 1632 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe) wrote to memory of PID 1464 (6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe), 7 entries
Processes
C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
  PID: 1632
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27.exe"
    PID: 1464
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection