Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/07/2023, 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20230703-en
General
Target: tmp.exe
Size: 695KB
MD5: d4cd7f24da8930bfc263c6fcd063c4cc
SHA1: 6f08c420fcae55a3eb281f03b6bc63ad2eb025b8
SHA256: 92016b01f6a319dece11785543f6ec734a436ba63727a8ae065890dfd4b6420d
SHA512: 500d2cdbdcec195eeb455c3e34c9780dd3c0bf105730a78a890066d733b8646ffdccf8b302a48557b11a2547eda46261ef90dc46e499233115aa5a9e7b5891d0
SSDEEP: 6144:mQ606xBwuSRDF2FXbmXzMT4teeBWHYpePla37v/OFKTMvC+vax5ZEorjy7+eQMAh:J1/2FX6XzMT47kPgLHOFPJX7D4Xn
Malware Config
Extracted: smokeloader 2022
  http://cletonmy.com/
  http://alpatrik.com/
Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
  description              ioc                                   process
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  tmp.exe
  File opened (read-only)  C:\Program Files\Qemu-ga\qemu-ga.exe  tmp.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1724  tmp.exe
  1724  tmp.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                                  process
  File opened for modification  C:\Windows\SysWOW64\Orbiculares.ini  tmp.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   process
  4288  tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  1724  tmp.exe
  4288  tmp.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process  procid_target
  PID 1724 set thread context of 4288  1724  tmp.exe  96

Drops file in Windows directory (1 IoC)
  description                   ioc                                                   process
  File opened for modification  C:\Windows\resources\0409\sundhedsmyndighederne.Vac  tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  tmp.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  tmp.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  tmp.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  4288  tmp.exe
  4288  tmp.exe
  760   Process not Found   (this row repeats for the remaining 62 of the 64 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  process
  760  Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   process
  1724  tmp.exe
  4288  tmp.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid  process
  Token: SeShutdownPrivilege        760  Process not Found
  Token: SeCreatePagefilePrivilege  760  Process not Found
  Token: SeShutdownPrivilege        760  Process not Found
  Token: SeCreatePagefilePrivilege  760  Process not Found

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   process  procid_target
  PID 1724 wrote to memory of 4288  1724  tmp.exe  96
  PID 1724 wrote to memory of 4288  1724  tmp.exe  96
  PID 1724 wrote to memory of 4288  1724  tmp.exe  96
  PID 1724 wrote to memory of 4288  1724  tmp.exe  96

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

1. C:\Users\Admin\AppData\Local\Temp\tmp.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
   PID: 1724
   - Checks QEMU agent file
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Drops file in Windows directory
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\tmp.exe (child of PID 1724)
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      PID: 4288
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 11KB
MD5: 8b3830b9dbf87f84ddd3b26645fed3a0
SHA1: 223bef1f19e644a610a0877d01eadc9e28299509
SHA256: f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
SHA512: d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03