Analysis
-
max time kernel
600s -
max time network
444s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-es -
resource tags
arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows -
submitted
14/07/2023, 19:54
Static task
static1
Behavioral task
behavioral1
Sample
wins.exe
Resource
win10v2004-20230703-es
General
-
Target
wins.exe
-
Size
703KB
-
MD5
a8a27695f1bc25512354f2c6b5e9d037
-
SHA1
d39c5146f3560a6d55657eaa384a8794e25c97ad
-
SHA256
4365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
-
SHA512
58e1eb8588514730e5727c684839f35e45390c429e52514d8394d607a332cc8b3be7a733f3dbc856c696d55607d1073289c8dca2d0bc30d1c46de640c262a913
-
SSDEEP
12288:/fyw2ahjxbe1SORR84Rl7hChlA4aEISAe43v:/6NanbivDChdrnXm
Malware Config
Extracted
smokeloader
2022
http://cletonmy.com/
http://alpatrik.com/
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks QEMU agent file 2 TTPs 4 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
description ioc Process File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe wins.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe wins.exe File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe hdsjfva File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe hdsjfva -
Executes dropped EXE 1 IoCs
pid Process 396 hdsjfva -
Loads dropped DLL 3 IoCs
pid Process 1232 wins.exe 396 hdsjfva 5096 hdsjfva -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 4788 wins.exe 5096 hdsjfva -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 1232 wins.exe 4788 wins.exe 396 hdsjfva 5096 hdsjfva -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1232 set thread context of 4788 1232 wins.exe 92 PID 396 set thread context of 5096 396 hdsjfva 105 -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Common Files\sansningerne.Unc wins.exe File opened for modification C:\Program Files (x86)\Common Files\sansningerne.Unc hdsjfva -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\resources\0c0a\Katje\falsebenet\Bike\Angivende.ini wins.exe File opened for modification C:\Windows\resources\0c0a\Hovedgaarde.For wins.exe File opened for modification C:\Windows\resources\0c0a\Katje\falsebenet\Bike\Angivende.ini hdsjfva File opened for modification C:\Windows\resources\0c0a\Hovedgaarde.For hdsjfva -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 6 IoCs
resource yara_rule behavioral1/files/0x0007000000023235-305.dat nsis_installer_1 behavioral1/files/0x0007000000023235-305.dat nsis_installer_2 behavioral1/files/0x0007000000023235-306.dat nsis_installer_1 behavioral1/files/0x0007000000023235-306.dat nsis_installer_2 behavioral1/files/0x0007000000023235-322.dat nsis_installer_1 behavioral1/files/0x0007000000023235-322.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hdsjfva Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hdsjfva Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI hdsjfva Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wins.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wins.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI wins.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4788 wins.exe 4788 wins.exe 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3184 Process not Found -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 1232 wins.exe 4788 wins.exe 396 hdsjfva 5096 hdsjfva -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1232 wrote to memory of 4788 1232 wins.exe 92 PID 1232 wrote to memory of 4788 1232 wins.exe 92 PID 1232 wrote to memory of 4788 1232 wins.exe 92 PID 1232 wrote to memory of 4788 1232 wins.exe 92 PID 396 wrote to memory of 5096 396 hdsjfva 105 PID 396 wrote to memory of 5096 396 hdsjfva 105 PID 396 wrote to memory of 5096 396 hdsjfva 105 PID 396 wrote to memory of 5096 396 hdsjfva 105 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\wins.exe"C:\Users\Admin\AppData\Local\Temp\wins.exe"1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\wins.exe"C:\Users\Admin\AppData\Local\Temp\wins.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4788
-
-
C:\Users\Admin\AppData\Roaming\hdsjfvaC:\Users\Admin\AppData\Roaming\hdsjfva1⤵
- Checks QEMU agent file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Users\Admin\AppData\Roaming\hdsjfvaC:\Users\Admin\AppData\Roaming\hdsjfva2⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5096
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5375e8a08471dc6f85f3828488b1147b3
SHA11941484ac710fc301a7d31d6f1345e32a21546af
SHA2564c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
SHA5125ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
-
Filesize
11KB
MD5375e8a08471dc6f85f3828488b1147b3
SHA11941484ac710fc301a7d31d6f1345e32a21546af
SHA2564c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
SHA5125ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
-
Filesize
11KB
MD5375e8a08471dc6f85f3828488b1147b3
SHA11941484ac710fc301a7d31d6f1345e32a21546af
SHA2564c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
SHA5125ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
-
C:\Users\Admin\AppData\Roaming\Havesanger\Nondyspeptic\Soten34\Igniting\Rockere128\Earn\Airways_14.bmp
Filesize7KB
MD54500ee6294e6dd7ebc558442a45cd4a2
SHA1e8dadc287fdc1d254e00fe6797732a6d7665ea61
SHA2562d00f2194e9c74b879c37b05af189682dbd551c8366f5145fc5d84200070a265
SHA51264686bcb6b028b9dfb80b6b4d2b3b8b57b8fbd5ac30e5140cebf2131c2f9c10175c6304134c59f363ea2adfd733fd6282e870d8930f352adf253e649530a1ace
-
Filesize
703KB
MD5a8a27695f1bc25512354f2c6b5e9d037
SHA1d39c5146f3560a6d55657eaa384a8794e25c97ad
SHA2564365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
SHA51258e1eb8588514730e5727c684839f35e45390c429e52514d8394d607a332cc8b3be7a733f3dbc856c696d55607d1073289c8dca2d0bc30d1c46de640c262a913
-
Filesize
703KB
MD5a8a27695f1bc25512354f2c6b5e9d037
SHA1d39c5146f3560a6d55657eaa384a8794e25c97ad
SHA2564365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
SHA51258e1eb8588514730e5727c684839f35e45390c429e52514d8394d607a332cc8b3be7a733f3dbc856c696d55607d1073289c8dca2d0bc30d1c46de640c262a913
-
Filesize
703KB
MD5a8a27695f1bc25512354f2c6b5e9d037
SHA1d39c5146f3560a6d55657eaa384a8794e25c97ad
SHA2564365ff3c93ee1faa413ab7cf6838884c449053479d3039e995a6cdfe590125e4
SHA51258e1eb8588514730e5727c684839f35e45390c429e52514d8394d607a332cc8b3be7a733f3dbc856c696d55607d1073289c8dca2d0bc30d1c46de640c262a913