Analysis
max time kernel: 29s
max time network: 83s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2023, 08:20
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20230831-en)
General
Target: file.exe
Size: 197KB
MD5: a1a1b7f76fbee4d3517306259118faee
SHA1: 192c8ab0005aa0ac838c5f626b9eb576fc7bf66d
SHA256: be758d2b22cbf30dc03aac1bd99508099107aec8c697a533ecbcb2c43b4a7aec
SHA512: 7d05175a176232cbda353feeea14a07defa7d392b7cfa2af149b3a838c008391e3fb33893c9de3c33596d2c8bf5989ce46d39f251e62b02a030f26b44db6f18f
SSDEEP: 3072:IThu5LNO7JCdM+yueDmqIPtSEbMm9UEJ/W46au4opmgo56andwT3d4P:8u5LNwgeUeDmVMmfu4/u5mWmdwTt4
Malware Config
Extracted: smokeloader, 2022, with 13 URLs
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
  pid   Process
  4788  E927.exe

  resource                                     yara_rule
  behavioral2/files/0x0009000000023248-19.dat  themida
  behavioral2/files/0x0009000000023248-18.dat  themida

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4600  file.exe
  4600  file.exe
  3200  Process not Found   (this row is repeated for the remaining 62 IoCs)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  4600  file.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process            procid_target
  PID 3200 wrote to memory of 4788  3200  Process not Found  101
  PID 3200 wrote to memory of 4788  3200  Process not Found  101
  PID 3200 wrote to memory of 4788  3200  Process not Found  101
  PID 3200 wrote to memory of 2604  3200  Process not Found  102
  PID 3200 wrote to memory of 2604  3200  Process not Found  102
  PID 3200 wrote to memory of 2604  3200  Process not Found  102

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4600
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\E927.exe
  command line: C:\Users\Admin\AppData\Local\Temp\E927.exe
  PID: 4788
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Temp\ECA3.exe
  command line: C:\Users\Admin\AppData\Local\Temp\ECA3.exe
  PID: 2604
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 696KB
MD5: 2340b48b4a14c41d93d84ec7974cc8d6
SHA1: 877c209472761292e20de46711260b87b3c3a2ba
SHA256: 1baed15aceffae50481b74fe4a3952e68541c5cf1f4c2944e72504def29682d5
SHA512: 87b97ab758fdd34e0047f9cdc5cef3c1224d8f1b118d03eda5afbf1644381f4d21c7f2dab6dbb8c1bc88bc5d348c4994361d0dd79aa837b501e33dd5e3c5e6be

Filesize: 1.2MB
MD5: d181016f1baa4cfee73eb7b5bae5b1c7
SHA1: 77f0d93e6ea1282fec709f9091d45daa69e0ad17
SHA256: 57844975b9c801e4c5ec37a8812998655696502604787402c21e1a5ea147ae54
SHA512: c5f7f6d102ddbfcc34685c7a7167bec255edc436ab68802f10ee31276022dfe6bb629e4b0e00cc66b4677771d079229c44fcfb2fceebab1f8262e453ec03a47a

Filesize: 1.1MB
MD5: b35ff3ab45d2407bd1b34003eb489cea
SHA1: 584f03ab09d0cf915820cc3340a43e8a70b5379f
SHA256: af332a8aec98c972093f3e3a54908c64564672f5bcc80efa5d3b17458649b3e3
SHA512: 4332f1b768349f0a9247518ccb6359db06c6ceb2d127d264603c12f7c3acb17e2b5bd333933f914df93f21e81da51fa80786c840b1ebcf302df6cef88de1c127