Analysis
  max time kernel: 150s
  max time network: 132s
  platform: windows10-1703_x64
  resource: win10-20230915-en
  resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 16/09/2023, 05:29
  Static task: static1
  Behavioral task: behavioral1
    Sample: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe
    Resource: win10-20230915-en
General
  Target: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe
  Size: 273KB
  MD5: fc2851ae5e30ea9d2e3ce59d8a5effd3
  SHA1: 3dbe27b7cd96d795a014b78af54c1e15fe9afd04
  SHA256: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a
  SHA512: 1088fa4abf07c7c3cbb502690163ac350e69e4755391c26539186c0b6aa6d320a8164e039276f55fa1649a7c293b1cea9c7c5bbb2661261ee8a23d8f3ddaaf2d
  SSDEEP: 3072:zAPnx4m4vVEDB0aXhw4dlrAsytnN+EtM8bKSxGyqPJokNo:EPYvVEDB0aXhbbrPy6KDdGtPJg
Malware Config
  Extracted: smokeloader
    pub1
  Extracted: smokeloader
    2020
    http://host-file-host6.com/
    http://host-host-file8.com/
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Deletes itself (1 IoC)
    pid 3152: Process not Found
  Suspicious use of SetThreadContext (1 IoC)
    description: PID 2440 set thread context of 4540
    pid 2440: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe, procid_target 70
  Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe)
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 4540: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe (2 entries)
    pid 3152: Process not Found (all remaining entries)
  Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid 3152: Process not Found
  Suspicious behavior: MapViewOfSection (1 IoC)
    pid 4540: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    description: PID 2440 wrote to memory of 4540
    pid 2440: 5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe, procid_target 70 (6 identical entries)
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
  C:\Users\Admin\AppData\Local\Temp\5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe (PID 2440)
    command line: "C:\Users\Admin\AppData\Local\Temp\5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    child: C:\Users\Admin\AppData\Local\Temp\5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe (PID 4540)
      command line: "C:\Users\Admin\AppData\Local\Temp\5a1aa91415a6d01eda43af0f34248ce2c4134200a6b6213c8f8953e917427e5a.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection