Analysis

- max time kernel: 150s
- max time network: 133s
- platform: windows10-1703_x64
- resource: win10-20230915-en
- resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16/09/2023, 08:40

Static task: static1
Behavioral task: behavioral1
Sample: 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
Resource: win10-20230915-en
General

- Target: 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
- Size: 277KB
- MD5: a0e989bfc13652a11790d78817625113
- SHA1: fcc68565d33c7756c36132d7b7fb7ebe57b230d9
- SHA256: 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543
- SHA512: 3c347f640e5896a93e959758ae2be0a0300cc256660e3758e0958486a606c31fd138a01ef506099687b4ce03297b8eacd8e44e95f367e935604f0cf87f01b43b
- SSDEEP: 3072:ZQcF0kPNK1h5A2OshCkI5lkn684umGjLDySF9WlpXKRGW:ZlFPNKH/1CVjkn68AGj3l3WlJ
Malware Config

Extracted: smokeloader
- botnet id: pub1

Extracted: smokeloader
- version: 2020
- C2 URLs:
  - http://host-file-host6.com/
  - http://host-host-file8.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
pid  | Process
3232 | Process not Found

Suspicious use of SetThreadContext (1 IoC)
description                        | pid  | Process                                                              | procid_target
PID 3048 set thread context of 964 | 3048 | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe | 70

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description    | ioc                                              | Process
Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
964  | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe (2 identical entries)
3232 | Process not Found (62 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  | Process
3232 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
964 | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description                         | pid  | Process
Token: SeShutdownPrivilege          | 3232 | Process not Found (4 identical entries)
Token: SeCreatePagefilePrivilege    | 3232 | Process not Found (4 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 3048 wrote to memory of 964  | 3048 | 2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe | 70 (6 identical entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

1. C:\Users\Admin\AppData\Local\Temp\2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe"
   PID: 3048
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of PID 3048) C:\Users\Admin\AppData\Local\Temp\2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2be6a54749de59590faea64558a1d390d29e450bcb75606d7a203ae8d5f78543.exe"
      PID: 964
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection