Analysis
- max time kernel: 300s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 22/09/2023, 04:16
Static task: static1
Behavioral task: behavioral1
- Sample: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
- Resource: win10-20230915-en
General
- Target: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
- Size: 294KB
- MD5: a429b1cad13b585f8ed0b211cf58c8b1
- SHA1: 831989747894654676a451e45caad4087b449d43
- SHA256: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1
- SHA512: cff50434ba337280c8d66bb53a3df41499bed74a651fd8d6947fb2c091e25d72df0e10ae4b1a64b604bd30751bd128cdc4d618623dabc7421a30845345093045
- SSDEEP: 6144:PIcpSUbxJ7vc+lC9BmgXotRTO76Jo3g8Z:PIc4KxJ7vpzptOmWQ8
Malware Config
Extracted
- Family: smokeloader
- pub1
Extracted
- Family: smokeloader
- 2022
- C2 URLs:
  http://gudintas.at/tmp/
  http://pik96.ru/tmp/
  http://rosatiauto.com/tmp/
  http://kingpirate.ru/tmp/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoCs)
  pid   Process
  1236  Process not Found
- Executes dropped EXE (1 IoCs)
  pid   Process
  2108  sbcvtwh
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                Process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   sbcvtwh
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   sbcvtwh
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   sbcvtwh
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2404 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe 2404 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found 1236 Process not Found -
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1236  Process not Found
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2404  3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  2108  sbcvtwh
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description                 pid   Process
  Token: SeShutdownPrivilege  1236  Process not Found
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process      procid_target
  PID 2520 wrote to memory of 2108    2520  taskeng.exe  31
  PID 2520 wrote to memory of 2108    2520  taskeng.exe  31
  PID 2520 wrote to memory of 2108    2520  taskeng.exe  31
  PID 2520 wrote to memory of 2108    2520  taskeng.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe"
  PID: 2404
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {75E7191E-748E-45B1-9D56-113F444C9D15} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]
  PID: 2520
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\sbcvtwh (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\sbcvtwh
    PID: 2108
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 294KB
  MD5: a429b1cad13b585f8ed0b211cf58c8b1
  SHA1: 831989747894654676a451e45caad4087b449d43
  SHA256: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1
  SHA512: cff50434ba337280c8d66bb53a3df41499bed74a651fd8d6947fb2c091e25d72df0e10ae4b1a64b604bd30751bd128cdc4d618623dabc7421a30845345093045