Analysis
max time kernel: 300s
max time network: 295s
platform: windows10-1703_x64
resource: win10-20230915-en
resource tags: arch:x64, arch:x86, image:win10-20230915-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22/09/2023, 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Resource: win10-20230915-en
General
Target: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
Size: 294KB
MD5: a429b1cad13b585f8ed0b211cf58c8b1
SHA1: 831989747894654676a451e45caad4087b449d43
SHA256: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1
SHA512: cff50434ba337280c8d66bb53a3df41499bed74a651fd8d6947fb2c091e25d72df0e10ae4b1a64b604bd30751bd128cdc4d618623dabc7421a30845345093045
SSDEEP: 6144:PIcpSUbxJ7vc+lC9BmgXotRTO76Jo3g8Z:PIc4KxJ7vpzptOmWQ8
Malware Config
Extracted
  Family: smokeloader
  pub1
Extracted
  Family: smokeloader
  2022
  C2:
  http://gudintas.at/tmp/
  http://pik96.ru/tmp/
  http://rosatiauto.com/tmp/
  http://kingpirate.ru/tmp/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 3272 | Process not Found
- Executes dropped EXE (1 IoC)
  pid 216 | hsjiira
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hsjiira
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hsjiira
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hsjiira
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3640 | 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe (2 entries)
  3272 | Process not Found (62 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 3272 | Process not Found
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid 3640 | 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  pid 216 | hsjiira
- Suspicious use of AdjustPrivilegeToken (22 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3272 | Process not Found (11 entries)
  Token: SeCreatePagefilePrivilege | 3272 | Process not Found (11 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3640
- C:\Users\Admin\AppData\Roaming\hsjiira
  Command line: C:\Users\Admin\AppData\Roaming\hsjiira
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 216
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 294KB
  MD5: a429b1cad13b585f8ed0b211cf58c8b1
  SHA1: 831989747894654676a451e45caad4087b449d43
  SHA256: 3c2672bb3dc91360f4ddeeb7d36db34354eab8624bff04430649d5b794b0afd1
  SHA512: cff50434ba337280c8d66bb53a3df41499bed74a651fd8d6947fb2c091e25d72df0e10ae4b1a64b604bd30751bd128cdc4d618623dabc7421a30845345093045