Analysis

Max time kernel: 151s
Max time network: 146s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23/09/2023, 17:11

Static task: static1
Behavioral task: behavioral1
Sample: e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
Resource: win10v2004-20230915-en

General

Target: e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
Size: 310KB
MD5: 9201a6faa902397373c885d6d69ece9e
SHA1: 7ca9268955de314da0e5d154afca5d27403073a7
SHA256: e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89
SHA512: 0a4952173c000338444f5df32b64369f724d3040ede8c6dd32265eaed88ced0e951596a201fcb404f5ca4f7857ad4673f803c346adff19fcd025e7b374b3961a
SSDEEP: 6144:yuX2qVTqEhFrY/m+FFMaYMhCTI6NRPTh8XI/:nVTq+VY/moDYMsTvR7aQ
Malware Config

Extracted: smokeloader
  Botnet ID: pub1

Extracted: smokeloader
  Version: 2020
  C2 URLs:
    http://host-file-host6.com/
    http://host-host-file8.com/

The two extractions come from the two stages the sandbox saw (the submitted sample and the dropped copy); both resolve to the same family.
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (2 IoCs)
  pid   Process
  1844  vaevhur
  3892  vaevhur
Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                   procid_target
  PID 1120 set thread context of 5100  1120  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe   85
  PID 1844 set thread context of 3892  1844  vaevhur                                                                   99
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                           Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vaevhur
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vaevhur
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  vaevhur
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
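What the open/query/enumerate sequence above actually gives the loader is the list of device instance IDs under Enum\SCSI, which carry the disk vendor and product strings (Disk&Ven_<vendor>&Prod_<product>); a hypervisor's virtual disk announces itself there. The following is an added example, not code from the report or from the malware, that parses such IDs and flags the markers a sandbox check would look for. The instance IDs in CONSTRUCTED_IDS are made up for the demonstration and VM_MARKERS is this example's own list; the live read uses the same key path the sample touched and is only meaningful on Windows.

```python
"""Reproduce the Enum\\SCSI sandbox check from the defender's side.

Added example, not part of the sandbox report. The instance IDs below are
constructed; the marker table is an assumption about what a loader compares
against, not something extracted from this sample.
"""
import sys

# substring (lower-case) -> what its presence reveals
VM_MARKERS = {
    "vmware": "VMware",
    "vbox": "VirtualBox",
    "virtualbox": "VirtualBox",
    "qemu": "QEMU",
    "xen": "Xen",
    "msft": "Hyper-V",                 # Disk&Ven_Msft&Prod_Virtual_Disk
    "virtual": "generic virtual device",
}
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"   # key path from the report

# Constructed sample: three VM-looking disks and one that looks physical.
CONSTRUCTED_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
]


def parse_instance_id(instance_id: str):
    """Split 'Class&Ven_X&Prod_Y' into (class, vendor, product)."""
    parts = instance_id.split("&")
    device_class, vendor, product = parts[0], "", ""
    for part in parts[1:]:
        if part.startswith("Ven_"):
            vendor = part[len("Ven_"):]
        elif part.startswith("Prod_"):
            product = part[len("Prod_"):]
    return device_class, vendor, product


def vm_indicators(instance_ids):
    """Return (instance_id, hypervisor) for every ID that leaks a VM marker."""
    hits = []
    for iid in instance_ids:
        _cls, vendor, product = parse_instance_id(iid)
        haystack = f"{vendor} {product}".lower()
        for marker, name in VM_MARKERS.items():   # most specific markers first
            if marker in haystack:
                hits.append((iid, name))
                break
    return hits


def read_scsi_instances():
    """Live read of the key the sample enumerated; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            ids.append(winreg.EnumKey(key, i))
    return ids


if __name__ == "__main__":
    ids = read_scsi_instances() or CONSTRUCTED_IDS
    for iid, hypervisor in vm_indicators(ids):
        print(f"{iid}: reveals {hypervisor}")
```

For a sandbox operator the useful output is the list of strings the guest leaks; for an analyst reading the report, the three registry operations per process are the whole check, and the loader only needs the subkey names, not their values.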
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  5100  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe (2 entries)
  3164  Process not Found (the remaining 62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  3164  Process not Found

PID 3164 does not appear in the process tree and the monitor could not resolve it to an image name, yet it accounts for the bulk of the process enumeration, the foreground-window polling and the privilege adjustments below. SmokeLoader's final stage is known to run inside an injected explorer.exe, which would fit this profile, but the report does not confirm the host process; treat that attribution as an assumption.
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  5100  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe
  3892  vaevhur

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                         pid   Process
  Token: SeShutdownPrivilege          3164  Process not Found
  Token: SeCreatePagefilePrivilege    3164  Process not Found
Suspicious use of WriteProcessMemory (12 IoCs)
  description                      pid   Process                                                                   procid_target  count
  PID 1120 wrote to memory of 5100  1120  e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe   85             6
  PID 1844 wrote to memory of 3892  1844  vaevhur                                                                   99             6
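Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection hits describe the same sequence twice: each stage starts a second copy of its own image, writes into it six times, then redirects the child's thread, which is the process-hollowing pattern. The block below is an added example, not the sandbox's own logic: its EVENTS rows are transcribed from the signature tables above and its IMAGES/DROPPED maps from the process tree, while the classification rules are this example's own heuristic for turning those rows into per-pair verdicts.

```python
"""Reconstruct the injection chain from a sandbox report's process events.

Added example, not part of the report. EVENTS/IMAGES/DROPPED are transcribed
from the report; classify() is this example's heuristic, not the sandbox's.
"""
from dataclasses import dataclass

SAMPLE = "e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe"

# (api, source pid, target pid): one SetThreadContext and six
# WriteProcessMemory hits per pair, exactly as the report lists them.
EVENTS = (
    [("set_thread_context", 1120, 5100), ("set_thread_context", 1844, 3892)]
    + [("write_process_memory", 1120, 5100)] * 6
    + [("write_process_memory", 1844, 3892)] * 6
)
IMAGES = {1120: SAMPLE, 5100: SAMPLE, 1844: "vaevhur", 3892: "vaevhur"}
DROPPED = {"vaevhur"}   # images the report tags "Executes dropped EXE"


@dataclass
class Pair:
    source: int
    target: int
    writes: int = 0
    thread_context: bool = False


def classify(pair: Pair, images: dict) -> str:
    """Name the injection pattern a source->target pair most resembles."""
    same_image = images.get(pair.source) == images.get(pair.target)
    if pair.writes and pair.thread_context:
        # Memory written into a fresh copy of the same image, then the
        # child's thread context replaced: the hollowing sequence
        # (create suspended, WriteProcessMemory, SetThreadContext, resume).
        return "process hollowing" if same_image else "thread hijack"
    if pair.writes:
        return "memory write only"        # e.g. CreateRemoteThread-style injection
    return "thread context only"          # debuggers do this legitimately


def reconstruct(events, images, dropped):
    """Group events per (source, target) and attach a verdict to each pair."""
    pairs = {}
    for api, src, tgt in events:
        pair = pairs.setdefault((src, tgt), Pair(src, tgt))
        if api == "write_process_memory":
            pair.writes += 1
        elif api == "set_thread_context":
            pair.thread_context = True
    findings = []
    for pair in sorted(pairs.values(), key=lambda p: p.source):
        findings.append({
            "source": pair.source,
            "target": pair.target,
            "image": images.get(pair.target, "?"),
            "writes": pair.writes,
            "verdict": classify(pair, images),
            "dropped_image": images.get(pair.target) in dropped,
        })
    return findings


if __name__ == "__main__":
    for f in reconstruct(EVENTS, IMAGES, DROPPED):
        stage = "dropped copy" if f["dropped_image"] else "submitted sample"
        print(f"{f['source']} -> {f['target']} ({f['image']}, {stage}): "
              f"{f['verdict']}, {f['writes']} memory writes")
```

The point of keeping the source and target PIDs together is that the hollowed children (5100 and 3892) are the ones that later touch Enum\SCSI and map sections, so any IoC attributed to those PIDs belongs to the unpacked payload rather than to the on-disk packer.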
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
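The report records only that the API was called, not which task the loader registered, so the natural follow-up on a live host is to audit the task store under C:\Windows\System32\Tasks for actions that launch from user-writable locations such as the %APPDATA%\vaevhur path in the process tree. The following is an added example, not code from the report or the malware: both task XML documents are constructed, the task name \Updater is hypothetical, and the user-writable path list and trigger set are this example's own choices.

```python
"""Audit Task Scheduler XML for persistence launched from user-writable paths.

Added example, not part of the sandbox report. The two task definitions are
constructed (the "\\Updater" name is hypothetical); the path patterns and
the boot/logon trigger set are this example's assumptions.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged user can write to; a dropped loader such as
# %APPDATA%\vaevhur persists from one of these.
USER_WRITABLE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\programdata\\|\\windows\\temp\\|%(appdata|localappdata|temp|tmp)%)"
)
BOOT_TRIGGERS = {"BootTrigger", "LogonTrigger"}

# Constructed: what a persistence task for the dropped copy could look like.
PERSISTENCE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Roaming\vaevhur</Command></Exec>
  </Actions>
</Task>"""

# Constructed: a benign task from a protected directory with a time trigger.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Windows Defender\MpCmdRun.exe</Command><Arguments>-IdleTask</Arguments></Exec>
  </Actions>
</Task>"""


def audit_task(xml_text: str) -> dict:
    """Parse one task definition and explain why (if at all) it looks like persistence."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    commands = [(c.text or "").strip() for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)]
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [child.tag.split("}")[-1] for child in trig]

    reasons = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            reasons.append(f"runs from user-writable path: {cmd}")
        if PureWindowsPath(cmd).suffix == "":
            reasons.append(f"command has no file extension: {cmd}")
    boot = sorted(set(triggers) & BOOT_TRIGGERS)
    if reasons and boot:
        reasons.append("fires at boot/logon: " + ", ".join(boot))
    return {"uri": uri, "commands": commands, "triggers": triggers,
            "suspicious": bool(reasons), "reasons": reasons}


def scan_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (UTF-16 XML files) and return flagged tasks."""
    base = Path(tasks_dir)
    if not base.is_dir():
        return []
    flagged = []
    for path in base.rglob("*"):
        if not path.is_file():
            continue
        try:
            result = audit_task(path.read_text(encoding="utf-16"))
        except (UnicodeError, ET.ParseError):
            continue
        if result["suspicious"]:
            result["file"] = str(path)
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for xml_text in (PERSISTENCE_TASK, BENIGN_TASK):
        r = audit_task(xml_text)
        print(r["uri"], "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

A user-writable path alone is not proof (per-user installers register tasks there too), which is why the example reports reasons rather than a bare boolean and only adds the trigger line when something else already looked wrong; on the host, pair a hit with the file's hashes against the ones in this report.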
Processes

C:\Users\Admin\AppData\Local\Temp\e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe (PID 1120)
  command line: "C:\Users\Admin\AppData\Local\Temp\e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe (PID 5100)
      command line: "C:\Users\Admin\AppData\Local\Temp\e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\vaevhur (PID 1844)
  command line: C:\Users\Admin\AppData\Roaming\vaevhur
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Roaming\vaevhur (PID 3892)
      command line: C:\Users\Admin\AppData\Roaming\vaevhur
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads

Three artifacts are listed, all with identical size and hashes (the submitted sample and the dropped copies of it):

Filesize: 310KB
MD5: 9201a6faa902397373c885d6d69ece9e
SHA1: 7ca9268955de314da0e5d154afca5d27403073a7
SHA256: e52dd9c3f4a93bb109e3d72602d7000f02c83a230fa392b0e3ae1ac039a58b89
SHA512: 0a4952173c000338444f5df32b64369f724d3040ede8c6dd32265eaed88ced0e951596a201fcb404f5ca4f7857ad4673f803c346adff19fcd025e7b374b3961a