Analysis
-
max time kernel
163s -
max time network
133s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
30-09-2023 13:18
General
-
Target
b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb_JC.exe
-
Size
244KB
-
MD5
0d8502fef5dd261f308d66febb9cb48b
-
SHA1
ce56b101459bc1abeda37dcd75bc574cb78402af
-
SHA256
b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb
-
SHA512
4bf6669f91a3a5115165de938452bb1aa1203f51d94885d585ab56891d2a11e1d92e532663691012d218557acec4a4d0c91ee9b9b09fc466aff0aacd137771e0
-
SSDEEP
3072:6XjRI3MLxNy1MtOFMzmxyh3NzNgLGUIqsynbfzQIB5J5mJxrYT:addjyGtOFQzNgyUx7bfzQIB0nrYT
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb_JC.exe"C:\Users\Admin\AppData\Local\Temp\b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb_JC.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {AB9AE9C4-15F5-44DD-A854-3573E442B82B} S-1-5-21-3513876443-2771975297-1923446376-1000:GPFFWLPI\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\bwcrcjuC:\Users\Admin\AppData\Roaming\bwcrcju2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
244KB
MD50d8502fef5dd261f308d66febb9cb48b
SHA1ce56b101459bc1abeda37dcd75bc574cb78402af
SHA256b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb
SHA5124bf6669f91a3a5115165de938452bb1aa1203f51d94885d585ab56891d2a11e1d92e532663691012d218557acec4a4d0c91ee9b9b09fc466aff0aacd137771e0
-
Filesize
244KB
MD50d8502fef5dd261f308d66febb9cb48b
SHA1ce56b101459bc1abeda37dcd75bc574cb78402af
SHA256b3458d317bb1d899de66eb3f3a50eeeaa1b8d2c7f4bd8e425a60d3fec697f3eb
SHA5124bf6669f91a3a5115165de938452bb1aa1203f51d94885d585ab56891d2a11e1d92e532663691012d218557acec4a4d0c91ee9b9b09fc466aff0aacd137771e0
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
36KB
-
Filesize
84KB
-
Filesize
296KB
-
Filesize
296KB