Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20230915-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 04-10-2023 19:33

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  Resource: win10v2004-20230915-en
General
Target: 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
Size: 225KB
MD5: 594b091166ea555ee1d1fb1431a7d372
SHA1: f591b6b3b4ee9fd6e74cef34b5b1332d6e14d7bd
SHA256: 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a
SHA512: e3e85f5259eb1612141b1bd8efd1eec9779b7bd443e447962b34418b4cf4650688691904d27fd9f4bf1908dc92361532d78a0a614c70425953425694d883f52c
SSDEEP: 3072:IwXb9SzG47rwk7tOu6N0TsHEj70MqsEMn30sqE1e59n9FwJVr:F8C47r77jo0gHW70MbE9bFwJV
Malware Config
Extracted
  Family: smokeloader
  Version: pub1
Extracted
  Family: smokeloader
  Version: 2020
  URLs:
    http://host-file-host6.com/
    http://host-host-file8.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 1620 set thread context of 2728 | 1620 | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
  2728 | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  2728 | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  3192 | (no process name recorded), 62 identical entries

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid | process):
  3192 | (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid | process):
  2728 | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe

Suspicious use of UnmapMainImage (1 IoC)
Processes (pid | process):
  3192 | (no process name recorded)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 1620 wrote to memory of 2728 | 1620 | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe | 19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe (6 identical entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe"
  PID: 1620
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe (child of PID 1620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\19c46ab63fe9578c1de1bb9a04149f311abc2aacf18aa709a6a9353db4e54f4a.exe"
    PID: 2728
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection