Analysis
max time kernel: 240s
max time network: 245s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/10/2023, 08:48
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10v2004-20230915-en)
General
Target: file.exe
Size: 267KB
MD5: 97e58a64090cb6f872c94a67eb2bee5c
SHA1: 79a87878bd9c3d2d73f31eb2248ad7aebf70f5e7
SHA256: 185031cb27faf0d5aa70d1d8e1016409e7ea9cb58690da2f64d907a4182ef6d4
SHA512: 0bfdace4340ca97f36a868a90a21efd574fe196a54327f3656b8779d350299950898549f115e0c2657adc37a1e068602fc6e3d0a7881126afc48bab1130af1fe
SSDEEP: 3072:D1i6xZDYH2IQRH+7MFJSwRujTSRHfU08RZ0Vn41b8Ubpxh5JetoMUMxNTxx:ZXYWT+oFMOUmpi0VnabZbprQo/MxNTf
Malware Config
Extracted: smokeloader 2022
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description      | ioc                                              | Process
Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key enumerated   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
1604 | file.exe (2 entries)
2280 | Process not Found (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  | Process
2280 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid  | Process
1604 | file.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                        | pid  | Process
Token: SeShutdownPrivilege         | 2280 | Process not Found
Token: SeCreatePagefilePrivilege   | 2280 | Process not Found

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.