Analysis
-
max time kernel
159s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
12/10/2023, 11:32
General
-
Target
file.exe
-
Size
266KB
-
MD5
9ee15016c8a23146f0fbc437291dd10f
-
SHA1
0e80acd0d67e7179df166e9c3a8aa3a8db3db7c2
-
SHA256
bf44be67aea40cdbd3e7c3533989d42107e61f5c76bdbb3fc6e6f473fa65f84e
-
SHA512
165052ab1e08bf3e682c11b8e0e1dc9719616ee82726953a7670edc23d8e6da087fb9e2be9d9332523c851424207763fe7cc8ec2e0a3db38afc57a8f8b44ee35
-
SSDEEP
3072:4rXLmuHB6Pr+LM9WMgycdAaa5SbQCsZV2yO8pmoLqW:aBBOr+LRMgyLaNQCsZEy1pmoL
Malware Config
Extracted
smokeloader
pub4
Extracted
smokeloader
2022
http://gudintas.at/tmp/
http://pik96.ru/tmp/
http://rosatiauto.com/tmp/
http://kingpirate.ru/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {DC247E22-7828-4CAA-8528-D6B8FB297549} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gfjgvrwC:\Users\Admin\AppData\Roaming\gfjgvrw2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
266KB
MD59ee15016c8a23146f0fbc437291dd10f
SHA10e80acd0d67e7179df166e9c3a8aa3a8db3db7c2
SHA256bf44be67aea40cdbd3e7c3533989d42107e61f5c76bdbb3fc6e6f473fa65f84e
SHA512165052ab1e08bf3e682c11b8e0e1dc9719616ee82726953a7670edc23d8e6da087fb9e2be9d9332523c851424207763fe7cc8ec2e0a3db38afc57a8f8b44ee35
-
Filesize
266KB
MD59ee15016c8a23146f0fbc437291dd10f
SHA10e80acd0d67e7179df166e9c3a8aa3a8db3db7c2
SHA256bf44be67aea40cdbd3e7c3533989d42107e61f5c76bdbb3fc6e6f473fa65f84e
SHA512165052ab1e08bf3e682c11b8e0e1dc9719616ee82726953a7670edc23d8e6da087fb9e2be9d9332523c851424207763fe7cc8ec2e0a3db38afc57a8f8b44ee35
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
3.1MB
-
Filesize
3.1MB