General
- Target: file.exe
- Size: 10.0MB
- Sample: 231012-nsgzqsaa56
- MD5: cc735bbb997be4520efb4943f2db3f6c
- SHA1: 340514242dd43220d0e74db4d20f9883eb4981fa
- SHA256: 08dcd62ba2989e93c04ce28b5619d9aae32d1fa40ea8003eb85d211be9772089
- SHA512: 3ec9131b8417fc41e61f17969fa01e933a452758a8695a6c30eab5b1836f207acfb1894a619ed21ab379233fac66ec06944fb6daf093f2c9874994d718585dcd
- SSDEEP: 196608:2KZjbiVJHceRw3eP/0Z2xoZsnx8KZjbiVJHceRw3eP/0Z2xoZsnx7yr99Tz:LSb8eG00Z2xoZsxZSb8eG00Z2xoZsx7K
Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20230831-en
Malware Config
- Extracted: smokeloader
  up3
- Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Targets
- Target: file.exe
- Glupteba payload
- Modifies boot configuration data using bcdedit
- Drops file in Drivers directory
- Modifies Windows Firewall
- Possible attempt to disable PatchGuard
  Rootkits can use kernel patching to embed themselves in an operating system.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify Tools (2)
- Modify Registry (4)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)