Analysis
-
max time kernel
151s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 19:01
Static task
static1
Behavioral task
behavioral1
Sample
f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe
Resource
win10v2004-20230915-en
General
-
Target
f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe
-
Size
253KB
-
MD5
d53fd15867eac795277bb9660c5add7c
-
SHA1
64cfc927faa7c37284aad8dd5a5730bad89b33ed
-
SHA256
f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8
-
SHA512
04a61b2125f266882993c8809b6fd143a3e4e33695059b5b4419981e2840135a9d8ba7da64e8f52eef993a5cd227b4dced992f05f209a60a452a2b38d8ade695
-
SSDEEP
1536:zJpUUCmM1MHq8lnDjgDSj+lPxZ9chmgJAxcoE+bfAmflaRg7BP0hFWbIdK7IbM3R:dp+mM1MKs949chmnu+bfja+eWabM2GN
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
pid Process 3184 Process not Found -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4340 set thread context of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2532 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 2532 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3184 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2532 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
description pid Process Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3184 Process not Found -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 PID 4340 wrote to memory of 2532 4340 f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe 82 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe"C:\Users\Admin\AppData\Local\Temp\f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Users\Admin\AppData\Local\Temp\f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe"C:\Users\Admin\AppData\Local\Temp\f0937a56401c28d94e8608e80c9f48d74a688797e9e030b0324094874d8a1ad8.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2532
-