Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2023, 14:29

Static task: static1
Behavioral task: behavioral1
Sample: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
Resource: win10v2004-20231023-en
General

Target: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
Size: 271KB
MD5: 012cea5b54f5cbdc516e264ffc132a22
SHA1: 6673a76737901f7c8ae01fb0d46dc81ad4a8cb57
SHA256: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75
SHA512: 939de6c679ee1fa923bd4fbd2f25266d96dfdeb17360f70364754c850dd66d730f17353318ae7ff28b3fa550cc4cd79a269a5d8232d9315791f1fe86f660d122
SSDEEP: 3072:+zK1Ijv9DbX1n27OOV0LaCl6UqjP2HnwJLv7F3bf7Zfk46RsVxz+da39iVR:8cav9FjjaCl6UseHOLzRf7BkQVx1M
Malware Config

Extracted (smokeloader)
  up3

Extracted (smokeloader)
  2020
  C2: http://host-file-host6.com/
  C2: http://host-host-file8.com/
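The extracted configuration is the most directly actionable part of this report: the two C2 URLs can be turned into network indicators and the file hashes into endpoint indicators straight away. The script below is an added example, not part of the sandbox report or of any SmokeLoader tooling. It normalises the C2 URLs to hostnames, matches them (including subdomains) against proxy and DNS log lines, and checks a file digest against the hashes in the General section. The log lines are constructed for illustration; the indicators themselves are the ones on this page.

```python
"""Build an IoC matcher from the SmokeLoader config and sample hashes above
and run it over constructed proxy/DNS log lines.

Added example, not code from the sandbox or the report.  The log lines are
constructed; the C2 URLs and hashes are the values shown on the page.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the report.
C2_URLS = [
    "http://host-file-host6.com/",
    "http://host-host-file8.com/",
]
SAMPLE_HASHES = {
    "md5": "012cea5b54f5cbdc516e264ffc132a22",
    "sha1": "6673a76737901f7c8ae01fb0d46dc81ad4a8cb57",
    "sha256": "ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75",
}

# Loose hostname token: letters/digits/dots/hyphens ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def c2_hosts(urls):
    """Normalise C2 URLs to lower-case hostnames (scheme, path and port dropped)."""
    hosts = set()
    for u in urls:
        host = urlsplit(u).hostname
        if host:
            hosts.add(host.lower().rstrip("."))
    return hosts


def match_log_line(line, hosts):
    """Return the C2 host hit by the line, matching exact hosts and subdomains,
    or None if no hostname-like token in the line touches a C2 host."""
    for m in HOST_RE.finditer(line):
        h = m.group(1).lower().rstrip(".")
        for c2 in hosts:
            if h == c2 or h.endswith("." + c2):
                return c2
    return None


def scan_logs(lines, urls=C2_URLS):
    """Return (line_number, c2_host) for every line that contacts a C2 host."""
    hosts = c2_hosts(urls)
    return [(i, h) for i, ln in enumerate(lines, 1)
            if (h := match_log_line(ln, hosts))]


def match_hash(candidate, hashes=SAMPLE_HASHES):
    """Return the digest type ('md5', 'sha1', 'sha256') a hex string matches,
    or None.  Comparison is case-insensitive and whitespace-tolerant."""
    c = candidate.strip().lower()
    for kind, value in hashes.items():
        if c == value:
            return kind
    return None


# Constructed sample log lines (not taken from the report).
SAMPLE_LOGS = [
    "2023-11-17T14:31:02Z proxy 10.0.0.15 GET http://host-file-host6.com/ 200 1874",
    "2023-11-17T14:31:03Z dns 10.0.0.15 query A host-host-file8.com NXDOMAIN",
    "2023-11-17T14:31:05Z proxy 10.0.0.15 GET https://www.microsoft.com/ 200 5120",
    "2023-11-17T14:31:09Z dns 10.0.0.22 query A cdn.host-file-host6.com NOERROR",
]

if __name__ == "__main__":
    for n, host in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: contact with C2 host {host}")
    print(match_hash("CE4D4D90930A76C70509F754B056AC01F31C18057174438033A0730139095F75"))
```

Matching on hostname rather than on the full URL is deliberate: SmokeLoader C2 paths change between builds, and a subdomain of a known C2 domain is still worth an alert. Hash matching, by contrast, only catches this exact build; the SSDEEP value in the General section is the indicator to use for near-duplicates.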
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  pid: 3304
  Process: Process not Found

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4760 set thread context of 4844
  pid: 4760
  Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
  procid_target: 103 (sandbox-internal index of the target process, not a Windows PID)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device-instance subkeys under Enum\SCSI embed the disk vendor and product strings, which on a virtual machine typically name the hypervisor (VMware, VirtualBox, QEMU and similar), so a single registry enumeration is enough to decide whether to stay dormant.
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
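To make the SCSI check concrete, the snippet below re-implements the decision such a check makes, over device-instance names supplied inline so it runs offline. It is an added example and is not code from the sample or from the sandbox; the marker list and the two sets of key names are assumptions for illustration. On a live host the names would come from the subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI, the key the report shows being enumerated, opened and queried.

```python
"""Model the anti-sandbox decision behind the 'Checks SCSI registry key(s)'
signature: parse Enum\\SCSI device-instance names and look for hypervisor
vendor/product strings.

Added example, not the sample's code.  Key names are constructed inline so
the logic runs offline; on Windows they are the subkey names under
HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.
"""

# Substrings commonly looked for in SCSI device-instance names.  Assumed
# list for illustration; the sample's own list is not known from the report.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual",
              "xen", "hyper-v", "msft virtual")


def parse_scsi_instance(name):
    """Split a subkey name such as 'Disk&Ven_VMware&Prod_Virtual_disk' into
    its device class and its Ven_/Prod_ fields."""
    fields = {}
    for part in name.split("&"):
        if part.startswith("Ven_"):
            fields["vendor"] = part[len("Ven_"):]
        elif part.startswith("Prod_"):
            fields["product"] = part[len("Prod_"):]
        elif part.startswith(("Disk", "CdRom")):
            fields["class"] = part
    return fields


def looks_like_vm(scsi_keys, markers=VM_MARKERS):
    """Return the first (key, marker) pair that hits a VM marker, or None.

    This is the whole anti-sandbox decision: one hit and the payload stays
    dormant, so the sandbox sees nothing beyond the registry reads."""
    for key in scsi_keys:
        haystack = key.lower().replace("_", " ")
        for marker in markers:
            if marker in haystack:
                return key, marker
    return None


def markers_to_scrub(scsi_keys, markers=VM_MARKERS):
    """Operator view: every (key, marker) pair that would betray the sandbox,
    i.e. the strings to rename before the image is used for detonation."""
    hits = []
    for key in scsi_keys:
        haystack = key.lower().replace("_", " ")
        hits.extend((key, m) for m in markers if m in haystack)
    return hits


# Constructed key names (not from the report).
SANDBOX_SCSI_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
BARE_METAL_SCSI_KEYS = [
    "Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ-000",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GU90N",
]

if __name__ == "__main__":
    print("sandbox image:", looks_like_vm(SANDBOX_SCSI_KEYS))
    print("bare metal   :", looks_like_vm(BARE_METAL_SCSI_KEYS))
    for key, marker in markers_to_scrub(SANDBOX_SCSI_KEYS):
        print(f"scrub {marker!r} from {key}")
```

The caveat for this report: the sample still reached the injection stage (see the SetThreadContext and WriteProcessMemory signatures), so either the check passed on this image or the result was not used to abort; a "Checks SCSI registry key(s)" hit on its own does not mean the detonation was evaded.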
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4844, Process ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe: 2 entries
  pid 3304, Process not Found: remaining 62 entries (identical, collapsed)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid: 3304
  Process: Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid: 4844
  Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege, pid 3304, Process not Found (2 entries)
  Token: SeCreatePagefilePrivilege, pid 3304, Process not Found (2 entries)

Suspicious use of UnmapMainImage (1 IoC)
  pid: 3304
  Process: Process not Found

Suspicious use of WriteProcessMemory (6 IoCs, all identical)
  description: PID 4760 wrote to memory of 4844
  pid: 4760
  Process: ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
  procid_target: 103
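Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures describe one sequence: PID 4760 writes into PID 4844 six times, then sets a thread context in it, and 4844 runs the same image as its parent. That is the process-hollowing pattern (create the child suspended, overwrite its memory, redirect the thread via its context, resume). The script below is an added example, not the sandbox's own correlation logic; it rebuilds those events from the tables above into a flat list (the event schema is an assumption) and applies the correlation, with one constructed benign line added to show what does not trigger it.

```python
"""Correlate per-process API signatures into a process-hollowing chain.

Added example, not sandbox code.  Events are reconstructed from the
SetThreadContext / WriteProcessMemory / MapViewOfSection tables above; the
flat dict schema and the svchost noise line are assumptions.
"""
from collections import defaultdict

IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe")


def _ev(api, pid, target, image=IMAGE):
    """One API event: acting pid, target pid, image of the acting process."""
    return {"api": api, "pid": pid, "target": target, "image": image}


# Reconstructed from the report: six writes 4760 -> 4844, one SetThreadContext
# 4760 -> 4844, and MapViewOfSection inside 4844 itself.
EVENTS = [_ev("WriteProcessMemory", 4760, 4844) for _ in range(6)]
EVENTS += [
    _ev("SetThreadContext", 4760, 4844),
    _ev("MapViewOfSection", 4844, 4844),
]
# Constructed benign noise: cross-process write without a thread-context change.
EVENTS += [_ev("WriteProcessMemory", 1200, 1300, r"C:\Windows\System32\svchost.exe")]


def hollowing_candidates(events):
    """Return one record per (parent, child) pair in which the parent both
    wrote into the child and set a thread context there.

    Writes alone are not enough (debuggers and loaders do that); the
    SetThreadContext on another process is the discriminating step.
    same_image flags self-hollowing, as in this report; child_maps_section
    records a MapViewOfSection in the child, the usual payload-staging step."""
    writes = defaultdict(int)
    context_set = set()
    maps_section = set()
    image_of = {}
    for e in events:
        image_of.setdefault(e["pid"], e["image"])
        if e["api"] == "WriteProcessMemory" and e["pid"] != e["target"]:
            writes[(e["pid"], e["target"])] += 1
        elif e["api"] == "SetThreadContext" and e["pid"] != e["target"]:
            context_set.add((e["pid"], e["target"]))
        elif e["api"] == "MapViewOfSection":
            maps_section.add(e["pid"])

    found = []
    for (parent, child), n_writes in sorted(writes.items()):
        if (parent, child) not in context_set:
            continue
        found.append({
            "parent": parent,
            "child": child,
            "writes": n_writes,
            "same_image": image_of.get(parent) == image_of.get(child),
            "child_maps_section": child in maps_section,
        })
    return found


if __name__ == "__main__":
    for hit in hollowing_candidates(EVENTS):
        print(hit)
```

The order of the API calls is not recorded in the signature tables, so the rule deliberately does not depend on it; with a timeline available one would additionally require the writes to precede the SetThreadContext and a ResumeThread to follow it.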
Uses Task Scheduler COM API (1 TTP, no IoCs recorded)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times. The signature fired on API usage only; the report records no task name, trigger or action, so the persistence it would create cannot be confirmed from this page.
Processes

1. C:\Users\Admin\AppData\Local\Temp\ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe"
   PID: 4760
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe (child of PID 4760)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ce4d4d90930a76c70509f754b056ac01f31c18057174438033a0730139095f75.exe"
      PID: 4844
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

PID 3304, which the signatures list as "Process not Found", does not appear in this tree: it was not spawned by the sample, so the sandbox could not resolve it to a monitored image. Self-deletion, the SeShutdownPrivilege/SeCreatePagefilePrivilege adjustments, the foreground-window polling, UnmapMainImage and most of the process enumeration are attributed to it, which is consistent with the hollowed child (4844) having injected the payload into an already-running process. The report does not identify which process that is.