Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2023 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: e2d7cbcda465782e79d8eff871dcaca3.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: e2d7cbcda465782e79d8eff871dcaca3.exe
  Resource: win10v2004-20231130-en
General
Target: e2d7cbcda465782e79d8eff871dcaca3.exe
Size: 288KB
MD5: e2d7cbcda465782e79d8eff871dcaca3
SHA1: 4da3b4bd4ea870d8d2c208b49f0034a2f767eef9
SHA256: ce5719ebd3ff01d9ba7b59cd3b9cc69a76fbe99d1f0ac581caf073c8b7fe04d7
SHA512: df4ddd345a44b542a8d23e9cc0c2aace24523d67e621b0c8d2bf7fe07fa3b9144d65b605f7d74c360f8a4ce9da26282ffa33ef5d4e829db60bd18de74c10a7a7
SSDEEP: 3072:/YMqDVCBnXkEGaD5nZ6ilUL00Oy0kMoRH0z1X3N+RGGZapPwOeTsWL:A1D8J0EBDLqfPUz1t5GMpoT
Malware Config
Extracted: smokeloader (pub1)
Extracted: smokeloader (2022)
  C2 URLs:
    http://humydrole.com/tmp/index.php
    http://trunk-co.ru/tmp/index.php
    http://weareelight.com/tmp/index.php
    http://pirateking.online/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  Processes (pid / process):
    3192  (process name not captured)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e2d7cbcda465782e79d8eff871dcaca3.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e2d7cbcda465782e79d8eff871dcaca3.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e2d7cbcda465782e79d8eff871dcaca3.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    3548  e2d7cbcda465782e79d8eff871dcaca3.exe
    3548  e2d7cbcda465782e79d8eff871dcaca3.exe
    3192  (process name not captured; this pid accounts for all remaining entries of the 64)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
    3192  (process name not captured)

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    3548  e2d7cbcda465782e79d8eff871dcaca3.exe

Suspicious use of AdjustPrivilegeToken (20 IoCs)
  Processes (description / pid / process):
    Token: SeShutdownPrivilege        3192  (process name not captured)
    Token: SeCreatePagefilePrivilege  3192  (process name not captured)
    (this pair of entries repeats ten times in the log, 20 entries in total)

Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid / process):
    3192  (process name not captured)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.