Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
07/12/2023, 18:01
Static task
static1
Behavioral task
behavioral1
Sample
6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
Resource
win10v2004-20231127-en
General
-
Target
6CB2CCD975A8A10FB54C0A407C2F8BE6.exe
-
Size
270KB
-
MD5
6cb2ccd975a8a10fb54c0a407c2f8be6
-
SHA1
ff24085242fe52b5b59d5dd08a9698fcfea11aca
-
SHA256
142aacbf783038ea4b2a7f2d9433b1309b413330e702b8a90e300eea1bbed4c8
-
SHA512
e581dd1d87027bb97f71d2fadf352243390e154c931dcaa963a6b988426d6a8a39389239c88dfe0216520e3ad500f7564269899fde1e029361d378de475ca0e5
-
SSDEEP
3072:S7cAUflrRS52tq7MjWGLSGEmNcJwJgpiDTmV0f5toMF4zrrVydGhvU2d:Wc5FqSq7AWG2scoTmVS4fpyd
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
pid Process 3144 Process not Found -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2284 set thread context of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1404 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 1404 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found 3144 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1404 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeManageVolumePrivilege 4108 svchost.exe Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found Token: SeShutdownPrivilege 3144 Process not Found Token: SeCreatePagefilePrivilege 3144 Process not Found -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3144 Process not Found 3144 Process not Found -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 PID 2284 wrote to memory of 1404 2284 6CB2CCD975A8A10FB54C0A407C2F8BE6.exe 89 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"C:\Users\Admin\AppData\Local\Temp\6CB2CCD975A8A10FB54C0A407C2F8BE6.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1404
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:1476
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD52054bc73b7290fc5ec47f67255d2b09f
SHA1258b6bf3792d65b58a2ee92820f0e450e8bfbef6
SHA25641c015ad6b7ed18e73a5ae2eef492029b8d0cc73fd669ac4b4e4132000438373
SHA5126629609dd8ee244f30d711c43dfd338b1cb1c3cf9f411332ffaf5e3dbc40db72f1d69404dd9090ca8154c99f734f37dc01c63faa4bddf0815c526c585f37a2b6