Analysis
max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted: 07-12-2023 19:38
Static task: static1
Behavioral task: behavioral1
  Sample: 26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
  Resource: win10v2004-20231130-en
General
Target: 26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
Size: 290KB
MD5: c617d2602300313e08d06a7908f003f8
SHA1: 8ccbfecb8d38fd825fca0c21311deba0ee25d9e5
SHA256: 26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0
SHA512: fa1a5a89b131c3dc33a22fe78d0f43f6f30c27c27b5de595c7a569fdfe8711babbe7502f3051e3d94605567349678f88b9e9b141a463d34b7080dae3fd35ceab
SSDEEP: 3072:CNSPhh6W2Zp1WIRppJMIBOtST1Uo/en8mvRHgHkPz5yzVdbVryTk+:fPOhZp13RfOIj1UyeliHkPwL52T
Malware Config
Extracted: smokeloader (pub4)
Extracted: smokeloader (2022)
  C2 URLs:
  http://humydrole.com/tmp/index.php
  http://trunk-co.ru/tmp/index.php
  http://weareelight.com/tmp/index.php
  http://pirateking.online/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
Processes: PID 1260 (process name not captured)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description / IoC / process):
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process):
  2184  26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe (2 entries)
  1260  (process name not captured; all remaining entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: PID 1260 (process name not captured)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: PID 2184 26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\26e19f26c8335cc9c6c13aeb02a5582461c4f45e1a14b128792a975cf2bbfef0exe.exe"
Depth: 1
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 2184