Analysis
- max time kernel: 162s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 05:29
Static task: static1
Behavioral task: behavioral1
- Sample: 718b20cdfd7efb4a26aa0aa020e46af0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 718b20cdfd7efb4a26aa0aa020e46af0.exe
- Resource: win10v2004-20231215-en
General
- Target: 718b20cdfd7efb4a26aa0aa020e46af0.exe
- Size: 147KB
- MD5: 718b20cdfd7efb4a26aa0aa020e46af0
- SHA1: 466be33731b34e28b56580f499cc7665bd3e77a9
- SHA256: 0ff586cfb65d5fff23f0410d1082a1852c75ca972967fb84031febe0e9a227af
- SHA512: 2cd4b934b3e51be5869b7f78bdaabb8803e8b6ef36cb51d63384ac5492f7a277cd84c3837026027cd3945e14199650fa97c52a96a03b9541af7c755f1247502f
- SSDEEP: 1536:/qdK3LyZnzrkB4BNeF1hwEQjomml3mwG0SbJrSKfIqNW0IyBRg3Hiz2j5t9WMi9y:SsX17mF4JcWpQSY2j5t9WptBD
Malware Config (extracted)
- Family: smokeloader
- Version: 2020
- C2 URLs:
http://fazanaharahe1.xyz/
http://xandelissane2.xyz/
http://ustiassosale3.xyz/
http://cytheriata4.xyz/
http://ggiergionard5.xyz/
http://rrelleynaniy6.store/
http://danniemusoa7.store/
http://nastanizab8.store/
http://onyokandis9.store/
http://dmunaavank10.store/
http://gilmandros11.site/
http://cusanthana12.site/
http://willietjeana13.site/
http://ximusokall14.site/
http://blodinetisha15.site/
http://urydiahadyss16.club/
http://glasamaddama17.club/
http://marlingarly18.club/
http://alluvianna19.club/
http://xandirkaniel20.club/
Signatures
- Modifies firewall policy service (2 TTPs, 4 IoCs)
  Processes: explorer.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile (explorer.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" (explorer.exe)
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (explorer.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (explorer.exe)
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Sets file execution options in registry (2 TTPs, 4 IoCs)
  Processes: FCEE.exe, explorer.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\193ia3y97q393yk.exe (FCEE.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\193ia3y97q393yk.exe\DisableExceptionChainValidation (FCEE.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe (explorer.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "clomshlwh.exe" (explorer.exe)
- Checks BIOS information in registry (2 TTPs, 1 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: explorer.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (explorer.exe)
- Deletes itself (1 IoCs)
  Processes: pid 3292 (process name not recorded)
- Executes dropped EXE (1 IoCs)
  Processes: pid 228 FCEE.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\193ia3y97q393yk.exe" (explorer.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\193ia3y97q393yk.exe\"" (explorer.exe)
- Checks whether UAC is enabled
  Processes: FCEE.exe
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (FCEE.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (8 IoCs)
  Processes: FCEE.exe, explorer.exe
  - pid 228 FCEE.exe (1 entry)
  - pid 4680 explorer.exe (7 entries)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 718b20cdfd7efb4a26aa0aa020e46af0.exe
  - PID 4880 (718b20cdfd7efb4a26aa0aa020e46af0.exe) set thread context of PID 2232 (718b20cdfd7efb4a26aa0aa020e46af0.exe)
- Program crash (1 IoCs)
  Processes: WerFault.exe
  - pid 1916 WerFault.exe, target pid 4680 explorer.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 718b20cdfd7efb4a26aa0aa020e46af0.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (718b20cdfd7efb4a26aa0aa020e46af0.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (718b20cdfd7efb4a26aa0aa020e46af0.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (718b20cdfd7efb4a26aa0aa020e46af0.exe)
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: FCEE.exe, explorer.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (FCEE.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (FCEE.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (explorer.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (explorer.exe)
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: explorer.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (explorer.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (explorer.exe)
- Modifies Internet Explorer Protected Mode (1 TTPs, 4 IoCs)
  Processes: explorer.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" (explorer.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" (explorer.exe)
- Modifies Internet Explorer Protected Mode Banner (1 TTPs, 1 IoCs)
  Processes: explorer.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" (explorer.exe)
- Modifies Internet Explorer settings
  Processes: explorer.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Main (explorer.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 718b20cdfd7efb4a26aa0aa020e46af0.exe
  - pid 2232 718b20cdfd7efb4a26aa0aa020e46af0.exe (2 entries)
  - pid 3292, process name not recorded (remaining 62 entries)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes: 718b20cdfd7efb4a26aa0aa020e46af0.exe, FCEE.exe
  - pid 2232 718b20cdfd7efb4a26aa0aa020e46af0.exe (1 entry)
  - pid 228 FCEE.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (30 IoCs)
  Processes: FCEE.exe, explorer.exe
  - pid 228 FCEE.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  - pid 4680 explorer.exe, tokens: SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
  - pid 3292 (process name not recorded), tokens: SeShutdownPrivilege, SeCreatePagefilePrivilege
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 718b20cdfd7efb4a26aa0aa020e46af0.exe, FCEE.exe
  - PID 4880 (718b20cdfd7efb4a26aa0aa020e46af0.exe) wrote to memory of PID 2232 (718b20cdfd7efb4a26aa0aa020e46af0.exe) (6 entries)
  - PID 3292 (process name not recorded) wrote to memory of PID 228 (FCEE.exe) (3 entries)
  - PID 228 (FCEE.exe) wrote to memory of PID 4680 (explorer.exe) (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe (child)
    Command line: "C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\FCEE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FCEE.exe
  - Sets file execution options in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (child)
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Modifies firewall policy service
    - Sets file execution options in registry
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe (child)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1136
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4680 -ip 4680
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\FCEE.exe
  Filesize: 360KB
  MD5: 94f379933c102d45a3bdb6d46070c3b6
  SHA1: e4004532129c49d22279737f26cff1f00b45a092
  SHA256: 814a9e454a6bb2d8fc04560b917cbcae6860b873625507b9fa17cc817e2e95ff
  SHA512: 4847abc92cdfe5d0fe8bbd351195644ff7354cdd9e4cc6ecb5e2434bc8a43c292dc20013bdaac263319d94ca2792e54c244dbe11bcfa94f37a0e0d4c4ac66aaf
- memory/228-21-0x00000000022F0000-0x0000000002356000-memory.dmp (Filesize: 408KB)
- memory/228-35-0x0000000002820000-0x0000000002821000-memory.dmp (Filesize: 4KB)
- memory/228-25-0x00000000022F0000-0x0000000002356000-memory.dmp (Filesize: 408KB)
- memory/228-34-0x00000000022F0000-0x0000000002356000-memory.dmp (Filesize: 408KB)
- memory/228-20-0x0000000077EB4000-0x0000000077EB5000-memory.dmp (Filesize: 4KB)
- memory/228-24-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/228-16-0x0000000000010000-0x000000000006D000-memory.dmp (Filesize: 372KB)
- memory/228-18-0x00000000022F0000-0x0000000002356000-memory.dmp (Filesize: 408KB)
- memory/228-19-0x0000000000510000-0x000000000051D000-memory.dmp (Filesize: 52KB)
- memory/228-22-0x0000000002830000-0x000000000283C000-memory.dmp (Filesize: 48KB)
- memory/2232-4-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2232-6-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/2232-3-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3292-5-0x0000000000F60000-0x0000000000F76000-memory.dmp (Filesize: 88KB)
- memory/4680-36-0x0000000004560000-0x0000000004562000-memory.dmp (Filesize: 8KB)
- memory/4680-28-0x0000000000B50000-0x0000000000F84000-memory.dmp (Filesize: 4.2MB)
- memory/4680-30-0x0000000000810000-0x00000000008D4000-memory.dmp (Filesize: 784KB)
- memory/4680-29-0x0000000000810000-0x00000000008D4000-memory.dmp (Filesize: 784KB)
- memory/4680-32-0x0000000000810000-0x00000000008D4000-memory.dmp (Filesize: 784KB)
- memory/4680-26-0x0000000000B50000-0x0000000000F84000-memory.dmp (Filesize: 4.2MB)
- memory/4680-39-0x0000000000810000-0x00000000008D4000-memory.dmp (Filesize: 784KB)
- memory/4680-38-0x0000000000B50000-0x0000000000F83000-memory.dmp (Filesize: 4.2MB)
- memory/4880-2-0x00000000001C0000-0x00000000001C9000-memory.dmp (Filesize: 36KB)
- memory/4880-1-0x0000000002150000-0x0000000002250000-memory.dmp (Filesize: 1024KB)