Malware Analysis Report

2024-12-08 00:48

Sample ID 231227-3f6jwsdcf6
Target ba618b945e0ffb2709208d3c4bd15960
SHA256 52d50c8eb51d3c1cca7baf57353f24943b8c880446ce53ca4e79db8844205503
Tags smokeloader pub3 backdoor trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 52d50c8eb51d3c1cca7baf57353f24943b8c880446ce53ca4e79db8844205503

Threat Level: Known bad

The file ba618b945e0ffb2709208d3c4bd15960 was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Executes dropped EXE

Deletes itself

Loads dropped DLL

Program crash

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-27 23:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-27 23:28
Reported 2024-01-08 01:31
Platform win7-20231215-en
Max time kernel 150s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\uhvictg N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Roaming\uhvictg

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe

"C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {384DAEA0-1061-4C32-868A-92590B5ED4FE} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\uhvictg

C:\Users\Admin\AppData\Roaming\uhvictg

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 124

Network

Country Destination Domain Proto
US 8.8.8.8:53 conceitosseg.com udp
US 8.8.8.8:53 integrasidata.com udp
SG 172.104.187.4:80 integrasidata.com tcp
US 8.8.8.8:53 ozentekstil.com udp
TR 89.19.30.75:80 ozentekstil.com tcp
US 8.8.8.8:53 finbelportal.com udp
US 8.8.8.8:53 telanganadigital.com udp
US 192.64.119.13:80 telanganadigital.com tcp
US 8.8.8.8:53 www.telanganadigital.com udp
DE 91.195.240.19:80 www.telanganadigital.com tcp

Files

memory/1288-2-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1288-5-0x00000000001B0000-0x00000000001B9000-memory.dmp

\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/1288-6-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1196-7-0x0000000002B00000-0x0000000002B15000-memory.dmp

memory/1288-8-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Roaming\uhvictg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\uhvictg

MD5 f9acf8160b421fdd9fa69f60abbd7c56
SHA1 dbd1a28878b29c72d2ac68403f555cfafb2d1564
SHA256 e5b62db00542471ea2f249ebf006a8172fdc76f3411621336905ecca3a51ef33
SHA512 b574d6c72ef699c37277cf7d31a4d0db983741386906d2dd3916b5c0669adb2077007c5ef62eb2d37f9c931cb99d675b2480bc58f4472740310c5875f84e9493

memory/1640-19-0x0000000000400000-0x000000000046A000-memory.dmp

memory/1640-18-0x0000000000610000-0x0000000000710000-memory.dmp

memory/1640-25-0x0000000000610000-0x0000000000710000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-27 23:28
Reported 2024-01-08 01:31
Platform win10v2004-20231215-en
Max time kernel 79s
Max time network 142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe

"C:\Users\Admin\AppData\Local\Temp\ba618b945e0ffb2709208d3c4bd15960.exe"

C:\Users\Admin\AppData\Roaming\abwvwie

C:\Users\Admin\AppData\Roaming\abwvwie

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 conceitosseg.com udp
US 8.8.8.8:53 integrasidata.com udp
SG 172.104.187.4:80 integrasidata.com tcp
US 8.8.8.8:53 ozentekstil.com udp
TR 89.19.30.75:80 ozentekstil.com tcp
US 8.8.8.8:53 finbelportal.com udp
US 8.8.8.8:53 4.187.104.172.in-addr.arpa udp
US 8.8.8.8:53 75.30.19.89.in-addr.arpa udp
US 8.8.8.8:53 telanganadigital.com udp
US 192.64.119.13:80 telanganadigital.com tcp
US 8.8.8.8:53 13.119.64.192.in-addr.arpa udp
US 8.8.8.8:53 www.telanganadigital.com udp
DE 91.195.240.19:80 www.telanganadigital.com tcp
US 8.8.8.8:53 19.240.195.91.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/444-1-0x0000000000640000-0x0000000000740000-memory.dmp

memory/444-2-0x0000000000610000-0x0000000000619000-memory.dmp

memory/444-3-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/3528-8-0x0000000002A10000-0x0000000002A25000-memory.dmp

memory/444-9-0x0000000000400000-0x000000000046A000-memory.dmp

C:\Users\Admin\AppData\Roaming\abwvwie

MD5 c73cd30d7602f74d0958311f32a3fb10
SHA1 41cf46cff8e3359ba73fee758b8694bffcfb9185
SHA256 ad1ff7c3b3777a03de074ce0682d8e65803d89d0f6cb33afac953274559dc65b
SHA512 227c9904a0eca08bf2a28f1ef27951e878045fcfe1bf4deb79c46f93405b78c0880d31a45ee3220b30b2017052756b3fc0ad93c99fb17b4bd9184bd59fb39157

C:\Users\Admin\AppData\Roaming\abwvwie

MD5 7f79983f0773235e3dc78222936c2ccf
SHA1 37f544569365cca567c1669ba7fa4dc013fb53f6
SHA256 4959d79364f4ffd8c652e44a2a08f3d3d6bc55527fb57887ccb13b66c3b5b72a
SHA512 9a47fcdc9d2d42a18107766400766ff7032d666f9012a6a15055bd3782ea346bec4e451c7e8ab51a135925c503dc8db3dd068cd7d3d98639c123e39b71bb4675

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 bfdfb97736467ee0c88f0b7e44ea47cb
SHA1 a8cc09ebae363f04cf15f08b07e60fac9ae0e51f
SHA256 790d09b51cc248f01572b333d783f9b1683d4d90788323c97d5890280e4ecbac
SHA512 264e077ca4937beb543d818b1bea8a2e1ff7066aa8bf5389af0ee3bd1374533f4313a573e96c2788fbda07d68cac52a7e2c2d728f17c3043a1c116acf14bf299

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 cfe2a50ed5f4fe4ba62a105843b714b7
SHA1 2f55c369f0482210b360994e32c8608614f59d83
SHA256 03281c55512720536741178783ad16d06672fb60216e16039fa8eeb5d2bef83c
SHA512 45b97e42c84c526a7cf62ce5e5a781c2f6af3f5edd26c19fcb223d848dd2b75216f11a1b4928b4fb5735816b8ab919789bb8c184103ed0860a9912ef12090b29

memory/4420-21-0x0000000000400000-0x000000000046A000-memory.dmp

memory/4420-20-0x0000000000560000-0x0000000000660000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 e3266137560bcdc25d91b338cb582025
SHA1 6d2bad8f419a83493ec365639feec71a389b6db3
SHA256 a149047f577f0e066e4e646fcacf0f4d8f8956619b3e03136bf5d7a886ee7d5c
SHA512 329c3cf0e090b6cae77da74facb75f67c303268b80ddb444cfe2d8e376ae82acf9c87b5fd5270545d1cfc3e3b1ad7a6c3e4a5a6649a68ca204645015be41fa14

memory/4420-26-0x0000000000400000-0x000000000046A000-memory.dmp

memory/3528-25-0x0000000002B00000-0x0000000002B15000-memory.dmp