Malware Analysis Report

2024-12-08 00:46

Sample ID 231228-fgzfmsccar
Target c4e5974e135abb99b9592c9b2fef10fc
SHA256 4c341d77788e2d9feb45ee82a2d951e81b4d736de8f3ca180475c1cee83ae936
Tags smokeloader pub3 backdoor trojan
Score 10/10


Analysis Overview

score
10/10

SHA256

4c341d77788e2d9feb45ee82a2d951e81b4d736de8f3ca180475c1cee83ae936

Threat Level: Known bad

The file c4e5974e135abb99b9592c9b2fef10fc was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 04:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 04:51

Reported

2023-12-29 16:41

Platform

win7-20231215-en

Max time kernel

181s

Max time network

196s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sdsusvd N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sdsusvd
PID 1220 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sdsusvd
PID 1220 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sdsusvd
PID 1220 wrote to memory of 580 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\sdsusvd

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe

"C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {FC8FD8A9-E746-4A7D-BE29-04126A740686} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\sdsusvd

C:\Users\Admin\AppData\Roaming\sdsusvd

Network

Country Destination Domain Proto
US 8.8.8.8:53 conceitosseg.com udp
US 8.8.8.8:53 integrasidata.com udp
SG 172.104.187.4:80 integrasidata.com tcp
US 8.8.8.8:53 ozentekstil.com udp
TR 89.19.30.75:80 ozentekstil.com tcp
US 8.8.8.8:53 finbelportal.com udp
US 8.8.8.8:53 telanganadigital.com udp
US 192.64.119.13:80 telanganadigital.com tcp
US 8.8.8.8:53 www.telanganadigital.com udp
DE 91.195.240.19:80 www.telanganadigital.com tcp

Files

memory/2192-1-0x0000000000520000-0x0000000000620000-memory.dmp

memory/2192-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2192-3-0x0000000000400000-0x0000000000456000-memory.dmp

\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2192-7-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1244-8-0x00000000029C0000-0x00000000029D5000-memory.dmp

memory/2192-12-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2192-9-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Roaming\sdsusvd

MD5 c4e5974e135abb99b9592c9b2fef10fc
SHA1 1c6e1431d03e5633bf044871d3c73535f691cceb
SHA256 4c341d77788e2d9feb45ee82a2d951e81b4d736de8f3ca180475c1cee83ae936
SHA512 5dcc5da8f924ceb758c515a0022a7ab2cf366a84079937bfd8ae656076df80da447f63b37dc9d30607abcfb63cb250fd2eb667d1a451be3679dcea3ad13c4114

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 bfd2c47097a0f9cfa2133ca6e26614e4
SHA1 600327b44feae3d21e958c0ea4cdf73873d78ad9
SHA256 fb4f7bfea28c56fdb39dacaf0121a443d1389eceb45f096a360944d47b17e153
SHA512 1bf064941bc7f264ebc3dc2a50b387f409f5616d911262078bb3289495229b8df02a6185fee5a9788c35ac8fb6f0b0562e6a503487ed03d6032f91dd8378830c

memory/580-21-0x0000000000552000-0x0000000000563000-memory.dmp

memory/580-20-0x0000000000400000-0x0000000000456000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 04:51

Reported

2023-12-29 16:40

Platform

win10v2004-20231215-en

Max time kernel

102s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe

"C:\Users\Admin\AppData\Local\Temp\c4e5974e135abb99b9592c9b2fef10fc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 392

C:\Users\Admin\AppData\Roaming\wsstgcu

C:\Users\Admin\AppData\Roaming\wsstgcu

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4052 -ip 4052

Network

Country Destination Domain Proto

Files

memory/448-3-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 6202455580de16d5319e9488b0df97b5
SHA1 033f1ba7a5dcf41bdd21ff01b96425afd284ce67
SHA256 5413ecba8fe27efcebc9eb1aa6063b87b870acfa6887a29cf3efcca3f39c935d
SHA512 d077f951c677e689b4940f2755218222ce117546e8c679bdcc9380658eef403ca65a4bddd2e8f86979f1d8983ea9676583b9dd85e9741e4bd9ad5aedd59d0dd4

memory/448-2-0x0000000000700000-0x0000000000709000-memory.dmp

memory/448-1-0x0000000000780000-0x0000000000880000-memory.dmp

memory/3432-8-0x0000000002F60000-0x0000000002F75000-memory.dmp

memory/448-11-0x0000000000400000-0x0000000000456000-memory.dmp

C:\Users\Admin\AppData\Roaming\wsstgcu

MD5 7bfd8f4ede79745687cc01889dc06563
SHA1 7dd5dd5f122625ac8475e4dd204d8580c171ddb5
SHA256 5e8a66655391ea6c83d99daad3e058ee6fa1ba91d391b82f836a90bfae3b722f
SHA512 6b255f5e153f0b1c522eee85b5513395bcc06b33470cf24cc2dde463be200e750605f82531f647725bea287ffee43d542414cd37614e4179c091bcd3273f3a88

C:\Users\Admin\AppData\Roaming\wsstgcu

MD5 a5a5dbafa10d804cbed00a6d0dc6fa6d
SHA1 9ad65863ba7dc2eec56893786264969b27f87d75
SHA256 7d9fceb74c2b2d1bd408e2d4be1d1f9ebacd493bd7bb5de6a508a81fbf6bd15d
SHA512 4fb0d72795dc350cd38a6c4dd8086be3e6f489bd7696561c97a396701a739ba1ca361816e03218844ab13f93ec5d59879723fea34e188ee397061eb5f36a093b

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 a59156976098a7b8ab04ae903dc4db72
SHA1 2841305715b58bfab435cebf5cf345cdb4d54837
SHA256 c7c2e6b5d4ae8942dff47d68687efc0291a04460f52eea169e1e258be23ca8a2
SHA512 5a6b69af8c8b12c5ebff37c2db96f621767e3e03b9d181bd4c352670710e0fa3f355e9a8f84fa04a318293c6f549c605dd4a6b1875cb8229b4a0c75133c1a1f9

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 cfd4b8e883f1826e025cc1b02ff710e6
SHA1 3bb0164079fb0228a8aa28e7b725f1a54fa03f82
SHA256 34be52f084ee024ed70498497f84dfe3f05dd7297690940c9341fb5a7610523c
SHA512 3befe224c6da6beb4230be558f1d7df2d650f86fe6417af8d83443df361cc9bb2629186eded51cf518fe5f5aa315f7ee7c74f013ed30ec4eba66f4ab693a2d6a

memory/4052-20-0x0000000000400000-0x0000000000456000-memory.dmp

memory/4052-19-0x0000000000580000-0x0000000000680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

MD5 da128058e2f4258bd0478f32f98e868e
SHA1 d754f1222f39ef00130854676dafa063f317956b
SHA256 cb3bc9a8cdde2180dea69cf0c29cda669dc44eb59bce52553e771960c7d2a475
SHA512 946f1287ea5592adac6c4dd58a051edb7092983221777195fec8a5ffc5292d4c85a8168c624c53e70701f9b6b5dbc2dd97ea690f9e3b628b6bf9006f507e58fc

memory/3432-25-0x00000000010C0000-0x00000000010D5000-memory.dmp

memory/4052-28-0x0000000000400000-0x0000000000456000-memory.dmp