Analysis
max time kernel: 23s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 15:30
Static task: static1
Behavioral task: behavioral1
  Sample: 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  Resource: win10v2004-20231215-en
General
Target: 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
Size: 203KB
MD5: 7b2592bee2a2b4cfb28502892c619612
SHA1: c4477fef847e926783d54efb7c577fdb8d2407f9
SHA256: 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483
SHA512: c9527802e2d80f8f226471fc1d0791dea2efc29e51eba03c2525defc6d6be41e8b8f2bcf1ecf30c543a9476d520ef53ab898b912a1a69086b83cc0bb5d28c1fe
SSDEEP: 3072:dDoO2LbVS5fgevom6PJiMrt+NqaDD3LP2uHv49GriBditdi16kwxZRUiaD:S3LbfGMTI3LPJPqG2Bkeia
Malware Config
Extracted
  Family: smokeloader
  pub1
Extracted
  Family: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself 1 IoCs
  pid | Process
  3412 | Process not Found

Executes dropped EXE 1 IoCs
  pid | Process
  2876 | 9E82.exe
Checks whether UAC is enabled 1 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9E82.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  pid | Process
  2876 | 9E82.exe

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 5028 set thread context of 3352 | 5028 | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe | 22

Program crash 2 IoCs
  pid | pid_target | Process | procid_target
  4948 | 3352 | WerFault.exe | 22
  1612 | 3388 | WerFault.exe | 104

Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe

Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9E82.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9E82.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid | Process
  3352 | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  3352 | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  3412 | Process not Found (the same pid and process repeated for all remaining entries)

Suspicious behavior: MapViewOfSection 1 IoCs
  pid | Process
  3352 | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs
  description | pid | Process
  Token: SeShutdownPrivilege | 3412 | Process not Found
  Token: SeCreatePagefilePrivilege | 3412 | Process not Found
  Token: SeDebugPrivilege | 2876 | 9E82.exe
  Token: SeRestorePrivilege | 2876 | 9E82.exe
  Token: SeBackupPrivilege | 2876 | 9E82.exe
  Token: SeLoadDriverPrivilege | 2876 | 9E82.exe
  Token: SeCreatePagefilePrivilege | 2876 | 9E82.exe
  Token: SeShutdownPrivilege | 2876 | 9E82.exe
  Token: SeTakeOwnershipPrivilege | 2876 | 9E82.exe
  Token: SeChangeNotifyPrivilege | 2876 | 9E82.exe
  Token: SeCreateTokenPrivilege | 2876 | 9E82.exe
  Token: SeMachineAccountPrivilege | 2876 | 9E82.exe
  Token: SeSecurityPrivilege | 2876 | 9E82.exe
  Token: SeAssignPrimaryTokenPrivilege | 2876 | 9E82.exe
  Token: SeCreateGlobalPrivilege | 2876 | 9E82.exe
  Token: 33 | 2876 | 9E82.exe

Suspicious use of WriteProcessMemory 9 IoCs
  description | pid | Process | procid_target
  PID 5028 wrote to memory of 3352 | 5028 | 9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe | 22 (6 identical entries)
  PID 3412 wrote to memory of 2876 | 3412 | Process not Found | 103 (3 identical entries)

Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe"
  PID: 5028
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c98f0f798b53d28919e7c8f7331619c509e24045d1f4dd192f86f2a6115d483.exe"
    PID: 3352
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 328
      PID: 4948
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3352 -ip 3352
  PID: 4356
- C:\Users\Admin\AppData\Local\Temp\9E82.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\9E82.exe
  PID: 2876
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    PID: 3388
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 1144
      PID: 1612
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
  PID: 3864
- C:\Users\Admin\AppData\Local\Temp\A47E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A47E.exe
  PID: 4292
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3388 -ip 3388
  PID: 2804