Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 04-01-2024 23:08
Static task: static1
Behavioral task: behavioral1 (Sample: WEXTRACT.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: WEXTRACT.exe, Resource: win10v2004-20231222-en)
General
Target: WEXTRACT.exe
Size: 427KB
MD5: be982f88b4dc59376512980069e223e6
SHA1: 0e410efd5f98f96ae5cea91ea60a827db48bdb11
SHA256: 17c7cc079465da191a8ed1512b8088b869415f5bc5bccf3eb72b0820b7f35619
SHA512: b763f0235689765d1aceefc76925cc6b714630e1760b6e221b378263e9019e18f5f2002bcbb242ce1016efbc0ff79d7645c3025e7b7a6f27daba02552377a197
SSDEEP: 6144:K2y+bnr+Bp0yN90QEF6VvTOaAJL63hsjz+7Ha3th4oIrfwXxp3DMgZtyXs2bBub9:+MrZy90KdIJLUxstfWfwXxpzMg+RQ9
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2: http://77.91.68.29/fks/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (3 IoCs)
  pid   process
  1904  v0143080.exe
  2156  a8638369.exe
  1724  arvhcua

Loads dropped DLL (9 IoCs)
  pid   process
  1928  WEXTRACT.exe
  1904  v0143080.exe (3 entries)
  2156  a8638369.exe
  2952  WerFault.exe (4 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: WEXTRACT.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  (process: v0143080.exe)

Suspicious use of SetThreadContext (1 IoCs)
  PID 2156 (a8638369.exe) set thread context of PID 2836 (AppLaunch.exe)

Program crash (1 IoCs)
  pid   pid_target  process
  2952  2156        WerFault.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   process
  2836  AppLaunch.exe (2 entries)
  1144  (process name not recorded; 62 entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   process
  2836  AppLaunch.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  pid   process       target pid  target process  entries
  1928  WEXTRACT.exe  1904        v0143080.exe    7
  1904  v0143080.exe  2156        a8638369.exe    7
  2156  a8638369.exe  2836        AppLaunch.exe   10
  2156  a8638369.exe  2952        WerFault.exe    7
  2140  taskeng.exe   1724        arvhcua         4
Processes

C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 36
  - Loads dropped DLL
  - Program crash

C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {42FD4E48-BA97-4B32-9EF9-34EE87F79D77} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\arvhcua
    command line: C:\Users\Admin\AppData\Roaming\arvhcua
    - Executes dropped EXE
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
  Filesize: 325KB
  MD5: 6d3e807bc5b1075951cb02aee1040ce4
  SHA1: e46b8731eb240af658cd92f869b9c4c48255d572
  SHA256: 3044994d68ed802e317cd4395ed588a0928dd006e4359ff907691fdcfd3b45f7
  SHA512: b2bccf1135ef7a8d0adfeaa158933e730206e0cbf3920ffab0a8aad0eda01d6c14ac176bf0215bcb0e77385b6f5562fb1ddb7e87a8acb8cfdb3290dd1800ea2f

C:\Users\Admin\AppData\Roaming\arvhcua
  Filesize: 96KB
  MD5: 7825cad99621dd288da81d8d8ae13cf5
  SHA1: f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
  SHA256: 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
  SHA512: 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0143080.exe
  Filesize: 256KB
  MD5: 8f5a5b30d9da4f77d1d5ebf8deafa506
  SHA1: 51bbe9d2a8a78cc7ceb2450e275cc7ea429ec1b3
  SHA256: a4006371f134ff2533cb4ae993e903894feb6595df66b66737c9ad8883567c4e
  SHA512: 40b10e049632d4e262e7e0e46df8f4cf6d922305fbbdcb696b90278a38bc1ced9ebeba90fcaab79883494447401bed7f791f71417ec195ea9d3d257f48b4b866

\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8638369.exe
  Filesize: 166KB
  MD5: 6b3b5578bfce84e4564382d8dcb84c88
  SHA1: fbe695d073f9bf1c4480f0da2e75de798d58deba
  SHA256: 48eab4277fff7669eb09844dd2d5de7a5edc2a487a6a4ef9b540785fff1bc9c1
  SHA512: c4b48b40fdb6ebdbfd4cd6c42a4ce34c8a5d4e74163eda9cb197e7bad1a2d2bb80653b1ecb47dbb4ad106e1570663945de22301623aceef70c802354091957f8

Memory dumps
  memory/1144-32-0x0000000002F00000-0x0000000002F16000-memory.dmp  Filesize: 88KB
  memory/2836-27-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
  memory/2836-26-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
  memory/2836-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp  Filesize: 4KB
  memory/2836-24-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
  memory/2836-23-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
  memory/2836-33-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB