Analysis
-
max time kernel
72s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
06-01-2024 10:16
General
-
Target
4590ca72f4ec2cb7396b45759bcc6b42.exe
-
Size
178KB
-
MD5
4590ca72f4ec2cb7396b45759bcc6b42
-
SHA1
a602b1bb140bfb0609091261af0f1d9a09e4eceb
-
SHA256
720205f5906b4bf07d115a1ad8c4986a83d8ec247693dd8214a07858bcab97af
-
SHA512
9c8569a9f5ed9e46fa9f5b9a348f10a74883366cf9b756167f562afce42cc76045382b439f1ca141b493d46e4ff56891c6eaf665775ba56601bc13105fa6127f
-
SSDEEP
3072:OucaWa7jti7pB1GTYXeh1jPMpYLLd6plhwRvDpBsArywoOLi6:6lao1G9h1jUGLLsplh6DpBsRwoOL
Malware Config
Extracted
smokeloader
0508
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4590ca72f4ec2cb7396b45759bcc6b42.exe"C:\Users\Admin\AppData\Local\Temp\4590ca72f4ec2cb7396b45759bcc6b42.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\4590ca72f4ec2cb7396b45759bcc6b42.exe"C:\Users\Admin\AppData\Local\Temp\4590ca72f4ec2cb7396b45759bcc6b42.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {45DD21AF-9083-4A37-A274-417FA015EB4E} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\htfcserC:\Users\Admin\AppData\Roaming\htfcser2⤵
-
C:\Users\Admin\AppData\Roaming\htfcserC:\Users\Admin\AppData\Roaming\htfcser3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
MD5b7e40ab08be5c7156a0c7a7892cb53f6
SHA1de76d4612462568892f4bd6e8d2468ab5caa7cea
SHA256a21d2ee0edc4abd49d7885973ce8dfd015ee6c47bf8dd6dc41dc454eb30355e9
SHA512978b399ad0bcb30f5e1f930cb45f4ad553be1d5cb4a723687bfb243cb07c847ff705191bfb2619342b5f908a9610247110bf4c0222af4262457752ba4eda2461
-
Filesize
34KB
MD582bb7f22a3749a427c2e13f09b286036
SHA171d07bbb5dab6d802a5d4f88892220da5c789148
SHA2567ae10960f140eb2562ad263eca286212f1841c4e99e43194a887a1453b9577dc
SHA51208ab502e26392383335e2b208732f53d9848a275ed1c5bac347f4e4b8c03badb193a0c5a153b9a4c3936fedea923c6b5a7aa7b48860e6c0cecffe0054a294164
-
Filesize
9KB
MD52d7c04fdb9d89aa0745f25b3c40c889e
SHA1a03f3851562887c2165cfb8d9de8ec6686c700d8
SHA25661e21136c2b86cc8a87cb8dc746b79bcc9d9e680481b465f4b3820b687680123
SHA5129554cd1cee72a6a7aa02e425d0fbecb3f40183f3ea4c36180a9eb0a468064e04641a72a90ae83a1ab98430dab86b714ac90e497b67d867b6034dd7fc63b44302
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB