Analysis
-
max time kernel
150s -
max time network
130s -
platform
windows10-1703_x64 -
resource
win10-20231220-en -
resource tags
-
submitted
14-01-2024 23:08
General
-
Target
toolspab3.exe
-
Size
208KB
-
MD5
79d36a2a84827ac86f9e30d31cf5b5dd
-
SHA1
01432852b4c3d1d1d17d45cde7bdbab0be214fce
-
SHA256
55424ba52333947a5827238ff2b0905a9ae90c92fb7e9f0d165cbed47dffc47b
-
SHA512
b0364ce3ca20f32846d2a5ca89cbc92113d52406907ca1c5918bf8d14f826dfa9f738c002a4efbb5ef7bbc30bf31f59d4285b1816d3f695d69cf0f2113ec1388
-
SSDEEP
3072:RXNxbPxb1GXDbcqUkNO5LntzXCXKX24xVad5E0OtTn7922cDD:13bJb1GzPNMntSXnEad5etTn7o26
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
NSIS installer 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"C:\Users\Admin\AppData\Local\Temp\toolspab3.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 5043⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\C89F.exeC:\Users\Admin\AppData\Local\Temp\C89F.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CC79.exeC:\Users\Admin\AppData\Local\Temp\CC79.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Roaming\tdfceidC:\Users\Admin\AppData\Roaming\tdfceid1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\tdfceidC:\Users\Admin\AppData\Roaming\tdfceid2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
360KB
MD580c413180b6bd0dd664adc4e0665b494
SHA1e791e4a3391fc6b7bcb58399cd4fa3c52a06b940
SHA2566d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880
SHA512347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a
-
Filesize
933KB
MD57e4f0782a05e8db797ad194707caf101
SHA1e9371f702692abc34e7268f867caebb31f113c5a
SHA256e67302edc80342584d8a40b085e971edfb08e04b0f687d5afc684e7fda4e3df8
SHA5129cfd560609d29fdca1202079c10e1889c33cc7e8f5e7c0c861a9f91eb3f7c47aec050820ddca75000543f9b2601e21c9e92bb453ad4bc1cd233f9dbb14256157
-
Filesize
1003KB
MD5bf9138372d7f5ce657102e3c0a09a042
SHA130916bcb764edc464d581c81ccdaafba626a4f4f
SHA2560e920c5e6d017ce0254ed9298a2568bedaac49a67d97810fc59f39f0a182c13b
SHA512c42fcabf68fad149039a5dfef6e2a634ae761c0902bdb5033730c64f14a6ba28dcad924d59ee527becfc2d83b8b2751c6615d070c80952124a1b940738c4eb57
-
Filesize
975KB
MD55b197495e6e6317af77a580eca32d1b4
SHA118f0c66de27ec3efc87f34e88bb4efae76a9809b
SHA2569216896cbd3f6e77b14e1758a6992ce9ee3d2b9620525993255e33a9e0bdce4e
SHA512296c710c01b974d06b2bc7280c004936d1dad819f4ef034e04d6b800510d3e49d5b7a5a5b6b1574d6b860da328cbb7ad75ec75d1881958bca4a8666189dc7ccb
-
Filesize
689KB
MD534ed04c2cd2e355a26bc34054c1ebc38
SHA12d1c1410955bc384740e51d4117d46b0c2b131b5
SHA2566f4efb68ac843df4d25125a7f076a0546cbf51009e84fc67c1b2d9245720b3c8
SHA51297ce15584f7aa0f47fcc7e2a4e3f9368c6d81ed66463e45d5cc13c7769a094f87fa14dc3a01de8b7f0bda094b3832894202395f7422cf01cc702af0fe5f2a331
-
Filesize
208KB
MD579d36a2a84827ac86f9e30d31cf5b5dd
SHA101432852b4c3d1d1d17d45cde7bdbab0be214fce
SHA25655424ba52333947a5827238ff2b0905a9ae90c92fb7e9f0d165cbed47dffc47b
SHA512b0364ce3ca20f32846d2a5ca89cbc92113d52406907ca1c5918bf8d14f826dfa9f738c002a4efbb5ef7bbc30bf31f59d4285b1816d3f695d69cf0f2113ec1388
-
Filesize
888KB
MD5d00dc0b518a4b0b1e437a237232b5a1f
SHA140c9d35738dd0b94ee12dc1bebbf6752b334f23d
SHA256311ea0977262a1b13330b62c374164adbff61c89c924bc37818d8ef83d4cf2a3
SHA512b13df80edd96cfe578bd7a19bbd991c25bfdfd808ac2b6eb4f80972a2465d910838f033ff2b01d0c4f62fafbb74d285706c1d6c5e9c1436ea593ef7e952a298c
-
Filesize
12KB
MD5dd87a973e01c5d9f8e0fcc81a0af7c7a
SHA1c9206ced48d1e5bc648b1d0f54cccc18bf643a14
SHA2567fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1
SHA5124910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
1024KB
-
Filesize
88KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB