Analysis
-
max time kernel: 149s
-
max time network: 121s
-
platform: windows7_x64
-
resource: win7-20231129-en
-
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
-
submitted: 24/01/2024, 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: 716e808961c26085303b90cedec7ae17.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 716e808961c26085303b90cedec7ae17.exe
  Resource: win10v2004-20231222-en
General
-
Target: 716e808961c26085303b90cedec7ae17.exe
-
Size: 147KB
-
MD5: 716e808961c26085303b90cedec7ae17
-
SHA1: 9d4c5dc49c0d24e244090f38a87af186163fcd14
-
SHA256: 4564475353ab3f0d5e9200009b3e8f0ab950dd140720a8ac3ecd054b80b9cf8f
-
SHA512: 57f0ae8d7dba69f0464e92cd206098a55c31e271204fdf6fd812c90fcbadb116df79b2ca26add306208ffbff768871c659e28d81b79f8a26d5220d5a86dc05f1
-
SSDEEP: 3072:HpHSh0hXk6HfgLp+1iReblGYeazgFnLmx:1ShP6H4d+5JeYgFnL
Malware Config
-
Extracted: smokeloader, pub1
-
Extracted: smokeloader, 2020
- http://aucmoney.com/upload/
- http://thegymmum.com/upload/
- http://atvcampingtrips.com/upload/
- http://kuapakualaman.com/upload/
- http://renatazarazua.com/upload/
- http://nasufmutlu.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
pid | Process
1372 | Process not Found
-
Executes dropped EXE (1 IoC)
pid | Process
2668 | swdchwb
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 716e808961c26085303b90cedec7ae17.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 716e808961c26085303b90cedec7ae17.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 716e808961c26085303b90cedec7ae17.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | swdchwb
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | swdchwb
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | swdchwb
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1364 | 716e808961c26085303b90cedec7ae17.exe (2 entries)
1372 | Process not Found (remaining 62 entries, all identical)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
1364 | 716e808961c26085303b90cedec7ae17.exe
2668 | swdchwb
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2632 wrote to memory of 2668 | 2632 | taskeng.exe | 29
(the same row is recorded 4 times)
-
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\716e808961c26085303b90cedec7ae17.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\716e808961c26085303b90cedec7ae17.exe"
  PID: 1364
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {B017B149-2C02-4416-BDD6-678B0C25C11F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 2632
  - Suspicious use of WriteProcessMemory
  child process:
    C:\Users\Admin\AppData\Roaming\swdchwb
      command line: C:\Users\Admin\AppData\Roaming\swdchwb
      PID: 2668
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 127KB
MD5: 39599015feebc899fb91b23eb1944f0f
SHA1: 996e0a4abc8573c520c5ffe6bd7df9294f5e9d3b
SHA256: ac7576849c2a80252a1aee6978cb15e99539c39d7e26c29b60532ed6c6780813
SHA512: 78c7d1cd9d7c2a7ed5fb1bccf646783631925b35d0ff7a43ec7df9357d8d0a19258e031fb16d9838dcd1d965821150d1f32b872cb91cfa51b5b99958f19a4ade
-
Filesize: 147KB
MD5: 716e808961c26085303b90cedec7ae17
SHA1: 9d4c5dc49c0d24e244090f38a87af186163fcd14
SHA256: 4564475353ab3f0d5e9200009b3e8f0ab950dd140720a8ac3ecd054b80b9cf8f
SHA512: 57f0ae8d7dba69f0464e92cd206098a55c31e271204fdf6fd812c90fcbadb116df79b2ca26add306208ffbff768871c659e28d81b79f8a26d5220d5a86dc05f1