Analysis
- max time kernel: 110s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24/01/2024, 04:19
Static task: static1
Behavioral task: behavioral1
- Sample: 716e808961c26085303b90cedec7ae17.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 716e808961c26085303b90cedec7ae17.exe
- Resource: win10v2004-20231222-en
General
- Target: 716e808961c26085303b90cedec7ae17.exe
- Size: 147KB
- MD5: 716e808961c26085303b90cedec7ae17
- SHA1: 9d4c5dc49c0d24e244090f38a87af186163fcd14
- SHA256: 4564475353ab3f0d5e9200009b3e8f0ab950dd140720a8ac3ecd054b80b9cf8f
- SHA512: 57f0ae8d7dba69f0464e92cd206098a55c31e271204fdf6fd812c90fcbadb116df79b2ca26add306208ffbff768871c659e28d81b79f8a26d5220d5a86dc05f1
- SSDEEP: 3072:HpHSh0hXk6HfgLp+1iReblGYeazgFnLmx:1ShP6H4d+5JeYgFnL
Malware Config
Extracted: smokeloader, pub1
Extracted: smokeloader, 2020
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid   Process
  3432  Process not Found
- Executes dropped EXE (1 IoC)
  pid   Process
  3624  bjjggas
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  4412  2304        WerFault.exe  13
  736   3624        WerFault.exe  103
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  716e808961c26085303b90cedec7ae17.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  716e808961c26085303b90cedec7ae17.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  716e808961c26085303b90cedec7ae17.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bjjggas
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bjjggas
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bjjggas
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2304  716e808961c26085303b90cedec7ae17.exe (2 entries)
  3432  Process not Found (62 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  2304  716e808961c26085303b90cedec7ae17.exe
  3624  bjjggas
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                       pid   Process
  Token: SeShutdownPrivilege        3432  Process not Found
  Token: SeCreatePagefilePrivilege  3432  Process not Found
  Token: SeShutdownPrivilege        3432  Process not Found
  Token: SeCreatePagefilePrivilege  3432  Process not Found
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\716e808961c26085303b90cedec7ae17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\716e808961c26085303b90cedec7ae17.exe"
  PID: 2304
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 368
    PID: 4412
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2304 -ip 2304
  PID: 3044
- C:\Users\Admin\AppData\Roaming\bjjggas
  Command line: C:\Users\Admin\AppData\Roaming\bjjggas
  PID: 3624
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 372
    PID: 736
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3624 -ip 3624
  PID: 1096
Network
MITRE ATT&CK Enterprise v15