Malware Analysis Report

2024-12-08 00:43

Sample ID: 240201-kbamjshdcr
Target: af5282a51cef3bfe67618820bc588881.exe
SHA256: 7027b1ec91d52aa39f5c78d9ee8fe0a2dd7375d0f6d2e3155e31e4f175838143
Tags: smokeloader pub3 backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 7027b1ec91d52aa39f5c78d9ee8fe0a2dd7375d0f6d2e3155e31e4f175838143

Threat Level: Known bad

The file af5282a51cef3bfe67618820bc588881.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader pub3 backdoor trojan

SmokeLoader

Downloads MZ/PE file

Loads dropped DLL

Deletes itself

Drops startup file

Executes dropped EXE

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-01 08:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-01 08:25
Reported: 2024-02-01 08:27
Platform: win7-20231215-en
Max time kernel: 152s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\D3A.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D3A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D3A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D3A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D3A.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
(62 further rows with all four columns N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe

"C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe"

C:\Users\Admin\AppData\Local\Temp\D3A.exe

C:\Users\Admin\AppData\Local\Temp\D3A.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | gxutc2c.com | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | emgvod.com | udp
KR | 211.119.84.111:80 | emgvod.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp

Files

memory/2672-1-0x0000000000560000-0x0000000000660000-memory.dmp

memory/2672-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2672-3-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2672-5-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1268-4-0x00000000029F0000-0x0000000002A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D3A.exe

MD5 06fad45002385c2b1062998e6d840e54
SHA1 4c598a9fd8f4768bfcc83a2b43effa1387050003
SHA256 fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611
SHA512 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f

memory/2668-20-0x0000000002C10000-0x0000000002D10000-memory.dmp

memory/2668-21-0x00000000002C0000-0x0000000000351000-memory.dmp

\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 69656b64c3dec4fc3bedcc33d31161d8
SHA1 4a82c8c926e1b35fd432b045c543b98e7215737d
SHA256 c8165c3c116deb726aabca38b4ff9295fcc9cbd063bb773b90e0bbe7a6058e3b
SHA512 731438b793a9cdf30d166509b60587ac7ca8065100a186847eda8dcf2ba0fd3c8ef82fdc324769add92b4699fb3280dc3ade6b11cb13ddb996344ee916164b89

memory/2668-26-0x0000000000400000-0x0000000002B72000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

MD5 0d4ac9dd920f258bc5cdac81ad327740
SHA1 1fd0d6d209da0109a313b746a2ed6c1a0f02529a
SHA256 b19dc8ba8a1429e1484fab3284ff8420cc9b2db334e0e4cc011e6c0608a1ede2
SHA512 e8c586f591fffc94f9ccb6ff3c032d70fe5d778e886f05339d4aaf819275f655289b993cad0f444080c88a03f80d0bb65a8dee881119d8028946ff6965d890e1

\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 b64441bc28980e9655fe5e844e0992f9
SHA1 141dc2d8035b265082464bb166c40c745e2e481b
SHA256 38a3e2b4fe7623f663cbb621c9b26d066bd5f0f74b7f5a31b4345d176b398c76
SHA512 a7b0139cc806c87ba4291bd9192f77feeb5d438ba31550b4b625b425e84ba9e1480defa77bf8f3f97010d2f12e5afc27d79de95bd0bed7cb7f8dc627c6657a1e

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 6359be92daadda4674b3b654123f1ee8
SHA1 2364765655e85c4a3d52a202843933b3666d8507
SHA256 642c11df35f1601b7ce3b0df230e623264f9efcc00ea13cb16f91daa7866277d
SHA512 c9c3bb94c101a158fd34f2c1722d582448dc6d6149249c8510968873e8c5023bcf71fd11f77efb3749ec082a2a722d7cd330105a29e12217c74d16fa63046ef6

\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 4163168a05a93b50f4f52e44a4de635c
SHA1 e471e6a06396a1f9fb3a7f10180c010842e811dd
SHA256 6a0845c0db490e398161b2a363524a670f028a1393f6d5a5c686b6592f72f747
SHA512 d20741a598cde6a94e2a95d9a5123eb12f77c844dd85466733d008c34e59a5dfc2dabb1c0d3c21203efac9d281053ff5156c795298d4b89dd43808d09ee88fe4

memory/2668-35-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/1860-37-0x0000000002C30000-0x0000000002D30000-memory.dmp

memory/1860-38-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/1860-41-0x0000000002C30000-0x0000000002D30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-01 08:25
Reported: 2024-02-01 08:27
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\E82.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E82.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A
(62 further rows with all four columns N/A)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3428 wrote to memory of 1688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe
PID 3428 wrote to memory of 1688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe
PID 3428 wrote to memory of 1688 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe
PID 1688 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 1688 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 1688 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\E82.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe

"C:\Users\Admin\AppData\Local\Temp\af5282a51cef3bfe67618820bc588881.exe"

C:\Users\Admin\AppData\Local\Temp\E82.exe

C:\Users\Admin\AppData\Local\Temp\E82.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1688 -ip 1688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 1000

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | gxutc2c.com | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | 7.10.180.2.in-addr.arpa | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | emgvod.com | udp
KR | 211.119.84.111:80 | emgvod.com | tcp
US | 8.8.8.8:53 | 111.84.119.211.in-addr.arpa | udp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
IR | 2.180.10.7:80 | gxutc2c.com | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp

Files

memory/4144-1-0x00000000007A0000-0x00000000008A0000-memory.dmp

memory/4144-2-0x00000000005A0000-0x00000000005AB000-memory.dmp

memory/4144-3-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3428-4-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/4144-5-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E82.exe

MD5 06fad45002385c2b1062998e6d840e54
SHA1 4c598a9fd8f4768bfcc83a2b43effa1387050003
SHA256 fe089e2de5573a6e56ca69768894bffa6cfe9d2db226edd6ebd75a221d044611
SHA512 4917ea1585e746ad3f105589768a506f48c24d15bc88fe3a65419d7b5fee1f7af1fb06d5746a9a8982ce81de97f668eb24bbf53e45637f5c3e83dc95dd7f3f8f

memory/1688-16-0x0000000002E50000-0x0000000002F50000-memory.dmp

memory/1688-17-0x00000000047F0000-0x0000000004881000-memory.dmp

memory/1688-22-0x0000000000400000-0x0000000002B72000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 3cd63a1bee20221a78bfd044c41fdc1e
SHA1 f654b36109b453f82bb7f0187431e69e13fa780d
SHA256 a59c014ca7c5843ff51641c89cc05b35372d0896c2a30571a2dbd7cf705873a4
SHA512 82a0b049c0a96bdbb4b9ea4d9bebcdf87aeadf723ccab68ef6229676dac6eac9166d5d4f09c8e505ca5c2464756fd8474378f69ba0811e946926a89e40a35638

memory/2304-28-0x0000000002F30000-0x0000000003030000-memory.dmp

memory/2304-29-0x00000000047D0000-0x0000000004861000-memory.dmp

memory/1688-27-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/2304-30-0x0000000000400000-0x0000000002B72000-memory.dmp

memory/2304-33-0x0000000002F30000-0x0000000003030000-memory.dmp