Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 07-02-2024 01:01
Static task
static1
Behavioral task
behavioral1
Sample
7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Resource
win10v2004-20231222-en
General
Target: 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Size: 311KB
MD5: 0daebde971a5f21690f26c1ed8bf8813
SHA1: 361417ed0552958448b0fde6aeb980fcbec9572a
SHA256: 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e
SHA512: 1ac209e287a79aa14a8448418b78383b3fab3712f8f3d59946f39aabab9b035628735ef9362eec5146966562cc15b0bfa0dbc00d6e104789e1e799d3f9259a7a
SSDEEP: 6144:QKILYpVy5qgOWp99sfQ+a/HTXbvOREnsE0aV:zIspVy5qgP2fQv/HbbZns
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid process
1164
Executes dropped EXE 2 IoCs
Processes:
pid process
2244 8804.exe
2784 8804.exe
Loads dropped DLL 2 IoCs
Processes:
pid process
2244 8804.exe
2076 regsvr32.exe
Processes:
resource yara_rule
behavioral1/memory/2784-24-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-28-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-27-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-29-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-30-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-31-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-43-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-50-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-52-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-57-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-68-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-69-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-70-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-82-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-83-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-90-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-94-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-95-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral1/memory/2784-96-0x0000000000400000-0x0000000000848000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" 8804.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2244 set thread context of 2784 2244 8804.exe 8804.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2968 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
2968 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
1164 (the remaining 62 IoCs are all for PID 1164; no process name recorded in the report)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
2968 7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
1164
1164
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
1164
1164
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
description pid process target process
PID 1164 wrote to memory of 2244 1164 8804.exe (4 entries)
PID 2244 wrote to memory of 2784 2244 8804.exe 8804.exe (9 entries)
PID 1164 wrote to memory of 1412 1164 regsvr32.exe (5 entries)
PID 1412 wrote to memory of 2076 1412 regsvr32.exe regsvr32.exe (7 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2968
-
C:\Users\Admin\AppData\Local\Temp\8804.exe
  command line: C:\Users\Admin\AppData\Local\Temp\8804.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2244
    C:\Users\Admin\AppData\Local\Temp\8804.exe (child of PID 2244)
      command line: C:\Users\Admin\AppData\Local\Temp\8804.exe
      - Executes dropped EXE
      - Adds Run key to start application
      PID: 2784
-
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\9426.dll
  - Suspicious use of WriteProcessMemory
  PID: 1412
    C:\Windows\SysWOW64\regsvr32.exe (child of PID 1412)
      command line: /s C:\Users\Admin\AppData\Local\Temp\9426.dll
      - Loads dropped DLL
      PID: 2076
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 668KB
MD5: 7d6f1ed9efe0638df92322164bb90168
SHA1: c265075b9b813be151045a23d5bf095378bb7936
SHA256: eac223187c982e7aa31211526ca1e3991f24c017e06e4fd99b783a8bd6a90fd1
SHA512: 4d6059674967afa889b3929576cb5ac5a917cb71f7594962deda8222517f0d43a01956add4ca473e3a7b5dde6c45576a514b7b91ce7da03c8cff0ea3e5145e48
-
Filesize: 7.6MB
MD5: 1c052a489fd2559d65d308a9195ddccc
SHA1: 366f6d911adf94f3e99780ee6f46c348643d817f
SHA256: 9609eeba94998fb2ce472957a859495dd819433da1a7d399aff807e0f19c985d
SHA512: b6d19d29adee77d5bba3fb0d7eeaeb991af2a9a7a323663b897b2bd0dd7e80ebfee9ec636e909f62f3440f5e4d2bdde2c1d4bccfe9c91a21f38943e021b460c9
-
Filesize: 1.9MB
MD5: 151e9ec4f0355d2f131b871671bd5e20
SHA1: 50992f712b281db70518e6d404084e26dcd98b98
SHA256: a1480e23bd2a89b188fb01138ef2f54130f2dc41ce85ff9319ab7f15471b0011
SHA512: 18a2fa6e9c97281328de819126dccb6cc8576e11ea11a8faba629da58e724040427c7d941ce0f935948195c30da6d60a6873d7e3e9613eba7df42bde1a3aba1f
-
Filesize: 1.7MB
MD5: b019a088041eb55df8a7482338ea240a
SHA1: 9d4789657cfc50ef5d5d5e6899c89de0119f8ea6
SHA256: c994bc26c7cc7a003ac3120415cff033b912c66939ed3b09a9683d20a47b0dda
SHA512: 1fdaf714398b82d3bde85ee3264200c8b9116f40b4f33a3b96a394ccdecc5a308cb671c634243cc09247f5594d9c78552c751e281c0531ae4f2e16b38bf37b8f