Analysis
- max time kernel: 150s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 12-02-2024 18:25
Static task: static1
Behavioral task: behavioral1
Sample: 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
Resource: win7-20231215-en
General
- Target: 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
- Size: 217KB
- MD5: 34d6101588b61ba8e9b4d0c536ecd77c
- SHA1: 91e70f4960d0fcd1c6af828dfaedc3f705ebc773
- SHA256: 22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21
- SHA512: 79dd27db42e58f79353b4f3396d8f5b7a286b99a9b5223671bf4fe5c653a9d9bbbe792f1307d0c1002c1e44e7dfdb218d0ccab06f5e3df7cafb042572546c2c7
- SSDEEP: 3072:iH2KZ8t0X6rJrqodM+dxv1G086+6jP00ztLR5HVFUjWjJkp:iHfZ8S+RHHv1GT+P0eVR5HYjWjm
Malware Config
Extracted: smokeloader
- pub3
Extracted: smokeloader
- Version: 2022
- C2:
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Extracted: amadey
- Version: 4.14
- C2:
  http://anfesq.com
  http://cbinr.com
  http://rimakc.ru
- install_dir: 68fd3d7ade
- install_file: Utsysc.exe
- strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
- url_paths: /forum/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes:
    PID 1384 (no process name recorded in the report)
- Executes dropped EXE (4 IoCs)
  Processes:
    PID 2920  12A6.exe
    PID 2516  Utsysc.exe
    PID 1524  Utsysc.exe
    PID 2064  Utsysc.exe
- Loads dropped DLL (44 IoCs)
  Processes (PID, image, number of recorded loads):
    2920  12A6.exe       2
    2932  rundll32.exe   4
    2224  rundll32.exe   4
    2100  WerFault.exe   2
    3068  rundll32.exe   4
    2368  rundll32.exe   4
    1448  WerFault.exe   2
    1108  rundll32.exe   4
    1776  rundll32.exe   4
    2524  WerFault.exe   2
    932   rundll32.exe   4
    684   rundll32.exe   4
    2304  rundll32.exe   4
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (PID, image, number of recorded events):
    2436  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe  2
    1384  (no process name recorded in the report)                              62
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 2436  22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  PID 1384  (3 events, no process name recorded in the report)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    PID 2920  12A6.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID/image -> target PID/image, number of recorded writes):
    1384 (no name)        -> 2920 12A6.exe        4
    2920 12A6.exe         -> 2516 Utsysc.exe      4
    2516 Utsysc.exe       -> 1392 schtasks.exe    4
    1912 taskeng.exe      -> 1524 Utsysc.exe      4
    2516 Utsysc.exe       -> 2932 rundll32.exe    7
    2932 rundll32.exe     -> 2224 rundll32.exe    4
    2224 rundll32.exe     -> 2100 WerFault.exe    3
    2516 Utsysc.exe       -> 3068 rundll32.exe    7
    3068 rundll32.exe     -> 2368 rundll32.exe    4
    2368 rundll32.exe     -> 1448 WerFault.exe    3
    2516 Utsysc.exe       -> 1108 rundll32.exe    7
    1108 rundll32.exe     -> 1776 rundll32.exe    4
    1776 rundll32.exe     -> 2524 WerFault.exe    3
    2516 Utsysc.exe       -> 932 rundll32.exe     6
Processes (indented by depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\22271a5e0eb009b9c2f9526bc065037cf4b4a04fa5ab1b0c557cc3e50a67ff21.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 2436

[1] C:\Users\Admin\AppData\Local\Temp\12A6.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\12A6.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2920

    [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 2516

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
            - Creates scheduled task(s)
            PID: 1392

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 2932

            [4] C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 2224

                [5] C:\Windows\system32\WerFault.exe
                    Command line: C:\Windows\system32\WerFault.exe -u -p 2224 -s 312
                    - Loads dropped DLL
                    PID: 2100

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 3068

            [4] C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 2368

                [5] C:\Windows\system32\WerFault.exe
                    Command line: C:\Windows\system32\WerFault.exe -u -p 2368 -s 312
                    - Loads dropped DLL
                    PID: 1448

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 1108

            [4] C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 1776

                [5] C:\Windows\system32\WerFault.exe
                    Command line: C:\Windows\system32\WerFault.exe -u -p 1776 -s 312
                    - Loads dropped DLL
                    PID: 2524

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
            - Loads dropped DLL
            PID: 932

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
            - Loads dropped DLL
            PID: 684

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
            - Loads dropped DLL
            PID: 2304

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {B99603D9-DA70-4C6B-B2FC-A8967C13E0A8} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 1912

    [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        - Executes dropped EXE
        PID: 1524

    [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
        - Executes dropped EXE
        PID: 2064
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 395KB
  MD5: 1e42a52c9909dd21636bba1b0f00f8e8
  SHA1: 93f8c29dd3b615a97ef35b5bb3d5523bfe21d613
  SHA256: 0747f384a5cf12ae118c194c48a59dc7dcbb23c75b9d7d43b1cb03be8c711719
  SHA512: 400451711cf3ce5f756f63008a4461271f86faeeaa0dcfbc24caacb98f5aef7c61d897038f38f58b770d95ffc420da2fb686b8934eb573c13ce11910c6f7cf40
- Filesize: 66KB
  MD5: 3a2b89978a59b63e3bad5bff1e54ec5e
  SHA1: a7654dbf25c6da379995fb11d252bcb6a0ca86ee
  SHA256: 3f9701249b389d15f2d1ca4ab29265e5a76bcbb5d9779c03e081676d571e3416
  SHA512: 34f7c27853f2beb38eeddd8c255f8f7da698da697c5606af89710c43347c9017e16dc2f94327e665bb41ef29bcd7216b4b3ce97af711890510958f85c4439f13
- Filesize: not recorded (the hashes below are those of zero-byte input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 102KB
  MD5: 4194e9b8b694b1e9b672c36f0d868e32
  SHA1: 252f27fe313c7bf8e9f36aef0c7b676383872efb
  SHA256: 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
  SHA512: f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
- Filesize: 1.1MB
  MD5: f01f5bc76b9596e0cfeab8a272cba3a5
  SHA1: 19cab1291e4e518ae636f2fb3d41567e4e6e4722
  SHA256: 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
  SHA512: ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63
- Filesize: 64KB
  MD5: b804eeb2110d84f6e6f864ef575f7a1d
  SHA1: 82c41d00f257d84560dee6b1b506e775bf6788f4
  SHA256: 3fa2efe45129d32341057799493740157b91644aad7253d2f83b6b7db3237906
  SHA512: e2d7c828551bd83f7ee3b490f7598898589e9eb2ed4a8366930fddb188d3884337e6c85d9ae54f587fa72b38456cac75892c5dcb11bb3c3e0964929dea69cb8b
- Filesize: 980KB
  MD5: b43b1c8b93d014610db08b741779ef09
  SHA1: 00d6617d8e5918931772e86f5a958eca664780fc
  SHA256: 8255c51b1d428c846f5a7438beccaee2f56aca5d2918535867644db86eb2eb25
  SHA512: dead0c97171a3cd9708980fc00cc7a733ed757e24f3b2c7df2f1decae0a16f14ec33ac453ac4205795e559b559e0e72b36e4d336adb0c2b85a2c3a3e3db72afe
- Filesize: 896KB
  MD5: 455600bca133c228b9480e56b4b5e681
  SHA1: 0ed599c0c25d5b16ad63b46ad43b1813723f17c6
  SHA256: 97a9e1a7d61804b9e5695fc48197cb638639e8dcdb558194f8908d175a911429
  SHA512: 909dc971dc82d9af1016bf70922823f27d085035d66106d802c203052155dd8bd67f80293c5ef83b9a9945c7a41e48ee7fb6797b5fe682335d1e8cf17ef081d6
- Filesize: 620KB
  MD5: 9a3d12357fc28282f982b8ed97307444
  SHA1: dfc36e165debb7f540bfe841e31a94b195fe7446
  SHA256: 7a635ee120ae682816899f7abb51f9fae166d44720b5f79fa937a451a022ebed
  SHA512: d6882f92d09535c542a3ffff631fe52d6a50897b88ba5dc5b5ef45300ded06685b60f62a69b34d184be90831fcb17bb0e6867233ce207cf7a36d4db7cf3a9a51