Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 12-02-2024 18:35
Static task: static1
Behavioral task: behavioral1
Sample: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Resource: win7-20231215-en
General
Target: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Size: 217KB
MD5: d722704eff46ac5ca68723e9d35e9c81
SHA1: c08f9166337b98a774fd43b771c652bead0b57af
SHA256: ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387
SHA512: 80f2c9d8e5f630e1b2b511a7460a31c4b98ff8e628fecba33546205a00c11b5638a484c559b7c466cb7d2f2bc9f92b791fa7ab4e7d15cc55c4a0ff65de7a0e9b
SSDEEP: 6144:DHfZ8S+RSDnm9WwgFyzE9P08R5HYjWjm:TfZ8S+ILm9PgFyzO08R5f
Malware Config
Extracted
Family: smokeloader
Version: pub1
Extracted
Family: smokeloader
Version: 2022
C2:
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
Family: amadey
Version: 4.14
C2:
http://anfesq.com
http://cbinr.com
http://rimakc.ru
install_dir: 68fd3d7ade
install_file: Utsysc.exe
strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
url_paths: /forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes:
pid process
1208
-
Executes dropped EXE 4 IoCs
Processes:
pid process
2580 F0E4.exe
2812 Utsysc.exe
1624 Utsysc.exe
868 Utsysc.exe
-
Loads dropped DLL 44 IoCs
Processes:
pid process (entries)
2580 F0E4.exe (2)
668 rundll32.exe (4)
1348 rundll32.exe (4)
2424 WerFault.exe (2)
380 rundll32.exe (4)
1496 rundll32.exe (4)
2260 WerFault.exe (2)
680 rundll32.exe (4)
1280 rundll32.exe (4)
1144 WerFault.exe (2)
2796 rundll32.exe (4)
2412 rundll32.exe (4)
1716 rundll32.exe (4)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process (entries; pid 1208 is listed without a process name in the report)
2420 ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe (2)
1208 (62)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
2420 ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description pid (entries)
Token: SeShutdownPrivilege 1208 (3)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
2580 F0E4.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description: source process -> target process (entries; pid 1208 is listed without a process name in the report)
PID 1208 wrote to memory of 2580: (not named) -> F0E4.exe (4)
PID 2580 wrote to memory of 2812: F0E4.exe -> Utsysc.exe (4)
PID 2812 wrote to memory of 2388: Utsysc.exe -> schtasks.exe (4)
PID 2484 wrote to memory of 1624: taskeng.exe -> Utsysc.exe (4)
PID 2812 wrote to memory of 668: Utsysc.exe -> rundll32.exe (7)
PID 668 wrote to memory of 1348: rundll32.exe -> rundll32.exe (4)
PID 1348 wrote to memory of 2424: rundll32.exe -> WerFault.exe (3)
PID 2812 wrote to memory of 380: Utsysc.exe -> rundll32.exe (7)
PID 380 wrote to memory of 1496: rundll32.exe -> rundll32.exe (4)
PID 1496 wrote to memory of 2260: rundll32.exe -> WerFault.exe (3)
PID 2812 wrote to memory of 680: Utsysc.exe -> rundll32.exe (7)
PID 680 wrote to memory of 1280: rundll32.exe -> rundll32.exe (4)
PID 1280 wrote to memory of 1144: rundll32.exe -> WerFault.exe (3)
PID 2812 wrote to memory of 2796: Utsysc.exe -> rundll32.exe (6)
Processes (parent/child relationship shown by indentation)

C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ecb01d7f140ad632a0d1dbc641d961c1fb83520b5c8d4010038c084757825387.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2420

C:\Users\Admin\AppData\Local\Temp\F0E4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F0E4.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2580
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2812
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
      - Creates scheduled task(s)
      PID: 2388
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 668
      C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1348
        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1348 -s 312
          - Loads dropped DLL
          PID: 2424
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 380
      C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1496
        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1496 -s 312
          - Loads dropped DLL
          PID: 2260
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 680
      C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1280
        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1280 -s 312
          - Loads dropped DLL
          PID: 1144
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 2796
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 2412
    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 1716

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {61E17E13-96EA-4A15-83F3-7F7DA0F8D141} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2484
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 1624
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 868
Network
MITRE ATT&CK Enterprise v15
Downloads