Analysis
Max time kernel: 150s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20231215-en
Resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
Submitted: 15-02-2024 23:57
Static task: static1
Behavioral task: behavioral1
Sample: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
Resource: win7-20231215-en
General
Target: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
Size: 240KB
MD5: 32e42bd81cfc8ea5fc638a5f43a749f0
SHA1: 37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
SHA256: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
SHA512: 8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15
SSDEEP: 6144:6Ofqv2ATm/X4b0jtNqrqokT6MbiZ44WR:6OfhAwowKgsZ6
Malware Config
Extracted: smokeloader
  pub3
Extracted: smokeloader
  2022
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1272  (blank in report)
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1396  1B1F.exe
    2552  afrrbdj
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1396  1B1F.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                                 process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    afrrbdj
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    afrrbdj
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    afrrbdj
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3000  8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe  (2 entries)
    1272  (blank in report)                                                      (62 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid   process
    3000  8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
    2552  afrrbdj
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    description                        pid   process      target process
    PID 1272 wrote to memory of 1396   1272  (blank)      1B1F.exe      (4 entries)
    PID 1396 wrote to memory of 2612   1396  1B1F.exe     1B1F.exe      (10 entries)
    PID 1712 wrote to memory of 2552   1712  taskeng.exe  afrrbdj       (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe (PID 3000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\1B1F.exe (PID 1396)
  Command line: C:\Users\Admin\AppData\Local\Temp\1B1F.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1B1F.exe (PID 2612, child of PID 1396)
    Command line: C:\Users\Admin\AppData\Local\Temp\1B1F.exe
- C:\Windows\system32\taskeng.exe (PID 1712)
  Command line: taskeng.exe {302ADBBB-324C-41DF-A6B5-B0F2CDEAD367} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\afrrbdj (PID 2552, child of PID 1712)
    Command line: C:\Users\Admin\AppData\Roaming\afrrbdj
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 389KB
  MD5: 57a16daebdf4113651b1d0a1af3ebf96
  SHA1: bf2dec1b7cdbe8548020f6e9c3002151fe6a20ee
  SHA256: 54fe7416808922eb895d5a5b56aa62db6c404bf95d9d689e4e6d464b2f9e58b4
  SHA512: a20f4c5e9e3f3656171201e509d80dfc61b962c141512cd05945dad0129b181cc3516b21c43a76d1a04c13208760362187e894db198ecfc81664b75f744d58b6
- Filesize: 145KB
  MD5: cd509076d6e471194363cfecc06c46b6
  SHA1: d50dfba7b2ce5037145bc545172c887431f26da1
  SHA256: de874c7f06632d5bf1556fa21ee917915d00e7143d6fe3721128c575fe4ac82c
  SHA512: 390d0b7b6a6eb0b879a29194e228c86c16a91a408ca9149a2065487fc7bfa66ecc65d4cffe4b39eda18e4ea51f71afe49ffbd5220135da5f56b889142ab66076
- Filesize: 240KB
  MD5: 32e42bd81cfc8ea5fc638a5f43a749f0
  SHA1: 37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
  SHA256: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
  SHA512: 8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15
- Filesize: 192KB
  MD5: b4149b4a35e02013e81f173b6e1c2c35
  SHA1: 7cd2908d39d22d3615b18c848941c3a6b39cc58c
  SHA256: 119cd393ce755ceae61df6fed0e80c135cc988b972307db5e19e4ee1955c9886
  SHA512: a7de6b5cd059b13894266a02f4b05328add5dc3d9da449ec57a37f94844b32639b06d46df229b456c52177c9cd14fff95a8062be9f31223aefa68c8c3f78f77d