Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
15-02-2024 23:57
Static task
static1
Behavioral task
behavioral1
Sample
8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
Resource
win7-20231215-en
General
-
Target
8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
-
Size
240KB
-
MD5
32e42bd81cfc8ea5fc638a5f43a749f0
-
SHA1
37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
-
SHA256
8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
-
SHA512
8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15
-
SSDEEP
6144:6Ofqv2ATm/X4b0jtNqrqokT6MbiZ44WR:6OfhAwowKgsZ6
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: C757.exe, Utsysc.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: C757.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (process: Utsysc.exe)
-
Deletes itself 1 IoCs
Processes:
- PID 3536 (process name empty)
-
Executes dropped EXE 9 IoCs
Processes: C757.exe, Utsysc.exe, avctreh
- PID 456 C757.exe
- PID 2344 C757.exe
- PID 3988 Utsysc.exe
- PID 556 Utsysc.exe
- PID 792 Utsysc.exe
- PID 4540 Utsysc.exe
- PID 1136 Utsysc.exe
- PID 4688 Utsysc.exe
- PID 5024 avctreh
-
Loads dropped DLL 9 IoCs
Processes: rundll32.exe
- PID 3496 rundll32.exe
- PID 1276 rundll32.exe
- PID 2356 rundll32.exe
- PID 4636 rundll32.exe
- PID 2176 rundll32.exe
- PID 1472 rundll32.exe
- PID 2068 rundll32.exe
- PID 2816 rundll32.exe
- PID 2032 rundll32.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes: C757.exe, Utsysc.exe
- PID 456 (C757.exe) set thread context of PID 2344 (C757.exe)
- PID 3988 (Utsysc.exe) set thread context of PID 556 (Utsysc.exe)
- PID 792 (Utsysc.exe) set thread context of PID 4540 (Utsysc.exe)
- PID 1136 (Utsysc.exe) set thread context of PID 4688 (Utsysc.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe, avctreh
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: avctreh)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: avctreh)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: avctreh)
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
- PID 2300 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe (2 entries)
- PID 3536, process name empty (all remaining entries of the 64)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe, avctreh
- PID 2300 8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe
- PID 5024 avctreh
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes: (process name empty for every entry)
- Token: SeShutdownPrivilege, PID 3536
- Token: SeCreatePagefilePrivilege, PID 3536
The two entries above alternate repeatedly, 36 entries in total.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: C757.exe
- PID 2344 C757.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: C757.exe, Utsysc.exe, rundll32.exe
- PID 3536 (process name empty) wrote to memory of PID 456 (C757.exe): 3 entries
- PID 456 (C757.exe) wrote to memory of PID 2344 (C757.exe): 10 entries
- PID 2344 (C757.exe) wrote to memory of PID 3988 (Utsysc.exe): 3 entries
- PID 3988 (Utsysc.exe) wrote to memory of PID 556 (Utsysc.exe): 10 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2096 (schtasks.exe): 3 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 3496 (rundll32.exe): 3 entries
- PID 3496 (rundll32.exe) wrote to memory of PID 1276 (rundll32.exe): 2 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2356 (rundll32.exe): 3 entries
- PID 2356 (rundll32.exe) wrote to memory of PID 4636 (rundll32.exe): 2 entries
- PID 792 (Utsysc.exe) wrote to memory of PID 4540 (Utsysc.exe): 10 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2176 (rundll32.exe): 3 entries
- PID 2176 (rundll32.exe) wrote to memory of PID 1472 (rundll32.exe): 2 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2068 (rundll32.exe): 3 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2816 (rundll32.exe): 3 entries
- PID 556 (Utsysc.exe) wrote to memory of PID 2032 (rundll32.exe): 3 entries
- PID 1136 (Utsysc.exe) wrote to memory of PID 4688 (Utsysc.exe): 1 entry
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2300
-
C:\Users\Admin\AppData\Local\Temp\C757.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\C757.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Users\Admin\AppData\Local\Temp\C757.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\C757.exe
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\schtasks.exe (level 5)
Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
- Creates scheduled task(s)
PID:2096 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\system32\rundll32.exe (level 6)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\system32\rundll32.exe (level 6)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
PID:4636 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\system32\rundll32.exe (level 6)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
- Loads dropped DLL
PID:1472 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\rundll32.exe (level 5)
Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
- Loads dropped DLL
PID:2032
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
- Executes dropped EXE
PID:4540
-
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
- Executes dropped EXE
PID:4688
-
C:\Users\Admin\AppData\Roaming\avctreh (level 1)
Command line: C:\Users\Admin\AppData\Roaming\avctreh
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5024
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
78KB
MD5
b567fea2f064c6b697be5ffc72d10ad9
SHA1
b5b22d1d3b68737fee3a0e22327da3f3b2e19380
SHA256
ebf0cd7b2b3a87f289964038b6a527a7fb220a17b48c2653aa0b763422639a71
SHA512
279bfbfb7b2c391167388b9aacc42f2bf570d278482a844a2086294297468957b016031576a5e39d6cdc868990eaacce5fcada107a25f385f8c9b951dc2020e0
-
Filesize
389KB
MD5
57a16daebdf4113651b1d0a1af3ebf96
SHA1
bf2dec1b7cdbe8548020f6e9c3002151fe6a20ee
SHA256
54fe7416808922eb895d5a5b56aa62db6c404bf95d9d689e4e6d464b2f9e58b4
SHA512
a20f4c5e9e3f3656171201e509d80dfc61b962c141512cd05945dad0129b181cc3516b21c43a76d1a04c13208760362187e894db198ecfc81664b75f744d58b6
-
Filesize
102KB
MD5
4194e9b8b694b1e9b672c36f0d868e32
SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
-
Filesize
1.1MB
MD5
f01f5bc76b9596e0cfeab8a272cba3a5
SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63
-
Filesize
240KB
MD5
32e42bd81cfc8ea5fc638a5f43a749f0
SHA1
37df03feda3f4da9ef7c5d2bdc308bda6d1a9b49
SHA256
8a0cc572475268a9ca1e1f9f65bbcd875b3aeb0522014d627e780e615092cd9a
SHA512
8a531a29a39b663fb17ccd0c6a72d17635254d3e8061b1ee949f8f9b4cace6106e6d9363f5a8d7b4b42119233c7edfac3a9a3bb5be9c3846617c26e692944e15