Analysis
- max time kernel: 150s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2024 00:53
Static task
static1
Behavioral task
behavioral1
Sample
75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
Resource
win7-20231215-en
General
- Target: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
- Size: 240KB
- MD5: a05efaf63385624a9a6f4cb71e3034f2
- SHA1: 00921d3aa2c3cb750b0b2799001eaee1023c6e97
- SHA256: 75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f
- SHA512: c181aedf600a55843aaaacbefc585b9f7b0bad26e87bdc7b00c63d1c908f7d5994f89ef116847a201ec91a89fe869523ac5bcbe331203ccf85923e9ff44281e5
- SSDEEP: 3072:i0omm42dpvxmiFdS4wgtKO48l2Bq3PWdkkooNymbkgeJt3hxfdU5fl6Mud:FVmvvMiptwE3PWdkk1wg2tbfo
Malware Config
Extracted: smokeloader, pub3
Extracted: smokeloader, 2022
- C2: http://sjyey.com/tmp/index.php
- C2: http://babonwo.ru/tmp/index.php
- C2: http://mth.com.ua/tmp/index.php
- C2: http://piratia.pw/tmp/index.php
- C2: http://go-piratia.ru/tmp/index.php
Extracted: amadey, 4.14
- C2: http://anfesq.com
- C2: http://cbinr.com
- C2: http://rimakc.ru
- install_dir: 68fd3d7ade
- install_file: Utsysc.exe
- strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
- url_paths: /forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes (pid, process):
  1244  (process name not captured in the report)
Executes dropped EXE 4 IoCs
Processes (pid, process):
  2708  B413.exe
  2432  Utsysc.exe
  2812  Utsysc.exe
  988   Utsysc.exe
Loads dropped DLL 44 IoCs
Processes (pid, process, number of DLL-load entries):
  2708  B413.exe       2
  1180  rundll32.exe   4
  568   rundll32.exe   4
  1324  WerFault.exe   2
  2452  rundll32.exe   4
  2300  rundll32.exe   4
  2996  WerFault.exe   2
  2412  rundll32.exe   4
  1984  rundll32.exe   4
  1144  WerFault.exe   2
  1912  rundll32.exe   4
  2296  rundll32.exe   4
  2184  rundll32.exe   4
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process, number of entries):
  2932  75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe  2
  1244  (process name not captured in the report)  62
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
  2932  75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
  Token: SeShutdownPrivilege  1244  (process name not captured in the report)
  Token: SeShutdownPrivilege  1244  (process name not captured in the report)
  Token: SeShutdownPrivilege  1244  (process name not captured in the report)
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid, process):
  1244  (process name not captured in the report)
  1244  (process name not captured in the report)
  2708  B413.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process):
  1244  (process name not captured in the report)
  1244  (process name not captured in the report)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid, source process, target pid, target process, number of write entries):
  1244  (process name not captured)  2708  B413.exe      4
  2708  B413.exe                     2432  Utsysc.exe    4
  2432  Utsysc.exe                   2716  schtasks.exe  4
  2432  Utsysc.exe                   1180  rundll32.exe  7
  1180  rundll32.exe                 568   rundll32.exe  4
  568   rundll32.exe                 1324  WerFault.exe  3
  1592  taskeng.exe                  2812  Utsysc.exe    4
  2432  Utsysc.exe                   2452  rundll32.exe  7
  2452  rundll32.exe                 2300  rundll32.exe  4
  2300  rundll32.exe                 2996  WerFault.exe  3
  2432  Utsysc.exe                   2412  rundll32.exe  7
  2412  rundll32.exe                 1984  rundll32.exe  4
  1984  rundll32.exe                 1144  WerFault.exe  3
  2432  Utsysc.exe                   1912  rundll32.exe  6
Processes
(indentation shows the parent/child nesting of the process tree)

- C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75797f5c19efd1cbecae73491e2fb1f1026ce435a01f402d67124778110b239f.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2932

- C:\Users\Admin\AppData\Local\Temp\B413.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B413.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 2708
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2432
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
      - Creates scheduled task(s)
      PID: 2716
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1180
      - C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 568
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 568 -s 312
          - Loads dropped DLL
          PID: 1324
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2452
      - C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 2300
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 2300 -s 312
          - Loads dropped DLL
          PID: 2996
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2412
      - C:\Windows\system32\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1984
        - C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 1984 -s 312
          - Loads dropped DLL
          PID: 1144
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 1912
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 2296
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      - Loads dropped DLL
      PID: 2184

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {771EE358-D2D3-4BBD-8120-82D206D41C88} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1592
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 2812
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    - Executes dropped EXE
    PID: 988
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 68KB
  MD5: f51d96c6c0a3e6b986d671c03407cfd2
  SHA1: e0b0c6779108c6e818264c8589af38bf96df99f2
  SHA256: b4324e22222736f62dfe8b7e5ed1ccebbccfb8eb2c358309884600f0aeefe042
  SHA512: 2ae59232fabbdc2231fc479589bd5eb353aba3c8c856355fca939defb81cab86c78e1926896b1267dbd2310988ff47c30f4ac20af18841f6089ad05f00602b3c
- Filesize: 388KB
  MD5: 4bb6852748ac936523f68322f1bae54a
  SHA1: 846ee2c620e655903aaa8e3f4ee0f9f27aec18f7
  SHA256: f77d971f56a9101640c5fffc0121ba5f2f3c33e6f074e9d2b91c9af10da9c43d
  SHA512: c13fe3c437d26caf9d4504f624d8e3ff7f5e370c476a047040d2f57a6e7905bbbd5c8023d304b2165fea2bb5ac24c5261c050a7dce39d4e79c8c2d360ddef74e
- Filesize: 102KB
  MD5: 4194e9b8b694b1e9b672c36f0d868e32
  SHA1: 252f27fe313c7bf8e9f36aef0c7b676383872efb
  SHA256: 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
  SHA512: f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
- Filesize: 1.1MB
  MD5: f01f5bc76b9596e0cfeab8a272cba3a5
  SHA1: 19cab1291e4e518ae636f2fb3d41567e4e6e4722
  SHA256: 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
  SHA512: ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63