Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 16-02-2024 04:27
Static task: static1
Behavioral task: behavioral1
Sample: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
Resource: win7-20240215-en
General
- Target: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
- Size: 288KB
- MD5: e88da5d3f528d78eabc2de83797c2195
- SHA1: 7937c0b3fac48fa50aa74e80387a6ff6f463c978
- SHA256: 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300
- SHA512: 4dfb673cfab033d7d40ef383ef36841d3c8fd1a1f2c80bfd05c896aa3d9c38c08301d89e4543e9b300a44787c9a57a13e34654f5374d6788c1e56e37c69be9a9
- SSDEEP: 3072:OziRfFi3WzI2OfoyFIUVvBmAx0H3q0eJ5cLw5p0s0hQUxaIa2VM:/RfFDG3FJVvtyeJ5JKQUxaIh
Malware Config
Extracted: smokeloader
- pub3
Extracted: smokeloader
- 2022
- http://sjyey.com/tmp/index.php
- http://babonwo.ru/tmp/index.php
- http://mth.com.ua/tmp/index.php
- http://piratia.pw/tmp/index.php
- http://go-piratia.ru/tmp/index.php
Extracted: amadey
- 4.14
- http://anfesq.com
- http://cbinr.com
- http://rimakc.ru
- install_dir: 68fd3d7ade
- install_file: Utsysc.exe
- strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
- url_paths: /forum/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes (pid process):
  1204 (no process name recorded)
- Executes dropped EXE (5 IoCs)
  Processes (pid process):
  3016 7668.exe
  2472 Utsysc.exe
  2044 Utsysc.exe
  2604 Utsysc.exe
  2616 ewgvvug
- Loads dropped DLL (44 IoCs)
  Processes (pid process, number of load events):
  3016 7668.exe (2)
  808 rundll32.exe (4)
  1908 rundll32.exe (4)
  1688 WerFault.exe (2)
  2080 rundll32.exe (4)
  2284 rundll32.exe (4)
  2988 WerFault.exe (2)
  480 rundll32.exe (4)
  692 rundll32.exe (4)
  936 WerFault.exe (2)
  1592 rundll32.exe (4)
  2024 rundll32.exe (4)
  2272 rundll32.exe (4)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ewgvvug
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ewgvvug
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ewgvvug
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid process, number of events):
  1772 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe (2)
  1204 (no process name recorded) (62)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid process):
  1772 4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe
  2616 ewgvvug
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, number of events):
  Token: SeShutdownPrivilege | 1204 | 3
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid process):
  3016 7668.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid process -> target pid process, number of write events):
  1204 (no process name recorded) -> 3016 7668.exe (4)
  3016 7668.exe -> 2472 Utsysc.exe (4)
  2472 Utsysc.exe -> 2516 schtasks.exe (4)
  2472 Utsysc.exe -> 808 rundll32.exe (7)
  808 rundll32.exe -> 1908 rundll32.exe (4)
  1908 rundll32.exe -> 1688 WerFault.exe (3)
  2472 Utsysc.exe -> 2080 rundll32.exe (7)
  2080 rundll32.exe -> 2284 rundll32.exe (4)
  2284 rundll32.exe -> 2988 WerFault.exe (3)
  2472 Utsysc.exe -> 480 rundll32.exe (7)
  480 rundll32.exe -> 692 rundll32.exe (4)
  692 rundll32.exe -> 936 WerFault.exe (3)
  312 taskeng.exe -> 2044 Utsysc.exe (4)
  2472 Utsysc.exe -> 1592 rundll32.exe (6)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (nested by parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe (PID 1772)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b06c62c07429d0bbc7f9126a18c2e959e5c52c09236dbfb5b16a09390f0a300.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\7668.exe (PID 3016)
  Command line: C:\Users\Admin\AppData\Local\Temp\7668.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (PID 2472)
    Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2516)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\rundll32.exe (PID 808)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 1908)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WerFault.exe (PID 1688)
          Command line: C:\Windows\system32\WerFault.exe -u -p 1908 -s 308
          Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 2080)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 2284)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\WerFault.exe (PID 2988)
          Command line: C:\Windows\system32\WerFault.exe -u -p 2284 -s 308
          Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 480)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\rundll32.exe (PID 692)
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 1592)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 2024)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 2272)
      Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
      Signatures: Loads dropped DLL
- C:\Windows\system32\WerFault.exe (PID 936)
  Command line: C:\Windows\system32\WerFault.exe -u -p 692 -s 308
  Signatures: Loads dropped DLL
- C:\Windows\system32\taskeng.exe (PID 312)
  Command line: taskeng.exe {9CB2A9A6-7D71-463F-9F3A-5208CCC5E9E3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (PID 2044)
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe (PID 2604)
    Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\ewgvvug (PID 2616)
    Command line: C:\Users\Admin\AppData\Roaming\ewgvvug
    Signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads