Analysis
-
max time kernel
300s -
max time network
299s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
16-02-2024 04:50
Static task
static1
Behavioral task
behavioral1
Sample
c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Resource
win10-20240214-en
General
-
Target
c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
-
Size
236KB
-
MD5
12feeee4bc19579083e686cf16dea6e3
-
SHA1
156fef6e87be45f48055315cf134421655a3a727
-
SHA256
c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9
-
SHA512
b942d5c619c6fa490edd96e9aeabb008c630f12343de4b0f0b6924bea0d50770dadf3072c2c20b2012e75bf59d9a8c7025174793177df16b405605059b921346
-
SSDEEP
3072:9nznk9/Gm+lK+SQCylz9uD4BfKVSHudaCzg25lXp0:Rg+lK+SR69uD4BfnHgn
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Extracted
amadey
4.14
http://anfesq.com
http://cbinr.com
http://rimakc.ru
-
install_dir
68fd3d7ade
-
install_file
Utsysc.exe
-
strings_key
27ec7fd6f50f63b8af0c1d3deefcc8fe
-
url_paths
/forum/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes:
pid   process
1260
-
Executes dropped EXE 7 IoCs
Processes:
pid   process
2592  290.exe
1924  Utsysc.exe
1528  Utsysc.exe
2448  Utsysc.exe
2440  Utsysc.exe
1988  Utsysc.exe
1888  Utsysc.exe
-
Loads dropped DLL 44 IoCs
Processes:
pid   process       entries
2592  290.exe       2
588   rundll32.exe  4
1624  rundll32.exe  4
1088  WerFault.exe  2
2852  rundll32.exe  4
3040  rundll32.exe  4
1572  WerFault.exe  2
1472  rundll32.exe  4
2076  rundll32.exe  4
2980  WerFault.exe  2
2148  rundll32.exe  4
1960  rundll32.exe  4
1468  rundll32.exe  4
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process                                                                entries
2036  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe  2
1260                                                                         62
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2036  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                 pid   process  entries
Token: SeShutdownPrivilege  1260           3
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid   process  entries
1260           2
2592  290.exe  1
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process  entries
1260           2
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                       pid   process       target process  entries
PID 1260 wrote to memory of 2592  1260                290.exe         4
PID 2592 wrote to memory of 1924  2592  290.exe       Utsysc.exe      4
PID 1924 wrote to memory of 2652  1924  Utsysc.exe    schtasks.exe    4
PID 2188 wrote to memory of 1528  2188  taskeng.exe   Utsysc.exe      4
PID 2188 wrote to memory of 2448  2188  taskeng.exe   Utsysc.exe      4
PID 1924 wrote to memory of 588   1924  Utsysc.exe    rundll32.exe    7
PID 588 wrote to memory of 1624   588   rundll32.exe  rundll32.exe    4
PID 1624 wrote to memory of 1088  1624  rundll32.exe  WerFault.exe    3
PID 1924 wrote to memory of 2852  1924  Utsysc.exe    rundll32.exe    7
PID 2852 wrote to memory of 3040  2852  rundll32.exe  rundll32.exe    4
PID 3040 wrote to memory of 1572  3040  rundll32.exe  WerFault.exe    3
PID 1924 wrote to memory of 1472  1924  Utsysc.exe    rundll32.exe    7
PID 1472 wrote to memory of 2076  1472  rundll32.exe  rundll32.exe    4
PID 2076 wrote to memory of 2980  2076  rundll32.exe  WerFault.exe    3
PID 1924 wrote to memory of 2148  1924  Utsysc.exe    rundll32.exe    2
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2036
-
[1] C:\Users\Admin\AppData\Local\Temp\290.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\290.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2592
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:1924
    [3] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        - Creates scheduled task(s)
        PID:2652
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:588
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:1624
        [5] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 1624 -s 312
            - Loads dropped DLL
            PID:1088
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:2852
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:3040
        [5] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 3040 -s 312
            - Loads dropped DLL
            PID:1572
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID:1472
      [4] C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:2076
        [5] C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 2076 -s 312
            - Loads dropped DLL
            PID:2980
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID:2148
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID:1960
    [3] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID:1468
-
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {BF9AAB47-0F03-415F-B456-373177883B4D} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID:2188
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:1528
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:2448
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:2440
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:1988
  [2] C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:1888
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
384KB
MD5
e1dc6f36bc9f047f33b58c8c0fc2da89
SHA1
cf6dfe8eaa32971eb53f02d0dc7c8ac299968880
SHA256
6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767
SHA512
6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92
-
Filesize
68KB
MD5
617f54258f33d26fa039bcc5c02d688d
SHA1
80ec48d75fb4686f028cab550a8d5d1e92c207d8
SHA256
6388a827c6dbc16afad277524b994d63b8d33bbfc4ba86f01b07e590fcf02434
SHA512
191d6bf2930e1a32a8139b85b688d626bb7bea19a82438538c0794b481d779516eb8a996e029411e70dca7d45aadc405a73a5360cf7fe747abc031078129116a
-
Filesize
102KB
MD5
4194e9b8b694b1e9b672c36f0d868e32
SHA1
252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256
97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512
f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7
-
Filesize
1.1MB
MD5
f01f5bc76b9596e0cfeab8a272cba3a5
SHA1
19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256
83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512
ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63