Analysis
- max time kernel: 300s
- max time network: 294s
- platform: windows10-1703_x64
- resource: win10-20240214-en
- resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 16-02-2024 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
- Resource: win10-20240214-en
General
- Target: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
- Size: 236KB
- MD5: 12feeee4bc19579083e686cf16dea6e3
- SHA1: 156fef6e87be45f48055315cf134421655a3a727
- SHA256: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9
- SHA512: b942d5c619c6fa490edd96e9aeabb008c630f12343de4b0f0b6924bea0d50770dadf3072c2c20b2012e75bf59d9a8c7025174793177df16b405605059b921346
- SSDEEP: 3072:9nznk9/Gm+lK+SQCylz9uD4BfKVSHudaCzg25lXp0:Rg+lK+SR69uD4BfnHgn
Malware Config
Extracted: smokeloader
- pub3
Extracted: smokeloader
- 2022
- http://sjyey.com/tmp/index.php
- http://babonwo.ru/tmp/index.php
- http://mth.com.ua/tmp/index.php
- http://piratia.pw/tmp/index.php
- http://go-piratia.ru/tmp/index.php
Extracted: amadey
- 4.14
- http://anfesq.com
- http://cbinr.com
- http://rimakc.ru
- install_dir: 68fd3d7ade
- install_file: Utsysc.exe
- strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
- url_paths: /forum/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes:
    pid   process
    3328  (process name not recorded)
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    3084  EB0C.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (9 IoCs)
  Processes:
    pid   pid_target  process       target process
    3492  3084        WerFault.exe  EB0C.exe
    2184  3084        WerFault.exe  EB0C.exe
    4616  3084        WerFault.exe  EB0C.exe
    4228  3084        WerFault.exe  EB0C.exe
    676   3084        WerFault.exe  EB0C.exe
    644   3084        WerFault.exe  EB0C.exe
    1492  3084        WerFault.exe  EB0C.exe
    4244  3084        WerFault.exe  EB0C.exe
    808   3084        WerFault.exe  EB0C.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    2528  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    2528  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    3328  (all remaining entries; process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    2528  c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes:
    description                       pid   process
    Token: SeShutdownPrivilege        3328  (process name not recorded)
    Token: SeCreatePagefilePrivilege  3328  (process name not recorded)
    Token: SeShutdownPrivilege        3328  (process name not recorded)
    Token: SeCreatePagefilePrivilege  3328  (process name not recorded)
    Token: SeShutdownPrivilege        3328  (process name not recorded)
    Token: SeCreatePagefilePrivilege  3328  (process name not recorded)
    Token: SeShutdownPrivilege        3328  (process name not recorded)
    Token: SeCreatePagefilePrivilege  3328  (process name not recorded)
    Token: SeShutdownPrivilege        3328  (process name not recorded)
    Token: SeCreatePagefilePrivilege  3328  (process name not recorded)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                       pid   process                      target process
    PID 3328 wrote to memory of 3084  3328  (process name not recorded)  EB0C.exe
    PID 3328 wrote to memory of 3084  3328  (process name not recorded)  EB0C.exe
    PID 3328 wrote to memory of 3084  3328  (process name not recorded)  EB0C.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe"
  PID: 2528
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\EB0C.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\EB0C.exe
  PID: 3084
  - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 564
    PID: 3492
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 640
    PID: 2184
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 732
    PID: 4616
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 780
    PID: 4228
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 808
    PID: 676
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 852
    PID: 644
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1044
    PID: 1492
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1072
    PID: 4244
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1104
    PID: 808
    - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 384KB
  MD5: e1dc6f36bc9f047f33b58c8c0fc2da89
  SHA1: cf6dfe8eaa32971eb53f02d0dc7c8ac299968880
  SHA256: 6f861ffc77ac6529a50211ae09d7bbdf27b97b73e17f9c4cdb397e39dc85a767
  SHA512: 6387d154ca10f44aa3abb8ef9b653c99b7fa583d152ef51b5091fccce085c6459ecc799f0491e8e3fe197f8bcd30af2d6c8fae3973311b05930fd444be962f92