Analysis
max time kernel: 60s
max time network: 58s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 16-02-2024 05:11
Static task: static1
Behavioral task: behavioral1
  Sample: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
  Resource: win10v2004-20231215-en
General
Target: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Size: 236KB
MD5: 12feeee4bc19579083e686cf16dea6e3
SHA1: 156fef6e87be45f48055315cf134421655a3a727
SHA256: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9
SHA512: b942d5c619c6fa490edd96e9aeabb008c630f12343de4b0f0b6924bea0d50770dadf3072c2c20b2012e75bf59d9a8c7025174793177df16b405605059b921346
SSDEEP: 3072:9nznk9/Gm+lK+SQCylz9uD4BfKVSHudaCzg25lXp0:Rg+lK+SR69uD4BfnHgn
Malware Config
Extracted: smokeloader
  pub3
Extracted: smokeloader
  2022
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  Processes:
    pid 1384 (no process name recorded)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    description     | ioc                                               | process
    Key opened      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    Key queried     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    Key enumerated  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    pid   | process
    2196  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    2196  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    1384  | (no process name recorded; every remaining entry in this signature is pid 1384)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
    pid   | process
    2196  | c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\c41b3fb6b30753a23f0b274f4f176202915d248256140e4512d541589b62bdc9.exe"
   PID: 2196
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection