Analysis

max time kernel: 150s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 16-02-2024 17:29
Static task: static1
Behavioral task: behavioral1
Sample: 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Resource: win7-20231215-en
General

Target: 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Size: 211KB
MD5: 5bae825ffee14cf11a76bfbb6469da66
SHA1: ccf758627d9e6389622f8011cee06cc6400281f3
SHA256: 09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd
SHA512: bda8f56f75fa2ffe769b862912cfda4e5041c59bfc95cfb2c65bb1a88b6dba204bbea720074716243df70728759b6c50eb2bb1aee6275f91564720047a5164b8
SSDEEP: 3072:7KN8peS9QVSgasuW02zwpzynrkV/nPjW7iVImaG0ohYlmobTs:7KGpF92CsuhpzynkfPjWKIihR
Malware Config

Extracted
  smokeloader
  pub3

Extracted
  smokeloader
  2022
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php

Extracted
  amadey
  4.14
  http://anfesq.com
  http://cbinr.com
  http://rimakc.ru
  install_dir: 68fd3d7ade
  install_file: Utsysc.exe
  strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
  url_paths: /forum/index.php
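The extracted configs give two different shapes of C2 indicator: SmokeLoader stores full beacon URLs (host plus /tmp/index.php), while Amadey stores bare hosts and a separate url_paths list, so the Amadey beacon URL is host + url_path. The script below is an added example, not part of the sandbox report: it normalises both shapes into one host-keyed IOC set and runs it over proxy log lines. The C2 URLs and url_paths are copied from the Malware Config above; the proxy log lines and their format are constructed for the demo.

```python
"""Turn the extracted SmokeLoader / Amadey C2 config into network IOCs and
match them against proxy-log lines.

Added example, not part of the sandbox report.  C2 URLs and url_paths are
copied from the report's Malware Config; the log lines are constructed.
"""
from urllib.parse import urlsplit

# Copied from the report's "Malware Config" section.
SMOKELOADER_C2 = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]
AMADEY_C2 = ["http://anfesq.com", "http://cbinr.com", "http://rimakc.ru"]
AMADEY_URL_PATHS = ["/forum/index.php"]


def build_iocs():
    """Return {host: (family, set_of_beacon_paths)} for every C2 host.

    SmokeLoader entries already carry the path; Amadey entries are bare
    hosts, so the beacon path comes from the separate url_paths list.
    """
    iocs = {}
    for url in SMOKELOADER_C2:
        u = urlsplit(url)
        iocs.setdefault(u.hostname.lower(), ("smokeloader", set()))[1].add(u.path)
    for url in AMADEY_C2:
        u = urlsplit(url)
        iocs.setdefault(u.hostname.lower(), ("amadey", set()))[1].update(AMADEY_URL_PATHS)
    return iocs


def match_proxy_line(line, iocs):
    """Classify one proxy log line.

    Constructed line format: "<ts> <client_ip> <method> <url> <status>".
    Returns None when the host is not a known C2, otherwise
    (family, confidence, host); confidence is "high" when the request path
    is the configured beacon path and "medium" for any other path on a C2 host.
    """
    parts = line.split()
    if len(parts) < 5:
        return None
    u = urlsplit(parts[3])
    host = (u.hostname or "").lower()
    if host not in iocs:
        return None
    family, paths = iocs[host]
    confidence = "high" if u.path in paths else "medium"
    return family, confidence, host


# Constructed sample log lines, not taken from the report.
SAMPLE_PROXY_LOG = [
    "2024-02-16T17:31:02Z 10.0.0.25 POST http://sjyey.com/tmp/index.php 200",
    "2024-02-16T17:31:05Z 10.0.0.25 GET http://www.example.com/ 200",
    "2024-02-16T17:32:10Z 10.0.0.25 POST http://anfesq.com/forum/index.php 200",
    "2024-02-16T17:32:40Z 10.0.0.25 GET http://rimakc.ru/favicon.ico 404",
]


def scan(lines, iocs=None):
    """Return [(client_ip, family, confidence, host)] for every matching line."""
    iocs = iocs or build_iocs()
    hits = []
    for line in lines:
        m = match_proxy_line(line, iocs)
        if m:
            hits.append((line.split()[1], *m))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching on host first and path second keeps the alert useful when the operator rotates the PHP path but not the domain; a host-only hit is still worth a ticket, just at lower confidence.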
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes:
pid   process
1384  (no image name recorded)
Executes dropped EXE 4 IoCs
Processes:
pid   process
2724  D807.exe
3024  Utsysc.exe
2960  Utsysc.exe
2744  Utsysc.exe
Loads dropped DLL 44 IoCs
Processes (one row per load event, collapsed with a count):
pid   process        rows
2724  D807.exe       2
1640  rundll32.exe   4
1956  rundll32.exe   4
1608  WerFault.exe   2
2364  rundll32.exe   4
804   rundll32.exe   4
1720  WerFault.exe   2
832   rundll32.exe   4
788   rundll32.exe   4
840   WerFault.exe   2
864   rundll32.exe   4
2088  rundll32.exe   4
1320  rundll32.exe   4
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: the device entries under Enum\SCSI carry the disk vendor/model strings, and the virtual disks presented by VMware, VirtualBox, QEMU and similar hypervisors are recognisable by name.
Processes:
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (one row per event, collapsed with a count):
pid   process                                                                   rows
2312  09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe  2
1384  (no image name recorded)                                                  62
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid   process
2312  09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (collapsed with a count):
description                 pid   process                   rows
Token: SeShutdownPrivilege  1384  (no image name recorded)  3
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
2724  D807.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid/process -> target pid/process, one row per WriteProcessMemory event, collapsed with a count):
1384  (no image name recorded)  ->  2724  D807.exe       4
2724  D807.exe                  ->  3024  Utsysc.exe     4
3024  Utsysc.exe                ->  600   schtasks.exe   4
3024  Utsysc.exe                ->  1640  rundll32.exe   7
1640  rundll32.exe              ->  1956  rundll32.exe   4
1956  rundll32.exe              ->  1608  WerFault.exe   3
3024  Utsysc.exe                ->  2364  rundll32.exe   7
2364  rundll32.exe              ->  804   rundll32.exe   4
804   rundll32.exe              ->  1720  WerFault.exe   3
2388  taskeng.exe               ->  2960  Utsysc.exe     4
3024  Utsysc.exe                ->  832   rundll32.exe   7
832   rundll32.exe              ->  788   rundll32.exe   4
788   rundll32.exe              ->  840   WerFault.exe   3
3024  Utsysc.exe                ->  864   rundll32.exe   6
The listing stops at the report's 64-row cap, inside the 3024 -> 864 events.
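The WriteProcessMemory rows are the only place this report records parent-to-child relationships for every process, including the unnamed PID 1384 that started D807.exe, so they can be turned back into a process tree. The script below is an added example, not part of the sandbox report: it parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <names>" form, collapses repeats, rebuilds the tree, and pulls out two chains an analyst wants: which process the Task Scheduler engine launched (the scheduled-task persistence) and the full ancestry behind each WerFault.exe (a crashed child). The rows in ROWS are copied from the report as a representative subset; the parsing and tree logic are mine.

```python
"""Rebuild the process tree from the report's "Suspicious use of
WriteProcessMemory" rows and extract the chains an analyst cares about.

Added example, not part of the sandbox report.  ROWS is a subset of the
report's 64 rows, copied verbatim (one line per event); the analysis
functions are not from the report.
"""
import re
from collections import Counter

# "PID <src> wrote to memory of <dst> <src> [<src name>] <dst name>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (.*)")

ROWS = """\
PID 1384 wrote to memory of 2724 1384 D807.exe
PID 1384 wrote to memory of 2724 1384 D807.exe
PID 2724 wrote to memory of 3024 2724 D807.exe Utsysc.exe
PID 3024 wrote to memory of 600 3024 Utsysc.exe schtasks.exe
PID 3024 wrote to memory of 1640 3024 Utsysc.exe rundll32.exe
PID 3024 wrote to memory of 1640 3024 Utsysc.exe rundll32.exe
PID 1640 wrote to memory of 1956 1640 rundll32.exe rundll32.exe
PID 1956 wrote to memory of 1608 1956 rundll32.exe WerFault.exe
PID 3024 wrote to memory of 2364 3024 Utsysc.exe rundll32.exe
PID 2364 wrote to memory of 804 2364 rundll32.exe rundll32.exe
PID 804 wrote to memory of 1720 804 rundll32.exe WerFault.exe
PID 2388 wrote to memory of 2960 2388 taskeng.exe Utsysc.exe
PID 3024 wrote to memory of 832 3024 Utsysc.exe rundll32.exe
PID 832 wrote to memory of 788 832 rundll32.exe rundll32.exe
PID 788 wrote to memory of 840 788 rundll32.exe WerFault.exe
PID 3024 wrote to memory of 864 3024 Utsysc.exe rundll32.exe
"""


def parse_rows(text):
    """Return (edge_counts, names).

    edge_counts: Counter of (src_pid, dst_pid) -> number of events.
    names: {pid: image name}, "" where the report left the name blank
    (as it does for PID 1384).
    """
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, rest = int(m.group(1)), int(m.group(2)), m.group(3).split()
        if not rest:
            continue
        # Two trailing tokens are "<src name> <dst name>"; a single token is
        # only the destination name (the source had no name in the report).
        src_name, dst_name = (rest if len(rest) == 2 else ["", rest[0]])
        names.setdefault(src, src_name)
        names[dst] = dst_name
        edges[(src, dst)] += 1
    return edges, names


def parent_map(edges):
    """pid -> parent pid; the first process that wrote into a target is its parent."""
    parents = {}
    for (src, dst) in edges:
        parents.setdefault(dst, src)
    return parents


def ancestry(pid, parents, names):
    """Image names from the root process down to pid."""
    chain = []
    while pid is not None:
        chain.append(names.get(pid, "") or f"<pid {pid}>")
        pid = parents.get(pid)
    return list(reversed(chain))


def crash_chains(edges, names):
    """Ancestry of every process that spawned WerFault.exe, i.e. that crashed."""
    parents = parent_map(edges)
    return [ancestry(src, parents, names) for (src, dst) in edges
            if names.get(dst) == "WerFault.exe"]


def scheduler_launches(edges, names):
    """(parent, child) image names for children of the Task Scheduler engine:
    the persistence the schtasks /SC MINUTE task was created for."""
    return [(names[src], names[dst]) for (src, dst) in edges
            if names.get(src) == "taskeng.exe"]


def render_tree(edges, names):
    """Indented text tree, depth-first from each root process."""
    parents = parent_map(edges)
    children = {}
    for (src, dst) in edges:
        if parents[dst] == src:
            children.setdefault(src, []).append(dst)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid) or '<unnamed>'}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in (p for p in names if p not in parents):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, names = parse_rows(ROWS)
    print(render_tree(edges, names))
    print("crash chains:", crash_chains(edges, names))
    print("scheduler launches:", scheduler_launches(edges, names))
```

Each of the three crash chains comes out identical (unnamed 1384 > D807.exe > Utsysc.exe > rundll32.exe > rundll32.exe), which is the cred64.dll loader failing the same way on every attempt rather than three different problems.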
Processes
-
C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\09e7d4960b5529828d27c3d39bc9f65bd24e7e3daf157a2a8f93b38bb95348fd.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2312

C:\Users\Admin\AppData\Local\Temp\D807.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\D807.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2724
    C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3024
        C:\Windows\SysWOW64\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
          - Creates scheduled task(s)
          PID:600
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:1640
            C:\Windows\system32\rundll32.exe
              cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID:1956
                C:\Windows\system32\WerFault.exe
                  cmd: C:\Windows\system32\WerFault.exe -u -p 1956 -s 312
                  - Loads dropped DLL
                  PID:1608
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:2364
            C:\Windows\system32\rundll32.exe
              cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID:804
                C:\Windows\system32\WerFault.exe
                  cmd: C:\Windows\system32\WerFault.exe -u -p 804 -s 312
                  - Loads dropped DLL
                  PID:1720
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          PID:832
            C:\Windows\system32\rundll32.exe
              cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory
              PID:788
                C:\Windows\system32\WerFault.exe
                  cmd: C:\Windows\system32\WerFault.exe -u -p 788 -s 312
                  - Loads dropped DLL
                  PID:840
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID:864
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID:2088
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
          - Loads dropped DLL
          PID:1320

C:\Windows\system32\taskeng.exe
  cmd: taskeng.exe {997A4797-00DD-40E6-8101-0A98043395B0} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:2388
    C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:2960
    C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      - Executes dropped EXE
      PID:2744

Reading the tree: the image paths under C:\Windows\SysWOW64 with System32 in the command line are WoW64 file-system redirection, i.e. the 32-bit Utsysc.exe started 32-bit schtasks.exe and rundll32.exe. Each 32-bit rundll32.exe given cred64.dll then started the 64-bit C:\Windows\system32\rundll32.exe, and that 64-bit process was picked up by Windows Error Reporting (WerFault.exe -u -p <pid> -s 312) every time, so the cred64.dll module never ran to completion in this sandbox. The two Utsysc.exe instances under taskeng.exe are the one-minute scheduled task firing, which is the persistence mechanism the schtasks command above set up.
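The command lines in this tree carry the three things worth detecting independently of hashes: a schtasks /Create with a one-minute trigger whose action lives under a user profile, rundll32.exe loading a DLL from %AppData% and calling a named export, and a dropped executable running from a short hex-named directory under %TEMP% that is later re-launched by the Task Scheduler engine. The rules below are an added example, not part of the sandbox report: they run over process-creation events whose command lines are copied from the Processes section above, plus one constructed benign control. The event format, the rules and the use of shlex non-POSIX splitting for Windows command lines are my choices; the 10-hex-character directory check generalises from this sample's install_dir (68fd3d7ade) and is an assumption about how the directory is named, not a documented constant.

```python
"""Detection rules for the persistence and loader behaviour visible in the
process tree, evaluated over process-creation events.

Added example, not part of the sandbox report.  Command lines in EVENTS are
copied from the report's Processes section (plus one constructed benign
control); the event schema and rules are not from the report.  The
10-hex-char directory pattern is an assumption derived from this sample's
install_dir 68fd3d7ade.
"""
import re
import shlex

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
HEX_DIR = re.compile(r"\\Temp\\[0-9a-f]{10}\\[^\\]+\.exe$", re.IGNORECASE)


def split_cmd(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal
    and treats quoted paths as single tokens, so only strip the quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def rule_minute_schtask(event):
    """schtasks /Create with a MINUTE schedule whose /TR action lives under
    a user-writable AppData path (the Amadey persistence task)."""
    argv = split_cmd(event["cmdline"])
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    flags = {a.upper(): i for i, a in enumerate(argv)}
    if "/CREATE" not in flags:
        return None

    def arg(flag):
        i = flags.get(flag)
        return argv[i + 1] if i is not None and i + 1 < len(argv) else ""

    if arg("/SC").upper() == "MINUTE" and USER_WRITABLE.search(arg("/TR")):
        return f"minute-interval scheduled task running {arg('/TR')}"
    return None


def rule_rundll32_user_dll(event):
    """rundll32 handed a DLL under the user profile: a loader calling an
    export (", Main" in the report) from a dropped module."""
    argv = split_cmd(event["cmdline"])
    if len(argv) < 2 or not argv[0].lower().endswith("rundll32.exe"):
        return None
    dll = argv[1].rstrip(",")          # "cred64.dll," when written "dll, Export"
    if USER_WRITABLE.search(dll):
        export = argv[2] if len(argv) > 2 else "(DllMain only)"
        return f"rundll32 loading user-writable DLL {dll} export {export}"
    return None


def rule_temp_hexdir_exe(event):
    """Executable started from a 10-hex-character subdirectory of %TEMP%
    (assumed install_dir naming, see module docstring)."""
    if HEX_DIR.search(event["image"]):
        return f"dropped executable in temp hex directory: {event['image']}"
    return None


def rule_scheduler_parent(event):
    """Something under the user profile started by the Task Scheduler engine."""
    if event["parent"].lower().endswith("taskeng.exe") and USER_WRITABLE.search(event["image"]):
        return f"task scheduler launched {event['image']}"
    return None


RULES = [rule_minute_schtask, rule_rundll32_user_dll, rule_temp_hexdir_exe, rule_scheduler_parent]

EVENTS = [
    # Copied from the report's Processes section.
    {"pid": 3024, "parent": r"C:\Users\Admin\AppData\Local\Temp\D807.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"'},
    {"pid": 600, "parent": r"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F'},
    {"pid": 1640, "parent": r"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main'},
    {"pid": 2960, "parent": r"C:\Windows\system32\taskeng.exe",
     "image": r"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"},
    # Constructed benign control: a system DLL loaded from System32.
    {"pid": 4100, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
]


def evaluate(events):
    """Return [(pid, rule name, message)] for every rule that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["pid"], rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

The scheduled-task rule keys on /SC MINUTE plus a user-writable action path rather than on the task name, because the name (Utsysc.exe here) is per-sample while the one-minute re-launch from a profile directory is the behaviour that survives renaming.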
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 70KB
MD5: 0d17bb156f56bb22333ba8a7b5b1f9e6
SHA1: 1ab9ef9c0927e78ff2c74f1ff7400aadfdf978cc
SHA256: f2fc9108148999e9e4da81d76cc6e3efa5bf432a2c8535de8e1c2e73b12bd2dd
SHA512: d4ddcdb5179a1e623789c891714bab531e53d20742de459bda54aa71ef613d13b679045f0f72cdc839c62374f7a425cf43a5078f63debc402d64dfc7a47c566f

Filesize: 427KB
MD5: f6de33f10f890cd3491cb218269b9200
SHA1: 47e4616e96c9a4d52ae8002a083b6886078b0742
SHA256: 3ed25603de60da1f4f055ef3496b58c26149563b19d0f7460c7b958db8aca190
SHA512: 0c8eb82689e386bd2099a38e026dd63f91e5bd652c2c2fee7d8c7e76ece62296682d138da9e7792313c4b2a8ce32250e496caf0b7dd39920d040f209f51f61b4

Filesize: 102KB
MD5: 4194e9b8b694b1e9b672c36f0d868e32
SHA1: 252f27fe313c7bf8e9f36aef0c7b676383872efb
SHA256: 97e342fb4dbfe474ab2674682a816931bb9f56814bf13b20ff11ac1939775125
SHA512: f956acdec4c0255030f784d27210d59e30c3377e0a5abec915818bde8545afc3ef04a06395a2bfa5946f86cdf1088c9089bfc5064d9fd71b8137eae14f64e5c7

Filesize: 1.1MB
MD5: f01f5bc76b9596e0cfeab8a272cba3a5
SHA1: 19cab1291e4e518ae636f2fb3d41567e4e6e4722
SHA256: 83ef6d2414a5c0c9cb6cfe502cb40cdda5c425ee7408a4075e32891f4599d938
SHA512: ccfa16f0bbcdb909446fc4d47c1732e0b1baa759d78866fcce9ac7c5c12f1299e74df03b23881f3e37627b358bc6ddd2941c9110e030f6d68dd79f67c9e39f63

Filesize: 576KB
MD5: 37e63740e52383c62de449e85c6c29da
SHA1: 14305dc2bf941c81a6148f5929aac0a665a9b999
SHA256: a4d17349ef52297d701a92b14e38599159471eeb9538e0b65396052f7e591cc0
SHA512: 8be7a33123fc06a90c815e27e79741c88795a14a4fee7e9643d1433fabae0a6cf9bb6e1b6f64aab869f06dd2616d9c3670739da58cbc0bf6ccb5778130136b3f

Filesize: 725KB
MD5: d5fd87602c58b9606302a094e93c259e
SHA1: d27b267ce8cd5169a27d7b4064ff585442b3cbf9
SHA256: 82fa8909ddefad9457a3c0f7d7967c661bc7f42f3e303a7ce4ab7a4f08b24fb6
SHA512: ca32f7f694bc5ad2471fbdd4535c4327306d8a53533dfc74f4ca683a7e72f3711bbc60101dc6546af58035bb8edb71b44596832231c68797ed83534dc5b17775

Filesize: 579KB
MD5: 234d14c30242cbcab033c2643ff6ed5b
SHA1: 872e049593a042b5b60778ee880bc482fdf47010
SHA256: 1145f34b1a1af22e900de9d1ba58fead4380cb2c527515cadc090fa076028721
SHA512: 066e433ac9c488d1078e54340319a89afda2f40192771c01d46a42ac2e480d2c682ef23d822b2f60f33a2d49c1c97c8a034430dadef417627e57b6733cf315b3

Filesize: 458KB
MD5: 9e2c6b1746252312c26ea5932ea50276
SHA1: a76a69375392c6ffa22e813f001cab28f302d463
SHA256: 3a595a0ab8c850cc7be91df8e984e4731d681db0418a781d588200609422b367
SHA512: 4c65419b2a749ca4b82ef0c3709c63861ec40a42b6b88be4502a953fb4d7fdc52016b4816ec6f67e8f677450b4328807b55a6ab28f79ea0147900369c53e4e34

Filesize: 175KB
MD5: 1b2d9f4d585ec25a019d37b68b27a0fb
SHA1: 6d85693fb876d02a76a414a3dac86ba6a5cfaa4c
SHA256: 358f2fa639c8257f62bbdf1248a4b5314b373bc8d518ed3d33d30321e472c674
SHA512: 110760a43dc6a2e957d95cbb659fc4a8e5aa6cb6fa7d259679ea329d23733cdf28c0aff7df413527deac24ffc8afce45ff5fbcde07f7176a572f42f53d5be5bf

Filesize: 142KB
MD5: 4bb63be223a25221f7bb6842ae82fb23
SHA1: ec7cd62e6daf98d865bbdc98ac146d09156876c3
SHA256: a15c8ccda5610fcb7b3de92969bf9e3d3230c79a69ce7b2f446f697b39923385
SHA512: 642d55aa55eeda0648fb06661b79bdb5c26f5e5477ec52e068ea25e95bed23e82bb9d2df1c766a2a8c51d26dc979509e97a37ad300c5d278b41c1eadb6717dcf