Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-02-2024 03:18
Static task: static1
Behavioral task: behavioral1
Sample: 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Resource: win7-20231215-en
General
Target: 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Size: 209KB
MD5: 1bbb36353f9be7af566534cd0b0dcba5
SHA1: 00dcdcc08f6dbad9b00b35f64e238afbfd2ee746
SHA256: 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c
SHA512: 6902911d8440f1462baa083261ddb497d60d553f89de3c06eb1a16ec344f56762d3cc9d75b09dca764b2dab0a4edea8d3b9b4f5e7eac7eb5e39d211c7f95110a
SSDEEP: 3072:v3b3i7GYFGoonj7oJaS30pLSWmsqKsdoDpVh3YTVxmsoPgfJ:vLSjDmYqpeJsqrdoD1AVIspf
Malware Config
Extracted: smokeloader (pub3)
Extracted: smokeloader (2022)
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Extracted: amadey (4.14)
  http://anfesq.com
  http://cbinr.com
  http://rimakc.ru
  install_dir: 68fd3d7ade
  install_file: Utsysc.exe
  strings_key: 27ec7fd6f50f63b8af0c1d3deefcc8fe
  url_paths: /forum/index.php
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (460D.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation (Utsysc.exe)

Deletes itself (1 IoCs)
Processes:
  PID 3528

Executes dropped EXE (7 IoCs)
Processes:
  PID 1420 460D.exe
  PID 4744 460D.exe
  PID 3516 Utsysc.exe
  PID 4488 wrrjccb
  PID 4436 Utsysc.exe
  PID 876 Utsysc.exe
  PID 556 Utsysc.exe

Loads dropped DLL (9 IoCs)
Processes:
  PID 4352 rundll32.exe
  PID 4408 rundll32.exe
  PID 4940 rundll32.exe
  PID 4624 rundll32.exe
  PID 848 rundll32.exe
  PID 4736 rundll32.exe
  PID 1844 rundll32.exe
  PID 3592 rundll32.exe
  PID 992 rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 1420 (460D.exe) set thread context of PID 4744 (460D.exe)
  PID 3516 (Utsysc.exe) set thread context of PID 4436 (Utsysc.exe)
  PID 876 (Utsysc.exe) set thread context of PID 556 (Utsysc.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (wrrjccb)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (wrrjccb)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (wrrjccb)

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (repeated identical entries collapsed, count in parentheses):
  PID 3012 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe (2)
  PID 3528 (62)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  PID 3012 9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
  PID 4488 wrrjccb

Suspicious use of AdjustPrivilegeToken (34 IoCs)
Processes (repeated identical entries collapsed, count in parentheses):
  PID 3528 Token: SeShutdownPrivilege (17)
  PID 3528 Token: SeCreatePagefilePrivilege (17)

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  PID 4744 460D.exe

Suspicious use of WriteProcessMemory (63 IoCs)
Processes (repeated identical entries collapsed, count in parentheses):
  PID 3528 wrote to memory of PID 1420 (460D.exe) (3)
  PID 1420 (460D.exe) wrote to memory of PID 4744 (460D.exe) (10)
  PID 4744 (460D.exe) wrote to memory of PID 3516 (Utsysc.exe) (3)
  PID 3516 (Utsysc.exe) wrote to memory of PID 4436 (Utsysc.exe) (10)
  PID 4436 (Utsysc.exe) wrote to memory of PID 3932 (schtasks.exe) (3)
  PID 4436 (Utsysc.exe) wrote to memory of PID 4352 (rundll32.exe) (3)
  PID 4352 (rundll32.exe) wrote to memory of PID 4408 (rundll32.exe) (2)
  PID 4436 (Utsysc.exe) wrote to memory of PID 4940 (rundll32.exe) (3)
  PID 4940 (rundll32.exe) wrote to memory of PID 4624 (rundll32.exe) (2)
  PID 4436 (Utsysc.exe) wrote to memory of PID 848 (rundll32.exe) (3)
  PID 848 (rundll32.exe) wrote to memory of PID 4736 (rundll32.exe) (2)
  PID 4436 (Utsysc.exe) wrote to memory of PID 1844 (rundll32.exe) (3)
  PID 876 (Utsysc.exe) wrote to memory of PID 556 (Utsysc.exe) (10)
  PID 4436 (Utsysc.exe) wrote to memory of PID 3592 (rundll32.exe) (3)
  PID 4436 (Utsysc.exe) wrote to memory of PID 992 (rundll32.exe) (3)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by process-tree depth)

Path: C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9c8871d1ee30f4310ac792b9d29e0f8e5b8a70a1409d459f6573b3ddd2c7615c.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 3012

Path: C:\Users\Admin\AppData\Local\Temp\460D.exe
Command line: C:\Users\Admin\AppData\Local\Temp\460D.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1420
  Path: C:\Users\Admin\AppData\Local\Temp\460D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\460D.exe
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 4744
    Path: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3516
      Path: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4436
        Path: C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        - Creates scheduled task(s)
        PID: 3932
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 4352
          Path: C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 4408
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 4940
          Path: C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 4624
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 848
          Path: C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
          - Loads dropped DLL
          PID: 4736
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 1844
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 3592
        Path: C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        - Loads dropped DLL
        PID: 992

Path: C:\Users\Admin\AppData\Roaming\wrrjccb
Command line: C:\Users\Admin\AppData\Roaming\wrrjccb
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID: 4488

Path: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 876
  Path: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  - Executes dropped EXE
  PID: 556
Network
MITRE ATT&CK Enterprise v15
Downloads