Analysis

max time kernel: 300s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 19-02-2024 00:05
Static task: static1

Behavioral task: behavioral1
  Sample: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Resource: win10-20240214-en
General

Target: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
Size: 232KB
MD5: 7c376aee2b6cbf0e428d06ddcfca9b07
SHA1: da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70
SHA256: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd
SHA512: f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33
SSDEEP: 3072:GeWZ+YBZ31CYqCq+r6WgJmlRUlMwMQJMVRRm8ds:Yv3kfI+XG
Malware Config

Extracted (1)
  smokeloader
  pub3

Extracted (2)
  smokeloader
  2022
  C2 URLs:
  - http://sjyey.com/tmp/index.php
  - http://babonwo.ru/tmp/index.php
  - http://mth.com.ua/tmp/index.php
  - http://piratia.pw/tmp/index.php
  - http://go-piratia.ru/tmp/index.php
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Deletes itself (1 IoC)
  Processes:
  pid 1188 (no image name recorded in the report)

- Executes dropped EXE (1 IoC)
  Processes:
  pid 1716, process ciifgtu

- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description    | ioc                                               | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | ciifgtu
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | ciifgtu
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | ciifgtu
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  | e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 2052, process e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe (2 IoCs)
  pid 1188, no image name recorded (remaining 62 IoCs)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid 2052, process e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  pid 1716, process ciifgtu

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeShutdownPrivilege, pid 1188

- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  PID 2952 (taskeng.exe) wrote to memory of PID 1716 (ciifgtu), 4 times
Processes

C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe (PID 2052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\taskeng.exe (PID 2952)
  Command line: taskeng.exe {189493B3-9750-4FF3-BE8C-0572A1BBBE27} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ciifgtu (PID 1716, child of PID 2952)
    Command line: C:\Users\Admin\AppData\Roaming\ciifgtu
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
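Added example, not part of the sandbox report: triage logic in Python run over constructed event lines modelled on the process tree and registry IOCs above. It rebuilds the process tree and flags the behaviours the signatures call out: reads of the SCSI Enum key, an extension-less dropped binary started from %AppData%\Roaming by taskeng.exe, and cross-process memory writes. It also reduces the extracted C2 URLs to hostnames for blocking. The `kind key=value` line format, the parent PID 1000, and the extra Cryptography registry line are constructed; the sandbox does not emit this format.

```python
"""Triage of constructed sandbox-style events modelled on the report above.
Rebuilds the process tree and flags: SCSI Enum registry access (a common
VM/sandbox check), an extension-less binary run from %AppData%\\Roaming by
taskeng.exe, and cross-process memory writes. Added example, not report output."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE = "e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe"

# Constructed event lines (not sandbox output). PIDs and paths mirror the report;
# ppid=1000 and the Cryptography key line are made up to exercise the logic.
EVENTS = f"""
process_start pid=2052 ppid=1000 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}
registry pid=2052 op=enumerated key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
registry pid=2052 op=opened key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
registry pid=2052 op=queried key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
registry pid=2052 op=queried key=\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Cryptography
process_start pid=2952 ppid=1000 image=C:\\Windows\\system32\\taskeng.exe
process_start pid=1716 ppid=2952 image=C:\\Users\\Admin\\AppData\\Roaming\\ciifgtu
write_process_memory pid=2952 target=1716
registry pid=1716 op=opened key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
registry pid=1716 op=queried key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
"""

# C2 URLs as listed in the extracted config above.
C2_URLS = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
SCSI_KEY = re.compile(r"\\Enum\\SCSI$", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def parse_events(text):
    """Each line is '<kind> k=v k=v ...'; values contain no spaces."""
    events = []
    for line in text.strip().splitlines():
        kind, _, rest = line.partition(" ")
        fields = dict(KEY_VALUE.findall(rest))
        fields["kind"] = kind
        events.append(fields)
    return events


def build_tree(events):
    """pid -> {ppid, image, children} from process_start events."""
    procs = {}
    for e in events:
        if e["kind"] == "process_start":
            procs[int(e["pid"])] = {"ppid": int(e["ppid"]), "image": e["image"], "children": []}
    for pid, p in procs.items():
        if p["ppid"] in procs:
            procs[p["ppid"]]["children"].append(pid)
    return procs


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(events):
    """Return {finding_name: set(...)} for the behaviours called out in the report."""
    procs = build_tree(events)
    findings = defaultdict(set)
    for e in events:
        pid = int(e["pid"])
        if e["kind"] == "registry" and SCSI_KEY.search(e["key"]):
            findings["scsi_enum_access"].add(pid)
        elif e["kind"] == "write_process_memory" and int(e["target"]) != pid:
            findings["cross_process_write"].add((pid, int(e["target"])))
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if ROAMING.search(p["image"]) and parent and basename(parent["image"]).lower() == "taskeng.exe":
            findings["scheduled_task_runs_roaming_binary"].add(pid)
        if "." not in basename(p["image"]):
            findings["extensionless_image"].add(pid)
    return dict(findings)


def per_pid(findings):
    """Group findings by the affected process; a memory write is attributed to its target."""
    hits = defaultdict(set)
    for name, items in findings.items():
        for item in items:
            hits[item[1] if isinstance(item, tuple) else item].add(name)
    return dict(hits)


def c2_hosts(urls):
    """Hostnames from the extracted C2 URLs, for a DNS or proxy blocklist."""
    return sorted({urlsplit(u).hostname for u in urls})


if __name__ == "__main__":
    events = parse_events(EVENTS)
    for name, items in sorted(triage(events).items()):
        print(f"{name}: {sorted(items)}")
    print("per-process:", per_pid(triage(events)))
    print("C2 hosts:", c2_hosts(C2_URLS))
```

A read of the SCSI Enum key on its own is a weak signal: disk utilities and installers read it too. The point of `per_pid` is to score the combination the report shows for PID 1716 (SCSI check, extension-less image under Roaming, launched by the task scheduler, written to by its parent), which is far harder to explain benignly than any one of those alone.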
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 232KB
MD5: 7c376aee2b6cbf0e428d06ddcfca9b07
SHA1: da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70
SHA256: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd
SHA512: f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33