Analysis
max time kernel: 300s
max time network: 294s
platform: windows10-1703_x64
resource: win10-20240214-en
resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-02-2024 00:05
Static task: static1
Behavioral task: behavioral1
  Sample: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Resource: win10-20240214-en
General
Target: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
Size: 232KB
MD5: 7c376aee2b6cbf0e428d06ddcfca9b07
SHA1: da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70
SHA256: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd
SHA512: f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33
SSDEEP: 3072:GeWZ+YBZ31CYqCq+r6WgJmlRUlMwMQJMVRRm8ds:Yv3kfI+XG
Malware Config
Extracted
  Family: smokeloader
  Version: pub3
Extracted
  Family: smokeloader
  Version: 2022
  C2:
    http://sjyey.com/tmp/index.php
    http://babonwo.ru/tmp/index.php
    http://mth.com.ua/tmp/index.php
    http://piratia.pw/tmp/index.php
    http://go-piratia.ru/tmp/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  Processes:
    PID 3404 (process name not recorded)
Executes dropped EXE (1 IoC)
  Processes:
    PID 3264, cftgviw
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cftgviw
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cftgviw
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cftgviw
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    2536  e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe  (2 entries)
    3404  (process name not recorded; the remaining 62 entries)
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    2536  e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
    3264  cftgviw
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid):
    Token: SeShutdownPrivilege        3404
    Token: SeCreatePagefilePrivilege  3404
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd.exe"
  PID: 2536
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Level 1: C:\Users\Admin\AppData\Roaming\cftgviw
  Command line: C:\Users\Admin\AppData\Roaming\cftgviw
  PID: 3264
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 232KB
MD5: 7c376aee2b6cbf0e428d06ddcfca9b07
SHA1: da5068dc6f5b6e72b4c440c0b6213fc4aaca9c70
SHA256: e51cbc1ad281483bfad92ced80e1f4e673226b63cbc85b79108c2c9d86962cbd
SHA512: f49cbe26ff3ab729914071aa736f7673e2423e4f78d76f0e2617e8c276e8b4fca955213b9280859bc4f91ac4683845fc03ac9b4421d8fdbf233ccfad14a1bc33