Analysis
Max time kernel: 300s
Max time network: 300s
Platform: windows10-1703_x64
Resource: win10-20240214-en
Resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 21-02-2024 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
  Resource: win10-20240214-en
General
Target: 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
Size: 135KB
MD5: f44d0f75c3746989168af456468d553c
SHA1: 1bda6154c5dc86f5132fab036a30ae3b55041593
SHA256: 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2
SHA512: 524a44375acf65cc1daf98c4ed281ca8b6e8d128b0a76a05dd2a543c78d8357ea6e81baa1ad487a8f36280a4bd2c5c757e68467359e26876ba56328927ab406f
SSDEEP: 1536:93HKFCXebMDnye3MtblERG2DnWQezmfsHL7bcVnhzU+dhj1eE37i9SOpk6ovchdf:5HKCXeC3VdCHnE9Uch5p7iIXQEs1
Malware Config
Extracted: smokeloader (pub3)
Extracted: smokeloader (2022)
C2:
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
pid | process
3300 | (not recorded; PID 3300 does not appear in the Processes list below)

Executes dropped EXE (1 IoC)
pid | process
4604 | ducucie

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments: the subkeys under Enum\SCSI carry the disk vendor and product identifier strings, and on a virtual machine these typically name the hypervisor's virtual disk rather than a physical drive.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ducucie
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ducucie
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ducucie
Both the submitted sample and the dropped file ducucie perform the full open, query and enumerate sequence on the key.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process
3592 | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe (2 entries)
3300 | (not recorded; all remaining entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | process
3592 | 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
4604 | ducucie

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeShutdownPrivilege | 3300 | (not recorded)
Token: SeCreatePagefilePrivilege | 3300 | (not recorded)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe"
PID: 3592
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\ducucie
Command line: C:\Users\Admin\AppData\Roaming\ducucie
PID: 4604
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
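The findings above can be checked mechanically rather than read off the page. The Python below is an added example, not part of the sandbox report or of any tool the report was produced by; it transcribes the registry IoCs, the process list, the privilege-token rows, the extracted C2 URLs and the hashes from this page as inline data (marked as such in the comments) and evaluates a few checks over them: which processes ran the full open/query/enumerate sequence on Enum\SCSI, which image executed from the Roaming AppData folder, what the C2 list has in common, whether the file listed under Downloads is byte-identical to the sample, and which PID adjusted privileges without appearing in the process list. The function names and the rule thresholds are my own choices.

```python
"""Mechanical checks over the IoCs listed in this sandbox report (added example)."""
import re
from urllib.parse import urlparse

SAMPLE_EXE = "1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2.exe"
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# Rows transcribed from the "Checks SCSI registry key(s)" signature: (operation, key, process).
REGISTRY_EVENTS = [
    ("Key opened", SCSI_KEY, SAMPLE_EXE),
    ("Key queried", SCSI_KEY, SAMPLE_EXE),
    ("Key enumerated", SCSI_KEY, SAMPLE_EXE),
    ("Key opened", SCSI_KEY, "ducucie"),
    ("Key queried", SCSI_KEY, "ducucie"),
    ("Key enumerated", SCSI_KEY, "ducucie"),
]

# Rows transcribed from the "Processes" section: (pid, image path).
PROCESSES = [
    (3592, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_EXE),
    (4604, r"C:\Users\Admin\AppData\Roaming\ducucie"),
]

# Rows transcribed from "Suspicious use of AdjustPrivilegeToken": (pid, privilege).
TOKEN_EVENTS = [(3300, "SeShutdownPrivilege"), (3300, "SeCreatePagefilePrivilege")]

# C2 URLs from the extracted smokeloader (2022) configuration.
C2_URLS = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]

# Digests from the "General" section and from the file listed under "Downloads".
SAMPLE_HASHES = {
    "md5": "f44d0f75c3746989168af456468d553c",
    "sha1": "1bda6154c5dc86f5132fab036a30ae3b55041593",
    "sha256": "1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2",
}
DOWNLOAD_HASHES = {
    "md5": "f44d0f75c3746989168af456468d553c",
    "sha1": "1bda6154c5dc86f5132fab036a30ae3b55041593",
    "sha256": "1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2",
}


def scsi_probing_processes(events):
    """Processes that opened, queried AND enumerated a key under Enum\\SCSI.

    Requiring all three operations keeps a single benign open (a driver installer
    looking up one device) from firing the rule.
    """
    needed = {"key opened", "key queried", "key enumerated"}
    ops_by_proc = {}
    for op, key, proc in events:
        if re.search(r"\\enum\\scsi(\\|$)", key, re.IGNORECASE):
            ops_by_proc.setdefault(proc, set()).add(op.lower())
    return sorted(p for p, ops in ops_by_proc.items() if needed <= ops)


def roaming_appdata_images(processes):
    """Images executed from the per-user Roaming AppData folder, where this sample parks its copy."""
    pattern = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)
    return [(pid, path) for pid, path in processes if pattern.match(path)]


def c2_profile(urls):
    """Sorted C2 hosts plus the set of gate paths; a single shared path is what to pivot on."""
    parsed = [urlparse(u) for u in urls]
    return sorted(p.hostname for p in parsed), {p.path for p in parsed}


def download_matches_sample(sample, download):
    """True when every listed digest of the downloaded file equals the sample's digest."""
    return all(sample[k].lower() == download[k].lower() for k in ("md5", "sha1", "sha256"))


def unlisted_privileged_pids(token_events, processes):
    """PIDs that adjusted token privileges but have no entry in the process list."""
    known = {pid for pid, _ in processes}
    return sorted({pid for pid, _ in token_events if pid not in known})


def verdict():
    """Collect every check into one dict, the shape a triage script would emit."""
    hosts, paths = c2_profile(C2_URLS)
    return {
        "scsi_probing_processes": scsi_probing_processes(REGISTRY_EVENTS),
        "roaming_appdata_images": roaming_appdata_images(PROCESSES),
        "c2_hosts": hosts,
        "c2_gate_paths": sorted(paths),
        "download_matches_sample": download_matches_sample(SAMPLE_HASHES, DOWNLOAD_HASHES),
        "unlisted_privileged_pids": unlisted_privileged_pids(TOKEN_EVENTS, PROCESSES),
    }


if __name__ == "__main__":
    for name, value in verdict().items():
        print(f"{name}: {value}")
```

The SCSI rule deliberately requires all three registry operations by the same process; the EnumeratesProcesses and AdjustPrivilegeToken rows for PID 3300 are kept separate because the report never names that process, so the script reports the PID as unlisted rather than guessing at an image.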
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 135KB
MD5: f44d0f75c3746989168af456468d553c
SHA1: 1bda6154c5dc86f5132fab036a30ae3b55041593
SHA256: 1a0c9d76d6bd6cf708c1939bb3f4748ccb40b0a4b0c880c6eba432be1a5910f2
SHA512: 524a44375acf65cc1daf98c4ed281ca8b6e8d128b0a76a05dd2a543c78d8357ea6e81baa1ad487a8f36280a4bd2c5c757e68467359e26876ba56328927ab406f
Size and all four digests match the submitted sample listed under General, so this download is a byte-identical copy of it.