Analysis
- max time kernel: 300s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 21-02-2024 04:58
Static task: static1
Behavioral task: behavioral1
- Sample: 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
- Resource: win10-20240214-en
General
- Target: 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
- Size: 140KB
- MD5: fcb0fb8bba03aa7272d74cf4fa222889
- SHA1: 15ebe4683e9dca78d430a0b3e0ea2e824d947d70
- SHA256: 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d
- SHA512: 0bebaa1ffad0fa62b99e3aea8e853d3fbe8c02af15661524db2bb2df0639343ae7d124e2464f098f0472cd1a65ee3bb0b54703b34703b17453c59550300fcfca
- SSDEEP: 3072:yvBSZHsPMUKdL6tf6eT2UNGNquenY7+P:yvGMPMhF6t2nOn
Malware Config
Extracted: smokeloader
- pub3
Extracted: smokeloader
- 2022
- http://sjyey.com/tmp/index.php
- http://babonwo.ru/tmp/index.php
- http://mth.com.ua/tmp/index.php
- http://piratia.pw/tmp/index.php
- http://go-piratia.ru/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes (pid, process):
  1380
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  2904 dftecgt
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dftecgt
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dftecgt
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  dftecgt
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  624 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe (2 IoCs)
  1380 (the remaining IoCs, all from pid 1380; no process name listed)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
  624 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
  2904 dftecgt
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeShutdownPrivilege  1380
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  PID 1580 wrote to memory of 2904  1580 taskeng.exe  dftecgt (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 624
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3FD893B9-8A7F-4C57-8355-E3B7805E5C98} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1580
  - C:\Users\Admin\AppData\Roaming\dftecgt (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\dftecgt
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 2904
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 140KB
- MD5: fcb0fb8bba03aa7272d74cf4fa222889
- SHA1: 15ebe4683e9dca78d430a0b3e0ea2e824d947d70
- SHA256: 92b95597a7dde38ab3c182a7df8f27b8193370755b3f453a71b50fa670afcf8d
- SHA512: 0bebaa1ffad0fa62b99e3aea8e853d3fbe8c02af15661524db2bb2df0639343ae7d124e2464f098f0472cd1a65ee3bb0b54703b34703b17453c59550300fcfca