Analysis
max time kernel: 300s
max time network: 263s
platform: windows10-1703_x64
resource: win10-20240214-en
resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
submitted: 21-02-2024 05:01
Static task: static1
Behavioral task: behavioral1
Sample: c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
Resource: win10-20240214-en
General
Target: c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
Size: 217KB
MD5: 92310863fd75a7f41df0825fcb3bad84
SHA1: 774e23031537b11377f2e82d92d5b70a53427706
SHA256: c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897
SHA512: b315f3ad1bb05b8e02256c744a4c55bef98b99da2ab966e0048e947053e68f03c8c7c62add133b4530ac604bcfd649b4c37e61b1367884e47abdc9093fa9c014
SSDEEP: 3072:z6DtTnCKXwwUJPwOLSoyNa+isQ2wPelfy4U9bBOEynfz5idiM:YvX09LSoWa+vQ38PUhBOu
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  pid 3312 (process name not listed in the report)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 3508  c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe (2 entries)
  pid 3312  (all remaining entries; process name not listed in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid 3508  c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Token: SeShutdownPrivilege       pid 3312
  Token: SeCreatePagefilePrivilege  pid 3312
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c996728f5ce1b3f9aa5c0eae973989541ecb0646e05540b213ff89aa93d1b897.exe"
  PID: 3508
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection