Analysis
- max time kernel: 300s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-02-2024 04:47
Static task: static1
Behavioral task: behavioral1
- Sample: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Resource: win10-20240214-en
General
- Target: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Size: 214KB
- MD5: 24e4c36f839b0e30e8bdad2571403918
- SHA1: bb1132c794c8cd67aff3cd78ea0c00296cb0bdcf
- SHA256: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642
- SHA512: 2cd0abfcfb774856a6b7dbe094e18fee19ca4a814448ddec9388442471bac75299de89fe46ad17950e970403babafb3cbd43e62e003a513621842be87f19db40
- SSDEEP: 3072:4WC/TP273C7QR2GkQZg7eOtFW7tE7dFoHhSIK5JIV:RT73X2GkQZz4FQtGdof6I
Malware Config
Extracted (1)
- Family: smokeloader
- pub3
Extracted (2)
- Family: smokeloader
- 2022
- C2 URLs:
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: PID 1208
- Executes dropped EXE (1 IoC)
  Processes: cdjswab (PID 2792)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cdjswab)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cdjswab)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (cdjswab)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 2292 (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe), 2 hits; PID 1208, all remaining hits
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: PID 2292 (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe); PID 2792 (cdjswab)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeShutdownPrivilege, PID 1208
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: PID 1208, 2 hits
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: PID 1208, 2 hits
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, PID, process, target process): PID 348 (taskeng.exe) wrote to memory of PID 2792 (cdjswab), 4 hits
Processes
- C:\Users\Admin\AppData\Local\Temp\1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe"
  PID: 2292
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1F5BD5C-BD82-49D5-A8B3-9FA3A63BBB4C} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  PID: 348
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\cdjswab (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\cdjswab
    PID: 2792
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 214KB
- MD5: 24e4c36f839b0e30e8bdad2571403918
- SHA1: bb1132c794c8cd67aff3cd78ea0c00296cb0bdcf
- SHA256: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642
- SHA512: 2cd0abfcfb774856a6b7dbe094e18fee19ca4a814448ddec9388442471bac75299de89fe46ad17950e970403babafb3cbd43e62e003a513621842be87f19db40