Analysis
- max time kernel: 300s
- max time network: 280s
- platform: windows10-1703_x64
- resource: win10-20240214-en
- resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22-02-2024 04:47
Static task: static1
Behavioral task: behavioral1
- Sample: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Resource: win10-20240214-en
General
- Target: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- Size: 214KB
- MD5: 24e4c36f839b0e30e8bdad2571403918
- SHA1: bb1132c794c8cd67aff3cd78ea0c00296cb0bdcf
- SHA256: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642
- SHA512: 2cd0abfcfb774856a6b7dbe094e18fee19ca4a814448ddec9388442471bac75299de89fe46ad17950e970403babafb3cbd43e62e003a513621842be87f19db40
- SSDEEP: 3072:4WC/TP273C7QR2GkQZg7eOtFW7tE7dFoHhSIK5JIV:RT73X2GkQZz4FQtGdof6I
Malware Config
Extracted
- Family: smokeloader
- pub3
Extracted
- Family: smokeloader
- Version: 2022
- C2:
  http://sjyey.com/tmp/index.php
  http://babonwo.ru/tmp/index.php
  http://mth.com.ua/tmp/index.php
  http://piratia.pw/tmp/index.php
  http://go-piratia.ru/tmp/index.php
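The five C2 endpoints above are the most directly actionable indicators in this report. The following is an added example, not code from the sandbox or from the sample, showing how to turn that list into a sweep over web-proxy logs: it matches on host plus path (so a TLS or alternate-port variant of the same gate still hits) and separately surfaces other paths on a C2 host for review. The log lines are constructed, and their layout (timestamp, client, method, URL, status, space-separated) is an assumed format rather than any particular proxy's.

```python
"""Match the SmokeLoader C2 endpoints extracted above against proxy logs.

Added example for this report, not code from the sandbox or the sample.
The five URLs are the C2 list from the extracted config; the log lines are
constructed, and their layout (timestamp client method url status,
space-separated) is an assumed format, not any particular proxy's.
"""
from urllib.parse import urlsplit

# C2 endpoints from the extracted smokeloader config on this page.
C2_URLS = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]

# Derived indicators: exact (host, path) pairs, plus the bare hosts so that
# other paths on a C2 host still surface for review.
C2_HOST_PATHS = {(urlsplit(u).hostname, urlsplit(u).path) for u in C2_URLS}
C2_HOSTS = {host for host, _ in C2_HOST_PATHS}

# Constructed log lines (assumed format: ts client method url status).
SAMPLE_LOG = """\
2024-02-22T04:48:01Z 10.0.0.15 POST http://sjyey.com/tmp/index.php 200
2024-02-22T04:48:03Z 10.0.0.15 GET http://example.com/index.html 200
2024-02-22T04:48:09Z 10.0.0.15 POST http://BABONWO.RU/tmp/index.php 000
2024-02-22T04:48:12Z 10.0.0.22 GET http://mth.com.ua/images/logo.png 200
2024-02-22T04:48:15Z 10.0.0.22 POST https://go-piratia.ru:8443/tmp/index.php 503
"""


def classify(url: str) -> str:
    """Return "c2" for an exact C2 endpoint, "host" for another path on a
    C2 host, otherwise "clean".  Scheme and port are deliberately ignored so
    a TLS or alternate-port variant of the same gate still matches; the
    hostname is compared case-insensitively."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if (host, parts.path) in C2_HOST_PATHS:
        return "c2"
    if host in C2_HOSTS:
        return "host"
    return "clean"


def scan_log(text: str) -> list[tuple[int, str, str, str]]:
    """Return (line_no, verdict, client, url) for each line that is not clean."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line; skip rather than abort the sweep
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify(url)
        if verdict != "clean":
            hits.append((n, verdict, client, url))
    return hits


if __name__ == "__main__":
    for line_no, verdict, client, url in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:<4} {client} -> {url}")
```

Against the constructed lines, the sweep reports lines 1, 3 and 5 as exact C2 hits (the upper-case host and the https:8443 variant included) and line 4 as a C2 host on a different path; the status code is deliberately not consulted, since a failed connection to a gate (status 000 here) is as interesting as a successful one.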
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
Processes:
- pid 3296 (process name not recorded in the report)
-
Executes dropped EXE (1 IoC)
Processes:
- pid 2068 fvtwdij
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
The subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are device IDs that carry the vendor and product strings of attached SCSI disks; malware reads them to recognise virtual disks and so detect a sandbox or analysis VM.
Processes (description, ioc, process):
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fvtwdij)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
- Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fvtwdij)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (fvtwdij)
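The three operations the sandbox logged per process (open, query, enumerate) are the minimum needed to walk that key and read the device-ID subkey names. The following is an added example, not code from the sandbox or the sample, that performs the same walk on a Windows host with the standard `winreg` module and classifies each device ID; it also runs offline against a constructed list of IDs. The list of hypervisor vendor tokens is an assumption covering common hypervisors, not an exhaustive one, and the constructed device IDs are illustrative rather than taken from the report.

```python
"""Audit HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI for virtual-disk vendor strings.

Added example, not code from the sandbox or the sample.  The sample opens,
queries and enumerates this key; the usual purpose is to read the device
IDs of the attached SCSI disks and look for a virtualization vendor.  This
script does the same read on a live Windows host (winreg.OpenKey,
QueryInfoKey and EnumKey map to the RegOpenKeyEx, RegQueryInfoKey and
RegEnumKey calls behind the three logged operations) and, for offline use,
classifies a constructed list of device IDs.  VM_TOKENS is an assumed list
of common hypervisor vendor strings, not an exhaustive one.
"""
import re
import sys

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product substrings that identify a virtual disk (assumption).
# "msft"/"virtual" catch Hyper-V, but Storage Spaces and iSCSI targets also
# present as Msft Virtual_Disk on physical hosts, so treat those as noisy.
VM_TOKENS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "msft", "virtual")

# Device-ID subkey names follow  <Class>&Ven_<vendor>&Prod_<product>[&Rev_...]
DEVICE_ID_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.I
)

# Constructed device IDs for offline use (illustrative, not from the report).
CONSTRUCTED_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM",
    "Disk&Ven_Msft&Prod_Virtual_Disk",
    "Disk&Ven_NVMe&Prod_Samsung_SSD_970",
    "Disk&Ven_&Prod_ST1000DM003-1CH162",
]


def parse_device_id(name: str):
    """Split a SCSI device-ID subkey name into (class, vendor, product),
    or return None if the name does not follow the device-ID layout."""
    m = DEVICE_ID_RE.match(name)
    if m is None:
        return None
    return m.group("cls"), m.group("ven"), m.group("prod")


def is_virtual(name: str) -> bool:
    """True if the vendor or product string names a known hypervisor."""
    parsed = parse_device_id(name)
    if parsed is None:
        return False
    _cls, ven, prod = parsed
    haystack = f"{ven} {prod}".lower()
    return any(token in haystack for token in VM_TOKENS)


def audit(device_ids) -> list[str]:
    """Return the device IDs that would give a VM-aware sample its answer."""
    return sorted(n for n in device_ids if is_virtual(n))


def read_scsi_device_ids() -> list[str]:
    """Enumerate the subkey names of the SCSI key on a live Windows host."""
    import winreg  # Windows only; imported lazily so the rest runs anywhere

    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for index in range(subkey_count):
            names.append(winreg.EnumKey(key, index))
    return names


if __name__ == "__main__":
    ids = read_scsi_device_ids() if sys.platform == "win32" else CONSTRUCTED_IDS
    flagged = audit(ids)
    print(f"{len(ids)} SCSI device IDs, {len(flagged)} look virtual:")
    for name in flagged:
        print("  ", name)
```

On an analysis VM this is a quick way to see exactly what the sample saw; the defensive fix is to change the disk vendor and product strings the hypervisor presents (or to hook the registry read), not to hide the key itself, since a missing Enum\SCSI key is itself a tell.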
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- pid 1136 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe (2 events)
- pid 3296 (62 events; process name not recorded in the report)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- pid 1136 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
- pid 2068 fvtwdij
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid):
- Token: SeShutdownPrivilege, pid 3296
- Token: SeCreatePagefilePrivilege, pid 3296
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
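The report records only that the sample called into the Task Scheduler COM API; it does not show the task that was registered. A task created through COM lands in the same task store that `schtasks` reads, so the practical check on a suspect host is to list every task and flag those whose action starts from a location a standard user can write to. The following is an added example, not code from the sandbox or the sample: it parses the verbose CSV that `schtasks /query /fo CSV /v` emits and flags such tasks. The CSV embedded in it is constructed with a subset of the real columns; the fvtwdij row is modelled on the dropped-file path in the process list below and is an assumption about what such a task could look like, not an observation from this report. The list of user-writable locations is also an assumption to be tuned per environment.

```python
"""Flag scheduled tasks whose action runs from a user-writable path.

Added example for this report, not code from the sandbox or the sample.
The report records only that the sample used the Task Scheduler COM API;
the task it created is not shown.  This script parses the verbose CSV that
`schtasks /query /fo CSV /v` emits and flags tasks whose "Task To Run"
sits under a profile or temp directory.  SAMPLE_CSV is constructed with a
subset of the real columns; its fvtwdij row is modelled on the dropped-file
path in the process list and is an assumption, not an observation.
"""
import csv
import io
import re
import subprocess

# Column headers as written by schtasks /fo CSV /v on an English system.
COL_NAME = "TaskName"
COL_ACTION = "Task To Run"
COL_RUN_AS = "Run As User"

# Paths a standard user can write to (assumed list; tune per environment).
USER_WRITABLE_RE = re.compile(
    r'^"?[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\'
    r'|^"?[a-z]:\\(programdata|windows\\temp|temp)\\'
    r'|^"?%(appdata|localappdata|temp|tmp|userprofile)%',
    re.I,
)

# Constructed schtasks output (column subset).  The repeated header line in
# the middle mimics what schtasks prints when it moves to another task folder.
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WIN10","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM","Weekly"
"WIN10","\fvtwdij","C:\Users\Admin\AppData\Roaming\fvtwdij","Admin","At logon time"
"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WIN10","\Vendor\Updater","""C:\Program Files\Vendor\updater.exe"" /silent","Admin","Daily"
"WIN10","\OneDriveSync","%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe /background","Admin","At logon time"
'''


def flag_tasks(csv_text: str) -> list[tuple[str, str, str]]:
    """Return (task name, action, run-as user) for every task whose action
    starts in a user-writable location."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get(COL_NAME) == COL_NAME:
            continue  # schtasks repeats the header line per task folder
        action = (row.get(COL_ACTION) or "").strip()
        if USER_WRITABLE_RE.match(action):
            hits.append((row[COL_NAME], action, row.get(COL_RUN_AS) or ""))
    return hits


def live_schtasks_csv() -> str:
    """Run schtasks on the local Windows host and return its CSV output."""
    proc = subprocess.run(
        ["schtasks", "/query", "/fo", "CSV", "/v"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Swap SAMPLE_CSV for live_schtasks_csv() on a Windows host under review.
    for name, action, user in flag_tasks(SAMPLE_CSV):
        print(f"{name!r:32} runs as {user or '?':8} -> {action}")
```

Against the constructed rows the check flags the fvtwdij task and the OneDrive task, and nothing under %windir% or Program Files. The OneDrive hit is the expected false positive: per-user applications legitimately live under LocalAppData, so in practice the output is triaged by signer or hash of the target binary rather than treated as a verdict on its own.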
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 1136
-
Image: C:\Users\Admin\AppData\Roaming\fvtwdij
Command line: C:\Users\Admin\AppData\Roaming\fvtwdij
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID: 2068
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 214KB
MD5: 24e4c36f839b0e30e8bdad2571403918
SHA1: bb1132c794c8cd67aff3cd78ea0c00296cb0bdcf
SHA256: 1cce3920d92add36243abaa69056c5fbbdb5ed05af6c379ae1a6f1b28c2e8642
SHA512: 2cd0abfcfb774856a6b7dbe094e18fee19ca4a814448ddec9388442471bac75299de89fe46ad17950e970403babafb3cbd43e62e003a513621842be87f19db40