Malware Analysis Report

2024-11-30 04:51

Sample ID 240222-v17zfsdd86
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags
smokeloader tfd5 backdoor trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader tfd5 backdoor trojan

SmokeLoader

Executes dropped EXE

Deletes itself

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 17:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 17:28

Reported

2024-02-22 17:33

Platform

win10v2004-20240221-en

Max time kernel

300s

Max time network

273s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sjgugdv N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sjgugdv N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sjgugdv N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\sjgugdv N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sjgugdv N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Users\Admin\AppData\Roaming\sjgugdv

C:\Users\Admin\AppData\Roaming\sjgugdv

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 233.81.204.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 tradein-myus.com udp
US 8.8.8.8:53 trade-inmyus.com udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

memory/2140-1-0x0000000000700000-0x0000000000800000-memory.dmp

memory/2140-2-0x00000000006F0000-0x00000000006FB000-memory.dmp

memory/2140-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3520-4-0x00000000008C0000-0x00000000008D6000-memory.dmp

memory/2140-5-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2140-8-0x00000000006F0000-0x00000000006FB000-memory.dmp

C:\Users\Admin\AppData\Roaming\sjgugdv

MD5 6958acc382e71103a0b83d20bbbb37d2
SHA1 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512 ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae

memory/2496-15-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/2496-16-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3520-17-0x00000000008F0000-0x0000000000906000-memory.dmp

memory/2496-20-0x0000000000400000-0x000000000044A000-memory.dmp