Analysis
-
max time kernel: 300s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 23-02-2024 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
  Resource: win10-20240214-en
General
- Target: 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
- Size: 136KB
- MD5: d7396862e257bd1cd7e8741eb543f147
- SHA1: 73a69269e5fdd90df5e1a470d8bb032ea562ad7a
- SHA256: 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840
- SHA512: 44b5a79bebc0e972baa76d408c5107b8eeafba6d722968f74367b12e3290c645e4c6746c8ab4b2362cef03516760b393e5f9477cb5152034f4c85614c1c2b435
- SSDEEP: 3072:lvv3PzGScDkVG8R7eK/ix5cC04p/P79KhIF/f9W:V3yScQVXR7ejcCZ/Pfp
Malware Config
Extracted
Family: smokeloader
Identifier: pub3
Extracted
Family: smokeloader
Version: 2022
C2 URLs:
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
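The extracted C2 list is only useful once it is turned into a check that runs over real traffic. The script below is an added example, not part of the sandbox report or of any vendor tooling: it takes the five C2 URLs from this config, builds a host allow/deny set, and scans constructed proxy log lines for two things, a hit on a known C2 host and (as a labelled assumption) a POST to the SmokeLoader-style path `/tmp/index.php` on a host the config did not list. The log format, the client IPs and the decoy hosts are all invented for the example.

```python
import re
from urllib.parse import urlparse

# C2 URLs taken from the extracted SmokeLoader config on this page.
C2_URLS = [
    "http://sjyey.com/tmp/index.php",
    "http://babonwo.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]

# Assumption: SmokeLoader beacons with HTTP POST to <host>/tmp/index.php,
# so a POST to that path on an unlisted host is flagged as a weaker hit.
C2_PATH = "/tmp/index.php"

# Constructed proxy log lines (not from the sandbox report):
# "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
2024-02-23T04:48:01Z 10.0.0.5 POST http://sjyey.com/tmp/index.php 200
2024-02-23T04:48:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2024-02-23T04:48:03Z 10.0.0.7 POST http://unknown-host.test/tmp/index.php 404
2024-02-23T04:48:04Z 10.0.0.9 GET http://babonwo.ru/tmp/index.php 200
2024-02-23T04:48:05Z 10.0.0.5 GET http://example.org/tmp/index.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def c2_hosts(urls=C2_URLS):
    """Lower-cased set of C2 hostnames taken from the config URLs."""
    return {urlparse(u).hostname.lower() for u in urls}


def classify(line, hosts):
    """Return (client, verdict, host) for a suspicious line, else None.

    verdict is "known_c2" when the host is in the extracted config and
    "c2_pattern" when an unlisted host receives a POST to the SmokeLoader path.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    parsed = urlparse(m.group("url"))
    host = (parsed.hostname or "").lower()
    if host in hosts:
        return (m.group("client"), "known_c2", host)
    if m.group("method") == "POST" and parsed.path == C2_PATH:
        return (m.group("client"), "c2_pattern", host)
    return None


def scan(log_text, urls=C2_URLS):
    """Run classify() over every line of a proxy log; return the hits in order."""
    hosts = c2_hosts(urls)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        verdict = classify(line, hosts)
        if verdict:
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for client, verdict, host in scan(SAMPLE_PROXY_LOG):
        print(f"{client}: {verdict} -> {host}")
```

Matching on hostname rather than the full URL catches a beacon that changes its path or query string, which is why the known-host rule fires for the GET to babonwo.ru even though the method does not fit the beacon pattern; the path heuristic is kept POST-only to limit false positives on ordinary web browsing.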
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
Processes:
PID 1064 (process image not recorded in the report)
-
Executes dropped EXE (1 IoC)
Processes:
PID 2440 atvwhwe
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description / IoC / process):
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  atvwhwe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  atvwhwe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  atvwhwe
Both the original sample (PID 2924) and the dropped copy atvwhwe (PID 2440) perform the same open, query and enumerate sequence on the SCSI enumeration key. System components and legitimate software read this key as well, so the image path of the reading process, not the key alone, carries the signal.
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
PID 2924 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe (2 IoCs)
PID 1064 (process image not recorded in the report; 62 IoCs)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
PID 2924 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
PID 2440 atvwhwe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid):
Token: SeShutdownPrivilege  PID 1064
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description / pid / process / target process):
PID 1648 taskeng.exe wrote to memory of PID 2440 atvwhwe (4 times)
A parent writing into a child it has just created is normal during process start-up, so this signature on its own is weak evidence. What matters here is the pairing: the Task Scheduler engine (taskeng.exe) is starting a dropped, extension-less binary from the user's AppData\Roaming directory.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2924
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {67514099-05AB-4FE3-88F8-7146F0446CD9} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID:1648
  Child process:
  C:\Users\Admin\AppData\Roaming\atvwhwe
  Command line: C:\Users\Admin\AppData\Roaming\atvwhwe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2440
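The process tree shows the two host-side behaviours worth turning into detection logic: a binary outside the OS and program directories reading the SCSI enumeration key, and taskeng.exe launching a dropped file from AppData\Roaming. The script below is an added example, not part of the report or of any vendor product. It runs two rules over constructed Sysmon-style events; the events for PIDs 2924, 2440 and 1648 mirror what the report shows, while the svchost.exe and notepad.exe events are benign decoys invented to exercise the rules. Matching ControlSet001 and CurrentControlSet alike is an assumption that generalises slightly beyond the report, which only shows ControlSet001.

```python
import re

# Assumption: treat the SCSI enumeration key under any control set as the
# probe target; the report shows ControlSet001, CurrentControlSet is its alias.
SCSI_KEY_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI(\\|$)",
    re.IGNORECASE,
)

# Images under these roots are treated as trusted for the SCSI rule;
# a user-writable location is where a dropped loader lives.
TRUSTED_IMAGE_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\atvwhwe"
TASKENG = r"C:\Windows\system32\taskeng.exe"

# Constructed telemetry in a Sysmon-like shape (not the report's own events).
# PIDs 2924/2440/1648 mirror the report; svchost and notepad are benign decoys.
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 2924, "image": SAMPLE, "op": "open",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"type": "registry", "pid": 812, "image": r"C:\Windows\System32\svchost.exe", "op": "query",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"},
    {"type": "process", "pid": 2440, "image": DROPPED,
     "parent_pid": 1648, "parent_image": TASKENG},
    {"type": "process", "pid": 3000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_pid": 1648, "parent_image": TASKENG},
    {"type": "registry", "pid": 2440, "image": DROPPED, "op": "enumerate",
     "key": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI"},
]


def basename(path):
    """Last path component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_trusted_image(image):
    """True when the image sits under an OS or program-files root."""
    return image.lower().startswith(TRUSTED_IMAGE_ROOTS)


def rule_scsi_probe(ev):
    """Registry access to the SCSI enumeration key from a non-trusted image."""
    if ev["type"] != "registry" or not SCSI_KEY_RE.match(ev["key"]):
        return None
    if is_trusted_image(ev["image"]):
        return None
    return "scsi_probe"


def rule_task_launch_from_roaming(ev):
    """taskeng.exe starting a binary located under the user's AppData Roaming."""
    if ev["type"] != "process":
        return None
    if basename(ev["parent_image"]).lower() != "taskeng.exe":
        return None
    if "\\appdata\\roaming\\" not in ev["image"].lower():
        return None
    return "task_launch_roaming"


RULES = (rule_scsi_probe, rule_task_launch_from_roaming)


def detect(events):
    """Return (pid, image basename, rule name) for every event a rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((ev["pid"], basename(ev["image"]), name))
    return hits


if __name__ == "__main__":
    for pid, image, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid} {image}: {rule}")
```

The SCSI rule deliberately ignores reads from trusted roots, which is what keeps the svchost.exe decoy quiet; the same key is read by device-management code all the time, and the report's own data shows the only thing separating the loader from that noise is where its image lives.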
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 136KB
MD5: d7396862e257bd1cd7e8741eb543f147
SHA1: 73a69269e5fdd90df5e1a470d8bb032ea562ad7a
SHA256: 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840
SHA512: 44b5a79bebc0e972baa76d408c5107b8eeafba6d722968f74367b12e3290c645e4c6746c8ab4b2362cef03516760b393e5f9477cb5152034f4c85614c1c2b435