Analysis
max time kernel
300s
max time network
261s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags
arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
submitted
23-02-2024 04:47
Static task
static1
Behavioral task
behavioral1
Sample
04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Resource
win10-20240214-en
General
-
Target
04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
-
Size
136KB
-
MD5
d7396862e257bd1cd7e8741eb543f147
-
SHA1
73a69269e5fdd90df5e1a470d8bb032ea562ad7a
-
SHA256
04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840
-
SHA512
44b5a79bebc0e972baa76d408c5107b8eeafba6d722968f74367b12e3290c645e4c6746c8ab4b2362cef03516760b393e5f9477cb5152034f4c85614c1c2b435
-
SSDEEP
3072:lvv3PzGScDkVG8R7eK/ix5cC04p/P79KhIF/f9W:V3yScQVXR7ejcCZ/Pfp
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
PID 3308
Executes dropped EXE 1 IoCs
Processes:
ssucvgh (PID 1520)
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - ssucvgh
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - ssucvgh
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI - ssucvgh
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PID 764 - 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe (2 entries)
PID 3308 - no process name recorded (repeated for the remaining entries)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
PID 764 - 04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe
PID 1520 - ssucvgh
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Token: SeShutdownPrivilege - PID 3308
Token: SeCreatePagefilePrivilege - PID 3308
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe (command line: "C:\Users\Admin\AppData\Local\Temp\04b9dd522381f5c4d44fe5c321e963bea56e47841d8da727bcd408aa6fd05840.exe")
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:764
-
C:\Users\Admin\AppData\Roaming\ssucvgh (command line: C:\Users\Admin\AppData\Roaming\ssucvgh)
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1520
Network
MITRE ATT&CK Enterprise v15