Resubmissions

10-04-2024 03:08

240410-dmyp7afg6z 10

10-04-2024 03:08

240410-dmwktsce27 10

10-04-2024 03:08

240410-dmv93ace26 10

10-04-2024 03:08

240410-dmvnjafg6v 10

25-02-2024 05:02

240225-fpkmfsch6t 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-02-2024 05:02

General

  • Target

    66cab13aed3126ab1755e139bf5c2a9c7782dfd36ebeb7078045b5ec107dc4a3.exe

  • Size

    253KB

  • MD5

    74b0cc79808464e9946c8fb16d430173

  • SHA1

    1de066f1a9196d57221970199e814b6f1bc81465

  • SHA256

    66cab13aed3126ab1755e139bf5c2a9c7782dfd36ebeb7078045b5ec107dc4a3

  • SHA512

    dddd2b0aab694a236beaaa36d34e344c239e8d4e776c0b80b96d26188cc9051fb78dcbb2a20f6fd780601774827b3906621d437d9c457d38a2af338d80bb9c6c

  • SSDEEP

    3072:ylObaRVtZ5HNtWb1eikps2axEZ40kYT6rWwFdyXMnC5zuSzuATz:kO2tZhNtutkp5Z40kG6rWwSLkAT

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
  • UPX dump on OEP (original entry point) 29 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\66cab13aed3126ab1755e139bf5c2a9c7782dfd36ebeb7078045b5ec107dc4a3.exe
    "C:\Users\Admin\AppData\Local\Temp\66cab13aed3126ab1755e139bf5c2a9c7782dfd36ebeb7078045b5ec107dc4a3.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1960
  • C:\Users\Admin\AppData\Local\Temp\7964.exe
    C:\Users\Admin\AppData\Local\Temp\7964.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2588
    • C:\Users\Admin\AppData\Local\Temp\7964.exe
      C:\Users\Admin\AppData\Local\Temp\7964.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2660
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\83E0.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\83E0.dll
      2⤵
      • Loads dropped DLL
      PID:2576
  • C:\Users\Admin\AppData\Local\Temp\9011.exe
    C:\Users\Admin\AppData\Local\Temp\9011.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 124
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1556
  • C:\Users\Admin\AppData\Local\Temp\94B4.exe
    C:\Users\Admin\AppData\Local\Temp\94B4.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:2060
  • C:\Users\Admin\AppData\Local\Temp\13A4.exe
    C:\Users\Admin\AppData\Local\Temp\13A4.exe
    1⤵
    • Executes dropped EXE
    PID:612
  • C:\Users\Admin\AppData\Local\Temp\A1FF.exe
    C:\Users\Admin\AppData\Local\Temp\A1FF.exe
    1⤵
    • Executes dropped EXE
    PID:1944
  • C:\Users\Admin\AppData\Local\Temp\9E6.exe
    C:\Users\Admin\AppData\Local\Temp\9E6.exe
    1⤵
    • Executes dropped EXE
    PID:2948
  • C:\Users\Admin\AppData\Local\Temp\52F8.exe
    C:\Users\Admin\AppData\Local\Temp\52F8.exe
    1⤵
      PID:2932

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\13A4.exe

      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

      Filesize

      2.6MB

      MD5

      101360b70d900277b1b8a1f08f4b1c48

      SHA1

      56e6ef73af3b7a161fe793db26df71784933706a

      SHA256

      5d5d1d2456e4d9b2d1364dfe298b77d11421d0427829749fbdb2d50aebecf387

      SHA512

      fc9c535513d1b3ee82ad219bff235936bec1a9b513bc9e1745762337670dcae96dc9c3d7107df092616ce7ec339f1b008e20100eaf5f30611652fc0c14a75b2d

    • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

      Filesize

      704KB

      MD5

      4202ba85188d7d3de2aceaf6946e9cbc

      SHA1

      3384efbe793ceee5db864a79799f72edbe8b2227

      SHA256

      91976614c518436dc5ec512af78bbe6a661a1e07ec9ffcca90b4f8ec336d0735

      SHA512

      e9a165e01099c6367a12be24b5ffec5a3ac80f44751dad5be2f7c020322f1d3c0e9288c21594963cec88ee12ad5435feca9aa6c394478186ff5f81723a6dbe5c

    • C:\Users\Admin\AppData\Local\Temp\7964.exe

      Filesize

      1.1MB

      MD5

      0c115f8bfa52df41bf55979e615fc9dc

      SHA1

      bab9e8ed03ada856024161c1455d2d188f82b507

      SHA256

      4e73110e33be1ae421aa3574b54826095efdc1000d15dd270e8204490b77e4c9

      SHA512

      51593bb257374b7258682775bba62e681ecaf6a1fb8255bcd1a00643a24f6520b055e2094549cb07596d845540c6c9e6387e6c9b6cdd36feacbd0fef4f762a5c

    • C:\Users\Admin\AppData\Local\Temp\7964.exe

      Filesize

      1.3MB

      MD5

      b2fdceb3b4d53dab1f616ff2edaab2e5

      SHA1

      34cee87e40076f6cc103b54909274b2979d95c3a

      SHA256

      c282bf5d083bed9ea61133daf494f5bdaa15338c259fbe1189f2cd42e6ddeef8

      SHA512

      bc4a775ba9609c8d028d269cd55960bcf4cbffc4489773a3c8ad7491fa3a2546a9b7ff537cd23f1199792444d234ade1c83b171a2486c6691c8036c50ea89c2b

    • C:\Users\Admin\AppData\Local\Temp\7964.exe

      Filesize

      1.8MB

      MD5

      147f5f5bbc80b2ad753993e15f3f32c2

      SHA1

      16d73b4abeef12cf76414338901eb7bbef46775f

      SHA256

      40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990

      SHA512

      9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

    • C:\Users\Admin\AppData\Local\Temp\83E0.dll

      Filesize

      1.5MB

      MD5

      7f341437d787033f6b2e746037413de6

      SHA1

      3c41114a7782cabc996183faae3c8be2fad4613b

      SHA256

      de3307883a72f85e2f2caaa0a5dfa0e76f08136bfa7e2daf78e4b15cce4d0860

      SHA512

      8ab0900bd5ed08a01fd997e8b8a106ba3d553081508d3c29f3f47965e538af4c8aee5af09cd1622ecf43da677136165b8a6b266fd574c1353de28d97f4dd5ee4

    • C:\Users\Admin\AppData\Local\Temp\9011.exe

      Filesize

      3.3MB

      MD5

      837c618c7cbbe1a6e0dd9abf561641f7

      SHA1

      6a946bc8320cb78b5208f3669a26cec5a097dc56

      SHA256

      76d8a3f96b4a49afb8097b79962e71cf8915c2a1afd5bf41ee5eba6feb3fb02e

      SHA512

      81cddf99feb6f78248b6d9a502b7f19eb8d51c7064a4582895b728b1e52a1e07d42154953c7f3c25c1c351ada15f20ebc7b577ef051d89901670d06f7918cbc5

    • C:\Users\Admin\AppData\Local\Temp\9011.exe

      Filesize

      2.7MB

      MD5

      a47f852ec1363ba368d10d82d48086b7

      SHA1

      d39992b105554e54960331d23487c61e48b5436a

      SHA256

      b1039f60690875488a72bf9ad09c5839bebee60543d0c114f48b21c7664942ea

      SHA512

      df12746fd1d060b0eeb2c821185e14485b7758d41e4ea88223a938ea97cfd12f9cc28f6a7a27a3b96e0864bbf2218b7d68b56de557ec6ea4a800fce1a881c792

    • C:\Users\Admin\AppData\Local\Temp\94B4.exe

      Filesize

      560KB

      MD5

      e6dd149f484e5dd78f545b026f4a1691

      SHA1

      3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6

      SHA256

      11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7

      SHA512

      0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

    • C:\Users\Admin\AppData\Local\Temp\9E6.exe

      Filesize

      4.2MB

      MD5

      11eb0a10f78be46588571972a4c74a2e

      SHA1

      d72959bb548e3051b97e0f13643ee4ac47604624

      SHA256

      92842e4ce17c59ca055bf2399a15f31c2b238cb086d2159ea240febe939714ed

      SHA512

      4a9ff65cb7f21653911293429f7a42cb8a38a0e2ca0567e2b6f53b5707603bdc76d7cfec8b987cd73ce8c5f525f404861bb21620d6d01c97b0d797b880d9cb83

    • C:\Users\Admin\AppData\Local\Temp\A1FF.exe

      Filesize

      253KB

      MD5

      3893d9674f9791363d8f92edae4427a7

      SHA1

      93603d9de7c259c8437f320f032ba171be67e200

      SHA256

      ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce

      SHA512

      9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6

    • \Users\Admin\AppData\Local\Temp\83E0.dll

      Filesize

      64KB

      MD5

      783a0d04fa675e3ac921fc4db25e73f0

      SHA1

      7c44c426dbfeb53335d931c91d8e524ac155424b

      SHA256

      09da77eec8a7f70c6db57b0ce71e08e38031e9813ae6ca0ad45f5ddb7e866d61

      SHA512

      49a621e18a4db532259ee35728ce0b902b90a3a442e79718b792907cbdf01d6826b0892ca508cf06bbf9bcd03331fe0cb9c7a7a64ce1a442d20809efd422301d
