Analysis
max time kernel: 30s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-02-2024 05:07
Static task: static1
Behavioral task: behavioral1
Sample: 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
Resource: win7-20240221-en
General
Target: 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
Size: 253KB
MD5: c725af162ad3190c0b65770fb08fbe23
SHA1: 521eae0390bef9140f9a6e896066515ca7a98c5d
SHA256: 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee
SHA512: 6fe7edc75ee4d52ace5450a211362808a4c24a41ae67d1e74dabd3adc687349dba35743acc4cd96e37c1d2701f03c6511a1127773f0aeb480f7025556bb3e59e
SSDEEP: 3072:yLsGBVVoWaf88khIqzHdWu7zCJDBfukHimJ3a1XMu5Q2e45KaHTz:UdebOLo6+JDNukHbJ3+k2YqT
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 2 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2700-82-0x0000000000400000-0x0000000002D8C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2700-97-0x0000000000400000-0x0000000002D8C000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
-
UPX dump on OEP (original entry point) 35 IoCs
Processes:
resource  yara_rule
behavioral1/memory/2724-24-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-27-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-28-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-29-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-30-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-31-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-95-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-103-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-105-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-109-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-112-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-113-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-114-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-115-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-117-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-119-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-124-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-127-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-130-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-131-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-128-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-126-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-134-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-136-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-139-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-140-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-138-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-137-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-135-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-125-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-122-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-121-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-120-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-118-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
behavioral1/memory/2724-116-0x0000000000400000-0x0000000000848000-memory.dmp  UPX
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
Processes:
pid  process
1204
-
Executes dropped EXE 3 IoCs
Processes:
pid  process
2560  692F.exe
2724  692F.exe
2448  81B0.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid  process
2560  692F.exe
2352  regsvr32.exe
2120  WerFault.exe
2120  WerFault.exe
-
Processes:
resource  yara_rule
behavioral1/memory/2724-24-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-27-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-28-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-29-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-30-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-31-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-95-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-103-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-105-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-109-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-112-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-113-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-114-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-115-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-117-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-119-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-124-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-127-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-130-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-131-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-128-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-126-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-134-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-136-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-139-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-140-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-138-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-137-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-135-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-125-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-122-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-121-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-120-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-118-0x0000000000400000-0x0000000000848000-memory.dmp  upx
behavioral1/memory/2724-116-0x0000000000400000-0x0000000000848000-memory.dmp  upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""  692F.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 2560 set thread context of 2724  2560  692F.exe  692F.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
pid  pid_target  process  target process
2120  2448  WerFault.exe  81B0.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
1228  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
1228  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
1204  (no process name recorded; this row is repeated 62 times in the report)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
1228  98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
description  pid  process  target process
PID 1204 wrote to memory of 2560  1204  (none recorded)  692F.exe  (4 entries)
PID 2560 wrote to memory of 2724  2560  692F.exe  692F.exe  (9 entries)
PID 1204 wrote to memory of 2472  1204  (none recorded)  regsvr32.exe  (5 entries)
PID 2472 wrote to memory of 2352  2472  regsvr32.exe  regsvr32.exe  (7 entries)
PID 1204 wrote to memory of 2448  1204  (none recorded)  81B0.exe  (4 entries)
PID 2448 wrote to memory of 2120  2448  81B0.exe  WerFault.exe  (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe"
  PID: 1228
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\692F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\692F.exe
  PID: 2560
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\692F.exe (child process)
      Command line: C:\Users\Admin\AppData\Local\Temp\692F.exe
      PID: 2724
      - Executes dropped EXE
      - Adds Run key to start application
-
C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F76.dll
  PID: 2472
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (child process)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\6F76.dll
      PID: 2352
      - Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\81B0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\81B0.exe
  PID: 2448
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe (child process)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 124
      PID: 2120
      - Loads dropped DLL
      - Program crash
-
C:\Users\Admin\AppData\Local\Temp\898D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\898D.exe
  PID: 2700
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1.9MB
MD5: ed51aa2e212f72811969b0db8682131f
SHA1: 9d23b08bc651d9f70e28174c0544b8aa92cadd4c
SHA256: 68b03db481dde019b05d6c107fb796a29ae112b6872969ffba777617b4fbc396
SHA512: 5ba07ad7db42971467f18d384679cae8056a92fc81991bb427cab45087f29b7d552216d672f3c6bb3a0d551cf9681783c43e0acb9a386f175ab379944c9b334a
-
Filesize: 1.2MB
MD5: 984e2050d12aaea6ea0512e832caf09c
SHA1: b17f8ab9cc533dbba34bbc16fd6ff9de9105b172
SHA256: bd81b032b9c18e6886bc94f90da98ea6e35683cc8186824d8ea7f0f080478530
SHA512: 6d2d8a0751cf6180ffd6dd6371fbf3b8093d39dbd8e46a043afc928c4bb53b51ac8e9f082d461626410aeadf36e929b7eef35172b3eb9616dcb7d8054dbaf531
-
Filesize: 1.4MB
MD5: 6f6acad159c227395d99e3e777afe1bf
SHA1: c50b629119f2a842f5926d1be2886a502bdae0f9
SHA256: 9c69bc44be42ab3766f48caf1de6b7ef8ee6849453e08af589b5879d8421ff08
SHA512: bdc7dfa1c78f11d66ce49ababb5f61e78514a8b7cfd4a0e0859d628d3ac92f8887a4b73eb80e99a9b75eb4e06b64455dcae05f47f0afc58a17a050af45b5dc67
-
Filesize: 1.5MB
MD5: 359cb18b9b67dc44321d9c484c2710c9
SHA1: 3ffb07be9134cd76695325399efdc50630b507c9
SHA256: 5b3a3bb023581294b0122b707cb88639859a1e6d3a20abded74d5e9881341adc
SHA512: 682d6e616251db541bec2cc6f4c4c8fa69969e0eb8fb30d0456f39b2ddc8a174e21336a2bcd9f331c5f8c428a7768739f2ab8426dff0befc079bec8f0d4cbe29
-
Filesize: 65KB
MD5: 1cc2b5d0c9ea714d9778caaf467f02ff
SHA1: 9d2533c822fae993be0b9960dfdd29f61f245689
SHA256: 1ecf64c2cb78ef255613e1c8a39542ce156e3af4f98bfc76c0cf29f1ac1abf37
SHA512: f8e070e8ee73eb0a0d5534cd8fb9e822d64d5fa64fad35f24e5e573ca5be3930f2e426d9f28251c370de5b03c575d982a1f9b1a40009422fcae1eff1fb77b70b
-
Filesize: 1.8MB
MD5: 147f5f5bbc80b2ad753993e15f3f32c2
SHA1: 16d73b4abeef12cf76414338901eb7bbef46775f
SHA256: 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
SHA512: 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6
-
Filesize: 1.9MB
MD5: a6e4c2197232278046c741c6128c72a2
SHA1: 600e1a6bb0bbf69e3b4533a5f8d8de9a53abc615
SHA256: c0d213f77d33b057da5fbfaa1847ecfd63a6284ff5a54a44157ae2379abf76e1
SHA512: 4e874dddaad2ea9c7c5b12d25c205464d35e60e7a5ddcc8eacef63db852312053c1ec048fbe43e19d87f5de7c7b0cfe9e436638904fe840e265ea3b3cdaa3010
-
Filesize: 3.4MB
MD5: 8bf81aa03a788ed190e0e607425d0329
SHA1: be7ebc1dce27f2579ed86715dfa1783937d5b671
SHA256: 655f549e5bf785a06fcd9d20531f00fa3253f1049b4cd2a119ae67974d2cac37
SHA512: e1af6ad59a121db2a3b5a2632cb402fa6a1e47f8e6bdb479e70f5085c4ac181fc724146a5fe09796f82f584e25183f793b19a0cb6fdfedb213ca3d7d67b9af54
-
Filesize: 3.1MB
MD5: 6cc5e43d43a4f816dab267f271d508e7
SHA1: 1d4c9c1a4a371158afd6e0a3dbc61c8977a8184f
SHA256: 89c6ae2f975f341e966d07b25b9a68db044c9f3da30bdc2040522ff4babd499b
SHA512: 45f370fcb6a3b1c05f1afda3497065e70a8fc32a657ab189607bd0779190ed383f2dc81ce814ed1eed9d49ffebe7d31947b8a3028e6ba3f109eab8103bedb6b6
-
Filesize: 560KB
MD5: e6dd149f484e5dd78f545b026f4a1691
SHA1: 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256: 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512: 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize: 64KB
MD5: 3a94f99f05c2343e9c0351c607eae248
SHA1: 658b44f0b2ad93669154b9d4cd7c250a996f6bb0
SHA256: 933e7f4447169bb8960d8d8af29420c18871dce491510d24a02ff86e4eb43dd1
SHA512: 8b7c6b90f06df586fed0cb6ab2eaad128357c0bbbdfab61957cefa1a18041ade62d5a6d07d4dec51e4be5ec26a593546e11740555d14e869835ee04fda78b1d0
-
Filesize: 1.6MB
MD5: e1837116bb692143a9d0f627f9ef5f32
SHA1: 5d9773739c2e8fdf8003a88fc8870068ad3d9d6a
SHA256: 34f77d0a1abec4911f4a32a5b390181ca0b840edeea4eaf43a15a73324527ca7
SHA512: c16213503795772cca05fa621476e40d8a4592f458337022b4bdf34cb7f8adde627ac763663010fcb83344effc192200e63c415a191372ca53898afd7e0b21fe
-
Filesize: 2.2MB
MD5: 44734c50fd10beb552a9fdf11c952801
SHA1: 56b57818d8dcec39be34de5423f1d69855bfc588
SHA256: dc989a510bed23c78295680ebc68aec334ac95a760591de31dfd2d0edd37be6d
SHA512: e213acf8bffc2eed6f2d1c2b8fb310f3df5d05137957e00cb9bdec453242a4e90e0ff8b3560be587b592a4662cc98b7b8f8f6f885f5575c13652121a298a4e39
-
Filesize: 2.3MB
MD5: 7380983b85caff05cb70683d9aed46f4
SHA1: 53fef1ba72de6e7f139f17b12a41cec7c81635ed
SHA256: 9abacdd49ab8f8b12ee9165c73307947532ed155565fd436026c9c14fd3ea3cd
SHA512: b6a2de423203aee43640a1383a9eca0b0541c30850ea1365e562954b7db72cb6ab6d7df3df17a4191fef70d988dcf7e9314030c72700037193a071f205d26db5
-
Filesize: 1.9MB
MD5: 1345d94a03d17599a3fc39776ece28b0
SHA1: 5d878eecbe2017deb757c9e22b1726aa53ec61c7
SHA256: caeea162992f298eeb25830241b72eeaf704418142102d194686f8a188c55e50
SHA512: 66147e8942816525269b4a7bbddc37fd00ebce289cfa500e5f64d4396da27245fae549f647be2220d7cbd72665721f08bb9cbb18d0d9e72a2f41249f033b1ecc