Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-02-2024 23:58

General

  • Target

    636c32103ef487d1c30df530296f014b.exe

  • Size

    163KB

  • MD5

    636c32103ef487d1c30df530296f014b

  • SHA1

    f280007f3c78b0823d8978bec1c1cdf792bf5fc6

  • SHA256

    c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd

  • SHA512

    2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604

  • SSDEEP

    3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 10 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe
    "C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1224
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {79E392AD-AE70-4C10-AEBF-79861FECD7F1} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Roaming\fwrcgsb
      C:\Users\Admin\AppData\Roaming\fwrcgsb
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2596
  • C:\Users\Admin\AppData\Local\Temp\8150.exe
    C:\Users\Admin\AppData\Local\Temp\8150.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 124
      2⤵
      • Loads dropped DLL
      • Program crash
      PID:1932
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F825.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\F825.dll
      2⤵
      • Loads dropped DLL
      PID:2716
  • C:\Users\Admin\AppData\Local\Temp\4397.exe
    C:\Users\Admin\AppData\Local\Temp\4397.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\4397.exe
      C:\Users\Admin\AppData\Local\Temp\4397.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1388
  • C:\Users\Admin\AppData\Local\Temp\5380.exe
    C:\Users\Admin\AppData\Local\Temp\5380.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:2220
  • C:\Users\Admin\AppData\Local\Temp\7B0D.exe
    C:\Users\Admin\AppData\Local\Temp\7B0D.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp" /SL5="$301C0,2424585,54272,C:\Users\Admin\AppData\Local\Temp\7B0D.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1496

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4397.exe

    Filesize

    704KB

    MD5

    1df9c98963f3d20b3f3f5db8152e3052

    SHA1

    c8203e4dee088a27c97cb3e334c1dd9aafdd0786

    SHA256

    cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f

    SHA512

    bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60

  • C:\Users\Admin\AppData\Local\Temp\4397.exe

    Filesize

    640KB

    MD5

    668e25ec4a41c6a6fc11252eaf870560

    SHA1

    0bcbb44fd3e47037fc012f336d46736cd76e2557

    SHA256

    5b5254a1a358a59669ff5e5a9dc662887ff8ef078bc2790378670e1708a72317

    SHA512

    c60282db85e592ce5a40c67ed1a3cf6cbe64454639b76ce976d6c9f7467565357a5a8018446da7b1635a2d5fa069b017beac8be015fd0c10979ac66173cb87f6

  • C:\Users\Admin\AppData\Local\Temp\4397.exe

    Filesize

    1.4MB

    MD5

    057d4899785c88a4b96a30efac0a7f10

    SHA1

    2304be75b31060360a246617e18a147febbcd080

    SHA256

    66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4

    SHA512

    240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574

  • C:\Users\Admin\AppData\Local\Temp\4397.exe

    Filesize

    1.9MB

    MD5

    398ab69b1cdc624298fbc00526ea8aca

    SHA1

    b2c76463ae08bb3a08accfcbf609ec4c2a9c0821

    SHA256

    ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be

    SHA512

    3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

  • C:\Users\Admin\AppData\Local\Temp\5380.exe

    Filesize

    320KB

    MD5

    ed9730742925437660eea83dd42d4044

    SHA1

    f53fecf5b09f2b7b145dfb1cad4afc28b6994d8c

    SHA256

    62f6c635aba6b56d89e711030bd6f50b763ffd8396f5ddac0d9fdcf354afcb82

    SHA512

    dac98e135e64c15161e8836e5ab775604373ea72954b74a975d4f4c750a41a3a039d4ef1ecc6451a8f97c3a2e2d114105e2fefd59b49f64d021b730de79d1901

  • C:\Users\Admin\AppData\Local\Temp\7B0D.exe

    Filesize

    2.5MB

    MD5

    7b96170ca36e7650b9d3a075126b8622

    SHA1

    311068f2f6282577513123b9181283ffb01d55ce

    SHA256

    e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6

    SHA512

    e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd

  • C:\Users\Admin\AppData\Local\Temp\7B0D.exe

    Filesize

    1.3MB

    MD5

    b30b3e3495c0b2a9895357d9b068d4b8

    SHA1

    15ab836b28afe996124efe386a0d56ad2aa479e6

    SHA256

    3e5706a4dc08b66f67e452129e6f67d9d004a75b0f3ba2ccd2552a0bb657c07b

    SHA512

    83e87fa3ecc9ece2701ffe45b8b7a677aa5e56ff7ee053f7697bbaec247748b3ed7540f046b5574414c951716f9e0a1ec5f6452978e28c3337f36efbe4429b57

  • C:\Users\Admin\AppData\Local\Temp\8150.exe

    Filesize

    4.4MB

    MD5

    77d6b6264a2bbc1764c3c6bb45cc4c82

    SHA1

    d4861fb655582a9bd96e9c83a6ce4b5c14bb290c

    SHA256

    e297384a9e41adeb15aa416eded4aa2401318895aa23f33b1ec42000b119c503

    SHA512

    ef414be344417cd7a4853b599cdbc6172b9b59b5dbbfe4da1b04640a39df76c3c9bfdcfa4e9cc7c366761b5c4acea7d083089009a7026d23a34754251e2823e0

  • C:\Users\Admin\AppData\Local\Temp\8150.exe

    Filesize

    5.0MB

    MD5

    0904e849f8483792ef67991619ece915

    SHA1

    58d04535efa58effb3c5ed53a2462aa96d676b79

    SHA256

    fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef

    SHA512

    258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

  • C:\Users\Admin\AppData\Local\Temp\F825.dll

    Filesize

    2.0MB

    MD5

    7aecbe510817ee9636a5bcbff0ee5fdd

    SHA1

    6a3f27f7789ccf1b19c948774d84c865a9ac6825

    SHA256

    b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac

    SHA512

    a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

  • C:\Users\Admin\AppData\Roaming\fwrcgsb

    Filesize

    163KB

    MD5

    636c32103ef487d1c30df530296f014b

    SHA1

    f280007f3c78b0823d8978bec1c1cdf792bf5fc6

    SHA256

    c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd

    SHA512

    2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604

  • \Users\Admin\AppData\Local\Temp\4397.exe

    Filesize

    384KB

    MD5

    4b786fa564f50a06a6e84d8fc46f9cb7

    SHA1

    d675403cf65f70494413e2e08c128adca2d8e8cf

    SHA256

    46ded921f0e11a4834ea7e6e66867e3a1a56d3a480bb9cf1aa3244871dd81c5c

    SHA512

    58a1532f8f28a4e36bad9d2d9324ac825f18e20629173fc3febeae70384279ee4337a0633d7583d2cecdd0ea972315d2bb3cb537666b510f587c1217dc5ad4ae

  • \Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp

    Filesize

    689KB

    MD5

    951ac648539bfaa0f113db5e0406de5b

    SHA1

    1b42de9ef8aaf1740de90871c5fc16963a842f43

    SHA256

    bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe

    SHA512

    795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

  • \Users\Admin\AppData\Local\Temp\is-FE3A0.tmp\_isetup\_iscrypt.dll

    Filesize

    2KB

    MD5

    a69559718ab506675e907fe49deb71e9

    SHA1

    bc8f404ffdb1960b50c12ff9413c893b56f2e36f

    SHA256

    2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

    SHA512

    e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

  • \Users\Admin\AppData\Local\Temp\is-FE3A0.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/1128-121-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1128-98-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1188-16-0x0000000002A30000-0x0000000002A46000-memory.dmp

    Filesize

    88KB

  • memory/1188-4-0x0000000001DB0000-0x0000000001DC6000-memory.dmp

    Filesize

    88KB

  • memory/1224-1-0x0000000002490000-0x0000000002590000-memory.dmp

    Filesize

    1024KB

  • memory/1224-5-0x0000000000400000-0x00000000022D1000-memory.dmp

    Filesize

    30.8MB

  • memory/1224-3-0x0000000000400000-0x00000000022D1000-memory.dmp

    Filesize

    30.8MB

  • memory/1224-2-0x0000000000220000-0x000000000022B000-memory.dmp

    Filesize

    44KB

  • memory/1388-75-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1388-74-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1388-122-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

    Filesize

    1.1MB

  • memory/1388-109-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

    Filesize

    1.1MB

  • memory/1388-104-0x0000000002AD0000-0x0000000002BDE000-memory.dmp

    Filesize

    1.1MB

  • memory/1388-93-0x00000000029A0000-0x0000000002AC9000-memory.dmp

    Filesize

    1.2MB

  • memory/1388-77-0x0000000000270000-0x0000000000276000-memory.dmp

    Filesize

    24KB

  • memory/1388-73-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1388-71-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1388-67-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1388-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1388-65-0x0000000000400000-0x0000000000848000-memory.dmp

    Filesize

    4.3MB

  • memory/1496-123-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

  • memory/1964-33-0x0000000077AC0000-0x0000000077AC1000-memory.dmp

    Filesize

    4KB

  • memory/1964-39-0x0000000000230000-0x0000000000ADF000-memory.dmp

    Filesize

    8.7MB

  • memory/1964-29-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/1964-27-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/1964-25-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/1964-34-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/1964-31-0x0000000000230000-0x0000000000ADF000-memory.dmp

    Filesize

    8.7MB

  • memory/2220-89-0x0000000000300000-0x000000000036B000-memory.dmp

    Filesize

    428KB

  • memory/2220-99-0x0000000000400000-0x0000000002D8C000-memory.dmp

    Filesize

    41.5MB

  • memory/2220-90-0x0000000000400000-0x0000000002D8C000-memory.dmp

    Filesize

    41.5MB

  • memory/2220-87-0x0000000002E60000-0x0000000002F60000-memory.dmp

    Filesize

    1024KB

  • memory/2596-14-0x0000000002460000-0x0000000002560000-memory.dmp

    Filesize

    1024KB

  • memory/2596-17-0x0000000000400000-0x00000000022D1000-memory.dmp

    Filesize

    30.8MB

  • memory/2596-15-0x0000000000400000-0x00000000022D1000-memory.dmp

    Filesize

    30.8MB

  • memory/2716-43-0x0000000000100000-0x0000000000106000-memory.dmp

    Filesize

    24KB

  • memory/2716-61-0x0000000002320000-0x000000000242E000-memory.dmp

    Filesize

    1.1MB

  • memory/2716-56-0x0000000002320000-0x000000000242E000-memory.dmp

    Filesize

    1.1MB

  • memory/2716-72-0x0000000002320000-0x000000000242E000-memory.dmp

    Filesize

    1.1MB

  • memory/2716-44-0x0000000010000000-0x000000001020A000-memory.dmp

    Filesize

    2.0MB

  • memory/2716-69-0x0000000010000000-0x000000001020A000-memory.dmp

    Filesize

    2.0MB

  • memory/2716-47-0x00000000021F0000-0x0000000002319000-memory.dmp

    Filesize

    1.2MB

  • memory/2716-48-0x0000000002320000-0x000000000242E000-memory.dmp

    Filesize

    1.1MB

  • memory/2824-60-0x0000000003530000-0x00000000036E8000-memory.dmp

    Filesize

    1.7MB

  • memory/2824-55-0x0000000003530000-0x00000000036E8000-memory.dmp

    Filesize

    1.7MB

  • memory/2824-68-0x0000000003530000-0x00000000036E8000-memory.dmp

    Filesize

    1.7MB

  • memory/2824-63-0x00000000036F0000-0x00000000038A7000-memory.dmp

    Filesize

    1.7MB