Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-02-2024 23:58
Static task: static1
Behavioral task: behavioral1
- Sample: 636c32103ef487d1c30df530296f014b.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 636c32103ef487d1c30df530296f014b.exe
- Resource: win10v2004-20240226-en
General
- Target: 636c32103ef487d1c30df530296f014b.exe
- Size: 163KB
- MD5: 636c32103ef487d1c30df530296f014b
- SHA1: f280007f3c78b0823d8978bec1c1cdf792bf5fc6
- SHA256: c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
- SHA512: 2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
- SSDEEP: 3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2:
  http://selebration17io.io/index.php
  http://vacantion18ffeu.cc/index.php
  http://valarioulinity1.net/index.php
  http://buriatiarutuhuob.net/index.php
  http://cassiosssionunu.me/index.php
  http://sulugilioiu19.net/index.php
  http://goodfooggooftool.net/index.php
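The seven C2 URLs above are the actionable network indicators from this run. The following is an added example, not part of the sandbox report: it normalises the extracted URLs into hostnames and beacon paths and sweeps log lines for them, scoring an HTTP request to the exact /index.php path above a bare DNS lookup. The DNS and proxy log formats, and the log lines themselves, are constructed for illustration and are not taken from the run.

```python
"""Turn the extracted SmokeLoader C2 URLs into network indicators and sweep
sample DNS and proxy log lines for them.

Added example for this report, not sandbox output. SAMPLE_LOGS and the two
log formats handled by sweep() are constructed assumptions."""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's config (Malware Config above).
C2_URLS = [
    "http://selebration17io.io/index.php",
    "http://vacantion18ffeu.cc/index.php",
    "http://valarioulinity1.net/index.php",
    "http://buriatiarutuhuob.net/index.php",
    "http://cassiosssionunu.me/index.php",
    "http://sulugilioiu19.net/index.php",
    "http://goodfooggooftool.net/index.php",
]


def c2_indicators(urls):
    """Return (hosts, paths): lowercase hostnames for DNS/proxy matching and
    (host, path) pairs so a hit on the exact beacon path can be scored higher
    than a lookup of the host alone."""
    hosts, paths = set(), set()
    for u in urls:
        parts = urlsplit(u)
        host = parts.hostname.lower()
        hosts.add(host)
        paths.add((host, parts.path or "/"))
    return hosts, paths


def _host_matches(name, hosts):
    """Exact match, or a subdomain of a known C2 host (e.g. www.<c2 host>)."""
    name = name.lower().rstrip(".")
    return name in hosts or any(name.endswith("." + h) for h in hosts)


def sweep(lines, urls=C2_URLS):
    """Scan log lines and return a list of (severity, line) hits.

    Two assumed line formats are handled:
      DNS:   '<ts> <client> query <qname> <qtype>'
      PROXY: '<ts> <client> <method> <url> <status>'
    """
    hosts, paths = c2_indicators(urls)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "query":
            if _host_matches(fields[3], hosts):
                hits.append(("dns-lookup", line))
        elif len(fields) >= 5 and fields[3].startswith(("http://", "https://")):
            parts = urlsplit(fields[3])
            host = (parts.hostname or "").lower()
            if not _host_matches(host, hosts):
                continue
            # A request to the configured path is the strongest signal.
            sev = "c2-beacon" if (host, parts.path or "/") in paths else "c2-host"
            hits.append((sev, line))
    return hits


# Constructed sample logs (not captured from the sandbox run).
SAMPLE_LOGS = [
    "2024-02-27T00:01:02Z 10.0.0.5 query selebration17io.io A",
    "2024-02-27T00:01:02Z 10.0.0.5 query www.example.com A",
    "2024-02-27T00:01:03Z 10.0.0.5 POST http://selebration17io.io/index.php 200",
    "2024-02-27T00:01:09Z 10.0.0.5 GET http://vacantion18ffeu.cc/static/x.png 404",
    "2024-02-27T00:01:10Z 10.0.0.7 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    for sev, line in sweep(SAMPLE_LOGS):
        print(sev, "|", line)
```

Matching on the hostname rather than the full URL is deliberate: the loader can change the path or query string between versions, while the domains in the config are what the operator has to keep registered. Feed real DNS and proxy exports through sweep() after adjusting the two format branches to the field order of the source.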
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Deletes itself (1 IoC)
  Processes: PID 1188 (its image name is not recorded anywhere in this report)
- Executes dropped EXE (7 IoCs)
  Processes (PID, process):
    2596 fwrcgsb
    1964 8150.exe
    2824 4397.exe
    1388 4397.exe
    2220 5380.exe
    1128 7B0D.exe
    1496 7B0D.tmp
- Loads dropped DLL (10 IoCs)
  Processes (PID, process, count):
    1932 WerFault.exe (3)
    2716 regsvr32.exe (1)
    2824 4397.exe (1)
    1388 4397.exe (1)
    1128 7B0D.exe (1)
    1496 7B0D.tmp (3)
- UPX-packed memory region (yara rule: upx, 6 IoCs)
  Resources, all memory dumps of PID 1388 (the second 4397.exe instance) covering 0x0000000000400000-0x0000000000848000:
    behavioral1/memory/1388-65-0x0000000000400000-0x0000000000848000-memory.dmp
    behavioral1/memory/1388-67-0x0000000000400000-0x0000000000848000-memory.dmp
    behavioral1/memory/1388-71-0x0000000000400000-0x0000000000848000-memory.dmp
    behavioral1/memory/1388-73-0x0000000000400000-0x0000000000848000-memory.dmp
    behavioral1/memory/1388-74-0x0000000000400000-0x0000000000848000-memory.dmp
    behavioral1/memory/1388-75-0x0000000000400000-0x0000000000848000-memory.dmp
  PID 1388 is also the target of the WriteProcessMemory and SetThreadContext calls from PID 2824 listed below, which is consistent with process hollowing: the UPX-packed image at the default image base of the second 4397.exe instance is the payload written into it.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 5380.exe opened \??\PHYSICALDRIVE0 for modification
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2824 (4397.exe) set thread context of PID 1388 (4397.exe)
- Program crash (1 IoC)
  Processes: 1932 WerFault.exe handling the crash of 1964 8150.exe
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    fwrcgsb: key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    636c32103ef487d1c30df530296f014b.exe: key opened, queried and enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 1224 636c32103ef487d1c30df530296f014b.exe (2); PID 1188 (62)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 1224 636c32103ef487d1c30df530296f014b.exe; 2596 fwrcgsb
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: PID 1188 adjusted token privilege SeShutdownPrivilege (3)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: PID 1188 (2)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: PID 1188 (2)
- Suspicious use of WriteProcessMemory (55 IoCs)
  Processes (source PID/process -> target PID/process, count):
    1900 taskeng.exe -> 2596 fwrcgsb (4)
    1188 -> 1964 8150.exe (4)
    1964 8150.exe -> 1932 WerFault.exe (4)
    1188 -> 576 regsvr32.exe (5)
    576 regsvr32.exe -> 2716 regsvr32.exe (7)
    1188 -> 2824 4397.exe (4)
    2824 4397.exe -> 1388 4397.exe (9)
    1188 -> 2220 5380.exe (4)
    1188 -> 1128 7B0D.exe (7)
    1128 7B0D.exe -> 1496 7B0D.tmp (7)
  Most of these edges are a parent writing into a child it has just created, which CreateProcess does on its own (taskeng.exe -> fwrcgsb, 8150.exe -> WerFault.exe, 64-bit regsvr32.exe -> 32-bit regsvr32.exe, 7B0D.exe -> its Inno Setup .tmp stub). The unnamed PID 1188 is the source for every dropped payload (8150.exe, regsvr32.exe with F825.dll, 4397.exe, 5380.exe, 7B0D.exe) and is also the process that deletes itself, enumerates processes and adjusts SeShutdownPrivilege. The one edge to treat as injection rather than process creation is 2824 4397.exe -> 1388 4397.exe: nine writes into a second instance of its own image, combined with the SetThreadContext call above, is the process hollowing sequence.
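A process opening \??\PHYSICALDRIVE0 for modification, as 5380.exe does above, is the point at which a responder should compare the live MBR against a known-good copy rather than trust the signature alone. The following is an added example for this report, not sandbox tooling: it parses a 512-byte MBR, extracts the partition table and a hash of the boot code, and diffs two sectors. Both sectors below are constructed with placeholder boot code, and read_mbr() is a helper whose default device path is an assumption that needs administrator rights on a live Windows host.

```python
"""Parse and diff a 512-byte Master Boot Record.

Added example for this report, not sandbox tooling. BASELINE and TAMPERED
are constructed sectors with placeholder boot code."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code the BIOS jumps into
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
BOOT_SIG_OFF = 510         # last two bytes must be 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_FMT = "<B3xB3xII"


def has_boot_signature(sector):
    return len(sector) == MBR_SIZE and sector[BOOT_SIG_OFF:] == b"\x55\xAA"


def parse_mbr(sector):
    """Return the boot-code SHA-256 and the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, n_sectors = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def diff_mbr(baseline, current):
    """List what changed between two sectors; an empty list means no change."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        # A bootkit replaces or patches this code so it runs before the OS loader.
        findings.append("boot code modified")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table modified")
    return findings


def read_mbr(path=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk or a disk image file. On a live
    Windows host this needs administrator rights; the default path is assumed."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, sectors)
    tuples. Used only to construct the sample data below."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba, n) in enumerate(partitions):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i, status, ptype, lba, n)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample sectors: the same single type-0x07 partition, but the
# tampered copy has its boot code overwritten.
BASELINE = build_mbr(b"\xEB\xFE" + b"\x90" * 64, [(0x80, 0x07, 2048, 204800)])
TAMPERED = build_mbr(b"\xEB\xFE" + b"\xCC" * 64, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("baseline vs baseline:", diff_mbr(BASELINE, BASELINE))
    print("baseline vs tampered:", diff_mbr(BASELINE, TAMPERED))
```

Hashing the boot code separately from the partition table matters in practice: a legitimate disk-management change touches the table and leaves the code alone, whereas a bootkit does the reverse, so the two findings have very different triage weight. The baseline should come from a known-clean image of the same build, because the boot code differs between OS versions and disk tools.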
Processes
(One entry per process; a child process is indented under the process that started it.)
- C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"
  PID: 1224
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {79E392AD-AE70-4C10-AEBF-79861FECD7F1} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
  PID: 1900
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\fwrcgsb (child of PID 1900)
      Command line: C:\Users\Admin\AppData\Roaming\fwrcgsb
      PID: 2596
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
  taskeng.exe is the Windows 7 Task Scheduler engine, so fwrcgsb, which repeats the original sample's SCSI registry check and MapViewOfSection behaviour from %AppData%\Roaming, is being started by a scheduled task; that task is the persistence mechanism to look for on an infected host.
- C:\Users\Admin\AppData\Local\Temp\8150.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\8150.exe
  PID: 1964
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (child of PID 1964)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 124
      PID: 1932
      - Loads dropped DLL
      - Program crash
  8150.exe crashed in the sandbox; WerFault.exe -p 1964 is Windows Error Reporting handling that PID.
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F825.dll
  PID: 576
  - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (child of PID 576)
      Command line: /s C:\Users\Admin\AppData\Local\Temp\F825.dll
      PID: 2716
      - Loads dropped DLL
  The 64-bit regsvr32.exe re-launches its SysWOW64 counterpart, which is what happens when the DLL being registered is 32-bit; the dropped F825.dll therefore runs (its DllRegisterServer export) inside the 32-bit regsvr32.exe, PID 2716.
- C:\Users\Admin\AppData\Local\Temp\4397.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4397.exe
  PID: 2824
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\4397.exe (child of PID 2824)
      Command line: C:\Users\Admin\AppData\Local\Temp\4397.exe
      PID: 1388
      - Executes dropped EXE
      - Loads dropped DLL
  4397.exe starts a second copy of itself, writes into it and resets its thread context (process hollowing); the UPX-packed region dumped from PID 1388 in the Signatures section is where that payload lives.
- C:\Users\Admin\AppData\Local\Temp\5380.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\5380.exe
  PID: 2220
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
- C:\Users\Admin\AppData\Local\Temp\7B0D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7B0D.exe
  PID: 1128
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp (child of PID 1128)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-12669.tmp\7B0D.tmp" /SL5="$301C0,2424585,54272,C:\Users\Admin\AppData\Local\Temp\7B0D.exe"
      PID: 1496
      - Executes dropped EXE
      - Loads dropped DLL
  The is-12669.tmp directory and the /SL5= argument are the Inno Setup installer bootstrap, so 7B0D.exe is an Inno Setup package unpacking itself.
PID 1188, the source of the WriteProcessMemory events into each of the top-level payloads (8150.exe, regsvr32.exe, 4397.exe, 5380.exe, 7B0D.exe), does not appear in this tree and its image name is not recorded anywhere in the report.
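The WriteProcessMemory and SetThreadContext tables in the Signatures section are flattened, and the tree above does not show PID 1188 at all. The following is an added example for this report, not sandbox tooling: it parses those event lines, rebuilds the cross-process write graph and flags the one edge that matches process hollowing. EVENTS holds one copy of each distinct line from the report (the report repeats most of them), and the rule that a lone image name belongs to the target is this report's layout, in which PID 1188 never carries a name, rather than a general property of the format.

```python
"""Rebuild the cross-process write graph from this report's flattened
WriteProcessMemory / SetThreadContext tables and flag process hollowing.

Added example for this report, not sandbox tooling. EVENTS holds one copy
of each distinct event line from the Signatures section."""
import re

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src)(?: (?P<rest>.+))?$")

# Copied from the report's tables, deduplicated.
EVENTS = [
    "PID 1900 wrote to memory of 2596 1900 taskeng.exe fwrcgsb",
    "PID 1188 wrote to memory of 1964 1188 8150.exe",
    "PID 1964 wrote to memory of 1932 1964 8150.exe WerFault.exe",
    "PID 1188 wrote to memory of 576 1188 regsvr32.exe",
    "PID 576 wrote to memory of 2716 576 regsvr32.exe regsvr32.exe",
    "PID 1188 wrote to memory of 2824 1188 4397.exe",
    "PID 2824 wrote to memory of 1388 2824 4397.exe 4397.exe",
    "PID 1188 wrote to memory of 2220 1188 5380.exe",
    "PID 1188 wrote to memory of 1128 1188 7B0D.exe",
    "PID 1128 wrote to memory of 1496 1128 7B0D.exe 7B0D.tmp",
    "PID 2824 set thread context of 1388 2824 4397.exe 4397.exe",
]


def parse_event(line):
    """Return (kind, src_pid, dst_pid, src_image, dst_image) or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    names = m["rest"].split() if m["rest"] else []
    # Report layout is '<source image> <target image>'. PID 1188 has no image
    # name anywhere in this report, so a lone name is the target's image.
    if len(names) >= 2:
        src_img, dst_img = names[0], names[1]
    elif len(names) == 1:
        src_img, dst_img = None, names[0]
    else:
        src_img = dst_img = None
    kind = "write" if m["kind"].startswith("wrote") else "set_context"
    return kind, int(m["src"]), int(m["dst"]), src_img, dst_img


def injection_graph(lines):
    """Aggregate events into {(src_pid, dst_pid): edge} with per-kind counts."""
    edges = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, src, dst, src_img, dst_img = ev
        edge = edges.setdefault((src, dst), {"write": 0, "set_context": 0,
                                             "src_img": src_img, "dst_img": dst_img})
        edge[kind] += 1
    return edges


def hollowing_candidates(edges):
    """Process hollowing leaves a distinctive edge: a process writes into a
    second instance of its own image and then overwrites that instance's
    thread context (create suspended, WriteProcessMemory, SetThreadContext,
    resume). Same-image writes alone are not enough: the 64-bit regsvr32.exe
    writing into the 32-bit one it spawned has the same shape without the
    context reset."""
    return sorted((src, dst, e["src_img"]) for (src, dst), e in edges.items()
                  if e["write"] and e["set_context"]
                  and e["src_img"] is not None and e["src_img"] == e["dst_img"])


def unnamed_sources(edges):
    """PIDs that write into others but never carry an image name; in this
    report that is PID 1188, whose identity must come from the analyst."""
    return sorted({src for (src, _), e in edges.items() if e["src_img"] is None})


if __name__ == "__main__":
    g = injection_graph(EVENTS)
    for (src, dst), e in g.items():
        print(f"{src} {e['src_img'] or '?'} -> {dst} {e['dst_img']} "
              f"writes={e['write']} set_context={e['set_context']}")
    print("hollowing:", hollowing_candidates(g))
    print("unnamed writers:", unnamed_sources(g))
```

The same-image plus SetThreadContext rule is the part worth carrying into a detection: on an EDR with per-call telemetry it maps to a suspended CreateProcess of the caller's own image followed by a write and a context change on that child, and the regsvr32.exe pair in this run is the benign case the rule has to leave alone.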
Network
MITRE ATT&CK Enterprise v15
Downloads
(Files written during the run, identified by hash only; no file names are recorded in this export.)
- Filesize: 704KB
  MD5: 1df9c98963f3d20b3f3f5db8152e3052
  SHA1: c8203e4dee088a27c97cb3e334c1dd9aafdd0786
  SHA256: cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f
  SHA512: bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60
- Filesize: 640KB
  MD5: 668e25ec4a41c6a6fc11252eaf870560
  SHA1: 0bcbb44fd3e47037fc012f336d46736cd76e2557
  SHA256: 5b5254a1a358a59669ff5e5a9dc662887ff8ef078bc2790378670e1708a72317
  SHA512: c60282db85e592ce5a40c67ed1a3cf6cbe64454639b76ce976d6c9f7467565357a5a8018446da7b1635a2d5fa069b017beac8be015fd0c10979ac66173cb87f6
- Filesize: 1.4MB
  MD5: 057d4899785c88a4b96a30efac0a7f10
  SHA1: 2304be75b31060360a246617e18a147febbcd080
  SHA256: 66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4
  SHA512: 240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574
- Filesize: 1.9MB
  MD5: 398ab69b1cdc624298fbc00526ea8aca
  SHA1: b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
  SHA256: ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
  SHA512: 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739
- Filesize: 320KB
  MD5: ed9730742925437660eea83dd42d4044
  SHA1: f53fecf5b09f2b7b145dfb1cad4afc28b6994d8c
  SHA256: 62f6c635aba6b56d89e711030bd6f50b763ffd8396f5ddac0d9fdcf354afcb82
  SHA512: dac98e135e64c15161e8836e5ab775604373ea72954b74a975d4f4c750a41a3a039d4ef1ecc6451a8f97c3a2e2d114105e2fefd59b49f64d021b730de79d1901
- Filesize: 2.5MB
  MD5: 7b96170ca36e7650b9d3a075126b8622
  SHA1: 311068f2f6282577513123b9181283ffb01d55ce
  SHA256: e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
  SHA512: e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd
- Filesize: 1.3MB
  MD5: b30b3e3495c0b2a9895357d9b068d4b8
  SHA1: 15ab836b28afe996124efe386a0d56ad2aa479e6
  SHA256: 3e5706a4dc08b66f67e452129e6f67d9d004a75b0f3ba2ccd2552a0bb657c07b
  SHA512: 83e87fa3ecc9ece2701ffe45b8b7a677aa5e56ff7ee053f7697bbaec247748b3ed7540f046b5574414c951716f9e0a1ec5f6452978e28c3337f36efbe4429b57
- Filesize: 4.4MB
  MD5: 77d6b6264a2bbc1764c3c6bb45cc4c82
  SHA1: d4861fb655582a9bd96e9c83a6ce4b5c14bb290c
  SHA256: e297384a9e41adeb15aa416eded4aa2401318895aa23f33b1ec42000b119c503
  SHA512: ef414be344417cd7a4853b599cdbc6172b9b59b5dbbfe4da1b04640a39df76c3c9bfdcfa4e9cc7c366761b5c4acea7d083089009a7026d23a34754251e2823e0
- Filesize: 5.0MB
  MD5: 0904e849f8483792ef67991619ece915
  SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
  SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
  SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5
- Filesize: 2.0MB
  MD5: 7aecbe510817ee9636a5bcbff0ee5fdd
  SHA1: 6a3f27f7789ccf1b19c948774d84c865a9ac6825
  SHA256: b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
  SHA512: a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
- Filesize: 163KB (identical hashes to the submitted sample listed under General)
  MD5: 636c32103ef487d1c30df530296f014b
  SHA1: f280007f3c78b0823d8978bec1c1cdf792bf5fc6
  SHA256: c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
  SHA512: 2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
- Filesize: 384KB
  MD5: 4b786fa564f50a06a6e84d8fc46f9cb7
  SHA1: d675403cf65f70494413e2e08c128adca2d8e8cf
  SHA256: 46ded921f0e11a4834ea7e6e66867e3a1a56d3a480bb9cf1aa3244871dd81c5c
  SHA512: 58a1532f8f28a4e36bad9d2d9324ac825f18e20629173fc3febeae70384279ee4337a0633d7583d2cecdd0ea972315d2bb3cb537666b510f587c1217dc5ad4ae
- Filesize: 689KB
  MD5: 951ac648539bfaa0f113db5e0406de5b
  SHA1: 1b42de9ef8aaf1740de90871c5fc16963a842f43
  SHA256: bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
  SHA512: 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d
- Filesize: 2KB
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3