Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-02-2024 23:58
- Static task: static1
- Behavioral task: behavioral1 (Sample: 636c32103ef487d1c30df530296f014b.exe, Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: 636c32103ef487d1c30df530296f014b.exe, Resource: win10v2004-20240226-en)
General
- Target: 636c32103ef487d1c30df530296f014b.exe
- Size: 163KB
- MD5: 636c32103ef487d1c30df530296f014b
- SHA1: f280007f3c78b0823d8978bec1c1cdf792bf5fc6
- SHA256: c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
- SHA512: 2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
- SSDEEP: 3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config

Extracted: smokeloader (2022)
C2:
- http://selebration17io.io/index.php
- http://vacantion18ffeu.cc/index.php
- http://valarioulinity1.net/index.php
- http://buriatiarutuhuob.net/index.php
- http://cassiosssionunu.me/index.php
- http://sulugilioiu19.net/index.php
- http://goodfooggooftool.net/index.php

Extracted: lumma
C2:
- https://resergvearyinitiani.shop/api
- https://technologyenterdo.shop/api
- https://detectordiscusser.shop/api
- https://turkeyunlikelyofw.shop/api
- https://associationokeo.shop/api
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Deletes itself (1 IoC)
Processes:
- pid 3232 (no process name listed)

Executes dropped EXE (9 IoCs)
Processes:
- 1164 cusribh
- 400 A4A7.exe
- 5108 28ED.exe
- 1956 28ED.exe
- 4328 6589.exe
- 3920 992D.exe
- 4124 992D.tmp
- 2752 mmediabuilder.exe
- 3220 mmediabuilder.exe

Loads dropped DLL (3 IoCs)
Processes:
- 3688 regsvr32.exe
- 1956 28ED.exe
- 4124 992D.tmp

Processes (resource, yara_rule):
- behavioral2/memory/1956-54-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-56-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-57-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-58-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-59-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-60-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-65-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-84-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-87-0x0000000000400000-0x0000000000848000-memory.dmp upx
- behavioral2/memory/1956-100-0x0000000000400000-0x0000000000848000-memory.dmp upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 28ED.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- 6589.exe: File opened for modification \??\PHYSICALDRIVE0

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 5108 (28ED.exe) set thread context of 1956 (28ED.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- 636c32103ef487d1c30df530296f014b.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 636c32103ef487d1c30df530296f014b.exe: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- 636c32103ef487d1c30df530296f014b.exe: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- cusribh: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- cusribh: Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- cusribh: Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- 1692 636c32103ef487d1c30df530296f014b.exe (2 entries)
- 3232, no process name listed (62 entries)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- 1692 636c32103ef487d1c30df530296f014b.exe
- 1164 cusribh

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- pid 3232: Token: SeShutdownPrivilege (4 entries)
- pid 3232: Token: SeCreatePagefilePrivilege (4 entries)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- 4124 992D.tmp

Suspicious use of WriteProcessMemory (34 IoCs)
Processes (pid wrote to memory of target pid; process -> target process):
- PID 3232 wrote to memory of 400 (no process name listed -> A4A7.exe), 3 entries
- PID 3232 wrote to memory of 3516 (no process name listed -> regsvr32.exe), 2 entries
- PID 3516 wrote to memory of 3688 (regsvr32.exe -> regsvr32.exe), 3 entries
- PID 3232 wrote to memory of 5108 (no process name listed -> 28ED.exe), 3 entries
- PID 5108 wrote to memory of 1956 (28ED.exe -> 28ED.exe), 8 entries
- PID 3232 wrote to memory of 4328 (no process name listed -> 6589.exe), 3 entries
- PID 3232 wrote to memory of 3920 (no process name listed -> 992D.exe), 3 entries
- PID 3920 wrote to memory of 4124 (992D.exe -> 992D.tmp), 3 entries
- PID 4124 wrote to memory of 2752 (992D.tmp -> mmediabuilder.exe), 3 entries
- PID 4124 wrote to memory of 3220 (992D.tmp -> mmediabuilder.exe), 3 entries

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1692

- C:\Users\Admin\AppData\Roaming\cusribh
  Command line: C:\Users\Admin\AppData\Roaming\cusribh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 1164

- C:\Users\Admin\AppData\Local\Temp\A4A7.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\A4A7.exe
  - Executes dropped EXE
  PID: 400

- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D667.dll
  - Suspicious use of WriteProcessMemory
  PID: 3516
  - Child: C:\Windows\SysWOW64\regsvr32.exe
    Command line: /s C:\Users\Admin\AppData\Local\Temp\D667.dll
    - Loads dropped DLL
    PID: 3688

- C:\Users\Admin\AppData\Local\Temp\28ED.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\28ED.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 5108
  - Child: C:\Users\Admin\AppData\Local\Temp\28ED.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\28ED.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID: 1956

- C:\Users\Admin\AppData\Local\Temp\6589.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\6589.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID: 4328

- C:\Users\Admin\AppData\Local\Temp\992D.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\992D.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 3920
  - Child: C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-AKFG7.tmp\992D.tmp" /SL5="$B0218,2424585,54272,C:\Users\Admin\AppData\Local\Temp\992D.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 4124
    - Child: C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i
      - Executes dropped EXE
      PID: 2752
    - Child: C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
      Command line: "C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s
      - Executes dropped EXE
      PID: 3220
Network

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads