Analysis

max time kernel: 150s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 26-02-2024 23:56

Static task: static1
Behavioral task: behavioral1
Sample: 636c32103ef487d1c30df530296f014b.exe
Resource: win7-20240220-en
General

Target: 636c32103ef487d1c30df530296f014b.exe
Size: 163KB
MD5: 636c32103ef487d1c30df530296f014b
SHA1: f280007f3c78b0823d8978bec1c1cdf792bf5fc6
SHA256: c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
SHA512: 2a01b0fb459a710c4d8ffb20fe2907bbb5ca091769cb8b3216d909208ee662f9c2f6f035fa1c8aeb9222ee7018c6da15615414b2556e02f0bbcc3bd05337f604
SSDEEP: 3072:eQ37N6u0D0i+zGJKHZj+4M48iIp2WZnFzw0I:eK8u0Qi+yQHZEiIttw
Malware Config

Extracted
Family: smokeloader
Version: 2022
C2:
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php

Extracted
Family: lumma
C2:
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
Processes:
pid | process
3352 | (name not recorded)

Executes dropped EXE (3 IoCs)
Processes:
pid | process
4268 | F4FF.exe
3928 | B0AF.exe
2264 | B0AF.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
3128 | regsvr32.exe
2264 | B0AF.exe

YARA rule matches (6 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2264-46-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/2264-47-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/2264-43-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/2264-48-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/2264-49-0x0000000000400000-0x0000000000848000-memory.dmp | upx
behavioral2/memory/2264-50-0x0000000000400000-0x0000000000848000-memory.dmp | upx

Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target pid | target process
PID 3928 set thread context of 2264 | 3928 | B0AF.exe | 2264 | B0AF.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 636c32103ef487d1c30df530296f014b.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 636c32103ef487d1c30df530296f014b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 636c32103ef487d1c30df530296f014b.exe
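Why this key is a sandbox tell, as an added example that is not part of the report: the subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are device instance IDs of the form Disk&Ven_<vendor>&Prod_<product>[&Rev_<rev>], so enumerating them hands the sample the vendor and product strings of every disk and optical drive, and on a stock VM those strings name the hypervisor. The parser below runs offline: the subkey names are constructed sample data (a VMware, VirtualBox, QEMU and Hyper-V style entry plus one physical disk), and the VM_TOKENS list is an assumption to tune for your own sandbox images; it is not something the report contains.

```python
import re
from dataclasses import dataclass

# Constructed sample of subkey names as they appear under
# HKLM\SYSTEM\ControlSet001\Enum\SCSI (the key the sample queried, enumerated and opened).
# The first five mimic stock virtual machines; the last one is a physical SATA disk.
SAMPLE_SCSI_SUBKEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_QEMU&Prod_QEMU_HARDDISK",
    "Disk&Ven_Msft&Prod_Virtual_Disk",
    "Disk&Ven_ATA&Prod_ST1000DM003-1CH1",  # physical Seagate disk behind the ATA bridge
]

# Assumed token list (not from the report): substrings, matched case-insensitively,
# that betray a hypervisor in the vendor or product field. Tune for your own fleet.
VM_TOKENS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen", "hyper-v", "msft")

# Device instance IDs under Enum\SCSI use the <class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>] layout.
_DEVICE_ID = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)(?:&Rev_(?P<rev>[^&]*))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ScsiDevice:
    cls: str
    vendor: str
    product: str
    rev: str

    @property
    def vm_tokens(self) -> tuple:
        """Tokens from VM_TOKENS present in the vendor or product field."""
        hay = f"{self.vendor} {self.product}".lower()
        return tuple(t for t in VM_TOKENS if t in hay)


def parse_scsi_subkey(name: str):
    """Return a ScsiDevice for a well-formed device instance ID, or None otherwise."""
    m = _DEVICE_ID.match(name.strip())
    if not m:
        return None
    return ScsiDevice(m["cls"], m["vendor"], m["product"], m["rev"] or "")


def vm_indicators(subkeys):
    """Devices whose vendor/product strings would reveal a VM to a check like this sample's."""
    found = []
    for name in subkeys:
        dev = parse_scsi_subkey(name)
        if dev is not None and dev.vm_tokens:
            found.append(dev)
    return found


if __name__ == "__main__":
    for dev in vm_indicators(SAMPLE_SCSI_SUBKEYS):
        print(f"{dev.cls}: vendor={dev.vendor!r} product={dev.product!r} tokens={dev.vm_tokens}")
```

Run against the real key on a Windows sandbox image (winreg.EnumKey over the same path) to see exactly what the sample saw; an image whose disks report only the physical-looking entry survives this check, one with any of the five VM entries does not.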
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process
3884 | 636c32103ef487d1c30df530296f014b.exe
3884 | 636c32103ef487d1c30df530296f014b.exe
3352 | (name not recorded), 62 entries

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid | process
3884 | 636c32103ef487d1c30df530296f014b.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3352 | (name not recorded)
Token: SeCreatePagefilePrivilege | 3352 | (name not recorded)

Suspicious use of UnmapMainImage (1 IoC)
Processes:
pid | process
3352 | (name not recorded)

Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
description | pid | process | target process | count
PID 3352 wrote to memory of 4268 | 3352 | (name not recorded) | F4FF.exe | 3
PID 3352 wrote to memory of 4912 | 3352 | (name not recorded) | regsvr32.exe | 2
PID 4912 wrote to memory of 3128 | 4912 | regsvr32.exe | regsvr32.exe | 3
PID 3352 wrote to memory of 3928 | 3352 | (name not recorded) | B0AF.exe | 3
PID 3928 wrote to memory of 2264 | 3928 | B0AF.exe | B0AF.exe | 8
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe (PID 3884, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\636c32103ef487d1c30df530296f014b.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\F4FF.exe (PID 4268, level 1)
  command line: C:\Users\Admin\AppData\Local\Temp\F4FF.exe
  - Executes dropped EXE

C:\Windows\system32\regsvr32.exe (PID 4912, level 1)
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\61F2.dll
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\regsvr32.exe (PID 3128, level 2, child of 4912)
      command line: /s C:\Users\Admin\AppData\Local\Temp\61F2.dll
      - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\B0AF.exe (PID 3928, level 1)
  command line: C:\Users\Admin\AppData\Local\Temp\B0AF.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\B0AF.exe (PID 2264, level 2, child of 3928)
      command line: C:\Users\Admin\AppData\Local\Temp\B0AF.exe
      - Executes dropped EXE
      - Loads dropped DLL
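The B0AF.exe parent (3928) writing eight times into a child that runs the same image (2264) and then calling SetThreadContext on it is the textbook process-hollowing sequence; the regsvr32.exe pair (4912 writing into 3128) shows why writes alone are not enough, since a parent writing into a child it just created is ordinary CreateProcess behaviour and the 64-bit regsvr32 legitimately re-launches its SysWOW64 copy for a 32-bit DLL. The script below is an added example, not part of the report: it turns the page's own rows into a small detection. The event list, image map and parent map are constructed from the tables above, and the confidence tiers are my own assumption.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "write" (WriteProcessMemory) or "set_thread_context" (SetThreadContext)
    pid: int     # acting process
    target: int  # process written to / whose thread context was set


@dataclass(frozen=True)
class Finding:
    parent: int
    child: int
    image: str
    writes: int
    set_thread_context: bool
    confidence: str  # "high", "medium" or "low" (assumed tiers, see find_hollowing)


# Constructed from the report: image names and nesting come from the process tree,
# the write/SetThreadContext rows from the signature tables. PID 3352 has no image
# name recorded on the page, so it is deliberately absent from IMAGES.
IMAGES = {
    3884: "636c32103ef487d1c30df530296f014b.exe",
    4268: "F4FF.exe",
    4912: "regsvr32.exe",
    3128: "regsvr32.exe",
    3928: "B0AF.exe",
    2264: "B0AF.exe",
}
PARENTS = {3128: 4912, 2264: 3928}  # child -> parent, the two level-2 entries of the tree
EVENTS = (
    [Event("write", 3352, 4268)] * 3
    + [Event("write", 3352, 4912)] * 2
    + [Event("write", 4912, 3128)] * 3
    + [Event("write", 3352, 3928)] * 3
    + [Event("write", 3928, 2264)] * 8
    + [Event("set_thread_context", 3928, 2264)]
)


def find_hollowing(events, images, parents):
    """Flag parent/child pairs that look like process hollowing.

    Writes into a freshly created child are normal, so writes alone rate only
    "low", and only when the child runs the same image as the parent (the usual
    hollowing target). Writes followed by SetThreadContext on the child are the
    fingerprint: the parent has replaced the child's mapped image and is pointing
    its main thread at the new code. Same image plus SetThreadContext is "high";
    SetThreadContext into a differently named child is still "medium".
    """
    writes = Counter((e.pid, e.target) for e in events if e.kind == "write")
    context_set = {(e.pid, e.target) for e in events if e.kind == "set_thread_context"}
    findings = []
    for child, parent in parents.items():
        key = (parent, child)
        child_image = images.get(child, "")
        same_image = bool(child_image) and child_image.lower() == images.get(parent, "").lower()
        if key in context_set and writes[key]:
            confidence = "high" if same_image else "medium"
        elif same_image and writes[key]:
            confidence = "low"
        else:
            continue
        findings.append(Finding(parent, child, child_image, writes[key], key in context_set, confidence))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f.confidence))


if __name__ == "__main__":
    for f in find_hollowing(EVENTS, IMAGES, PARENTS):
        print(f"{f.confidence:6} {f.parent} -> {f.child} ({f.image}): "
              f"{f.writes} writes, SetThreadContext={f.set_thread_context}")
```

On the page's data this yields one "high" finding (3928 -> 2264, B0AF.exe) and one "low" (4912 -> 3128, regsvr32.exe); the writes from PID 3352 are not scored because the tree records no parent relationship for them. The same three inputs (process creation, cross-process write, SetThreadContext) are what a Sysmon- or ETW-based rule would key on, with the same-image test doing most of the work of separating hollowing from ordinary process start-up.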
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.0MB
MD5: 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1: 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256: b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512: a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

Filesize: 1.9MB
MD5: 0642278745fba16597e65937093b4610
SHA1: 9409ea6dd562c7b66b1fbd73ba5af5974b21b4af
SHA256: 040ae9c155ffde932d4c62f1334f4afcc6cabeb991b3602f8cea7747c64c1755
SHA512: b8560457bf9cc89ba39203476cbbe1c2a7e31ede4af0ff022c8fab232ad7b739b73ff4f02b9084dea147336d6e11e46940a985fbf2141280f4cf0716692ddca5

Filesize: 1.9MB
MD5: 398ab69b1cdc624298fbc00526ea8aca
SHA1: b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256: ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512: 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

Filesize: 1.6MB
MD5: 3a57dc900df7d0c26658c8359e9cf0ed
SHA1: 13bf3442ea417341c42a99fc00627fda7d3cf623
SHA256: d86b53f57b7e62d4e0d02d9566e6a893c2ca85d7b81c8623d3f362e61fc4cf84
SHA512: 57153a2e069a8ce6879529c6bc47e6ef970796bd6d1e354e5f7fd231f6408e2c0935b3c0f1b83f96d9ae9aff715dd9a2d7f058ed7f2afd9702348cbb5cdc893e

Filesize: 5.0MB
MD5: 0904e849f8483792ef67991619ece915
SHA1: 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256: fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512: 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5