Analysis
max time kernel: 47s
max time network: 288s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-03-2024 04:59
Static task: static1
Behavioral task: behavioral1
  Sample: a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
  Resource: win10-20240221-en
General
Target: a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
Size: 161KB
MD5: beb935e79a4a35da55548d745c312586
SHA1: 404f3832c8e13dc1bbcbac9eda9cf8bea9b07d84
SHA256: a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008
SHA512: c514adbff0dfeeaaeca607a3efdefb1e71c76db2ae3293d1e465be5f175051f852c8b8ffd58de11ea2e8128bf1e612c5409616b92f92362f515c806e562027f9
SSDEEP: 3072:rCZrijHsHF5PcguVl5AtC+U+OdxVH7pM:rariDsrd0lF7xxW
Malware Config
Extracted: smokeloader (version 2022)
  C2:
  - http://selebration17io.io/index.php
  - http://vacantion18ffeu.cc/index.php
  - http://valarioulinity1.net/index.php
  - http://buriatiarutuhuob.net/index.php
  - http://cassiosssionunu.me/index.php
  - http://sulugilioiu19.net/index.php
  - http://goodfooggooftool.net/index.php
Extracted: amadey (version 4.17)
  C2: http://185.215.113.32
  install_dir: 00c07260dc
  install_file: explorgu.exe
  strings_key: 461809bd97c251ba0c0c8450c7055f1d
  url_paths: /yandex/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 399D.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | B55.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | B55.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 399D.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 399D.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | B55.exe
- Deletes itself (1 IoC)
  pid | Process
  3368 | Process not Found
- Executes dropped EXE (5 IoCs)
  pid | Process
  4388 | B55.exe
  4652 | 11AF.exe
  2044 | 11AF.exe
  5092 | 2F3C.exe
  2952 | 399D.exe
- Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Wine | B55.exe
  Key opened | \REGISTRY\USER\S-1-5-21-313240725-3527728709-4038673254-1000\Software\Wine | 399D.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  164 | regsvr32.exe
  2044 | 11AF.exe
- YARA rule match in memory (6 IoCs)
  resource | yara_rule
  behavioral2/memory/2044-47-0x0000000000400000-0x0000000000848000-memory.dmp | upx
  behavioral2/memory/2044-51-0x0000000000400000-0x0000000000848000-memory.dmp | upx
  behavioral2/memory/2044-52-0x0000000000400000-0x0000000000848000-memory.dmp | upx
  behavioral2/memory/2044-55-0x0000000000400000-0x0000000000848000-memory.dmp | upx
  behavioral2/memory/2044-56-0x0000000000400000-0x0000000000848000-memory.dmp | upx
  behavioral2/memory/2044-57-0x0000000000400000-0x0000000000848000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | 11AF.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  4388 | B55.exe
  2952 | 399D.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4652 set thread context of 2044 | 4652 | 11AF.exe | 76
- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Tasks\explorgu.job | B55.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs, identical entries collapsed with a count)
  pid | Process | count
  3688 | a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe | 2
  3368 | Process not Found | 62
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  3688 | a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe
- Suspicious use of AdjustPrivilegeToken (10 IoCs, identical entries collapsed with a count)
  description | pid | Process | count
  Token: SeShutdownPrivilege | 3368 | Process not Found | 5
  Token: SeCreatePagefilePrivilege | 3368 | Process not Found | 5
- Suspicious use of WriteProcessMemory (25 IoCs, identical entries collapsed with a count)
  description | pid | Process | procid_target | count
  PID 3368 wrote to memory of 4388 | 3368 | Process not Found | 72 | 3
  PID 3368 wrote to memory of 4652 | 3368 | Process not Found | 73 | 3
  PID 3368 wrote to memory of 1348 | 3368 | Process not Found | 74 | 2
  PID 1348 wrote to memory of 164 | 1348 | regsvr32.exe | 75 | 3
  PID 4652 wrote to memory of 2044 | 4652 | 11AF.exe | 76 | 8
  PID 3368 wrote to memory of 5092 | 3368 | Process not Found | 77 | 3
  PID 3368 wrote to memory of 2952 | 3368 | Process not Found | 78 | 3
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2c996efff932151e3d97d6c0816cc4ad58e54068bc1b037ce2d279a55521008.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3688
- C:\Users\Admin\AppData\Local\Temp\B55.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\B55.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  PID: 4388
- C:\Users\Admin\AppData\Local\Temp\11AF.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\11AF.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4652
  - C:\Users\Admin\AppData\Local\Temp\11AF.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\11AF.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID: 2044
- C:\Windows\system32\regsvr32.exe (level 1)
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1951.dll
  - Suspicious use of WriteProcessMemory
  PID: 1348
  - C:\Windows\SysWOW64\regsvr32.exe (level 2)
    Command line: /s C:\Users\Admin\AppData\Local\Temp\1951.dll
    - Loads dropped DLL
    PID: 164
- C:\Users\Admin\AppData\Local\Temp\2F3C.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\2F3C.exe
  - Executes dropped EXE
  PID: 5092
- C:\Users\Admin\AppData\Local\Temp\399D.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\399D.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 2952
Network
MITRE ATT&CK Enterprise v15
Downloads