Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2024 12:08

General

  • Target

    b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe

  • Size

    203KB

  • MD5

    d0936de24510643fa68b2d3879ad79d9

  • SHA1

    b9f5bf48d34dfae63e695bfd90efad0a8137ede9

  • SHA256

    b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0

  • SHA512

    4cf4dbfad11b4e9ac58243670027e6387d47bb74544777fedbe57c3e2e1373ca9fcf6727087bc1ae3c3d898e890e11f425b2b06cb611a205b8bc3c5bb89c1480

  • SSDEEP

    3072:/urEskahJisaBZmTrM1ICSZRKRc5h9QWRT+qBL2A:MEska6mTrEIbRKRc5Q+u

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
    "C:\Users\Admin\AppData\Local\Temp\b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2208
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {1D851EDE-6658-408B-A2C5-518C677FAF7A} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Roaming\jsvdgtc
      C:\Users\Admin\AppData\Roaming\jsvdgtc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1968

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\jsvdgtc

    Filesize

    203KB

    MD5

    d0936de24510643fa68b2d3879ad79d9

    SHA1

    b9f5bf48d34dfae63e695bfd90efad0a8137ede9

    SHA256

    b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0

    SHA512

    4cf4dbfad11b4e9ac58243670027e6387d47bb74544777fedbe57c3e2e1373ca9fcf6727087bc1ae3c3d898e890e11f425b2b06cb611a205b8bc3c5bb89c1480

  • memory/1288-4-0x0000000002C00000-0x0000000002C16000-memory.dmp

    Filesize

    88KB

  • memory/1288-16-0x0000000002D30000-0x0000000002D46000-memory.dmp

    Filesize

    88KB

  • memory/1968-14-0x00000000005A0000-0x00000000006A0000-memory.dmp

    Filesize

    1024KB

  • memory/1968-15-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/1968-17-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2208-2-0x00000000003A0000-0x00000000003AB000-memory.dmp

    Filesize

    44KB

  • memory/2208-3-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB

  • memory/2208-1-0x0000000000230000-0x0000000000330000-memory.dmp

    Filesize

    1024KB

  • memory/2208-5-0x0000000000400000-0x0000000000438000-memory.dmp

    Filesize

    224KB