Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07-03-2024 12:08
Static task
static1
Behavioral task
behavioral1
Sample
b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
Resource
win10v2004-20240226-en
General
-
Target
b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
-
Size
203KB
-
MD5
d0936de24510643fa68b2d3879ad79d9
-
SHA1
b9f5bf48d34dfae63e695bfd90efad0a8137ede9
-
SHA256
b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0
-
SHA512
4cf4dbfad11b4e9ac58243670027e6387d47bb74544777fedbe57c3e2e1373ca9fcf6727087bc1ae3c3d898e890e11f425b2b06cb611a205b8bc3c5bb89c1480
-
SSDEEP
3072:/urEskahJisaBZmTrM1ICSZRKRc5h9QWRT+qBL2A:MEska6mTrEIbRKRc5Q+u
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://gxutc2c.com/tmp/index.php
http://proekt8.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://pirateking.online/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
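The six C2 URLs extracted above share one path (/tmp/index.php) across rotating domains, which is how SmokeLoader configs are usually laid out. The following is an added example, not part of the sandbox report or the malware: it turns that extracted list into two tiers of indicator (exact host, and path-only for domains not yet extracted) and runs them over a few constructed proxy log lines. The log layout (timestamp, client, method, URL, status) and the sample lines are assumptions made for the demo; the URLs are the ones the report lists.

```python
"""Detection logic built from the SmokeLoader C2 list in the report.

Added example, not the report's or the malware's code. The C2 URLs are the
ones the sandbox extracted; the proxy log lines and their field layout
(ts client method url status) are constructed for this demo.
"""
from urllib.parse import urlsplit

# C2 URLs exactly as extracted from the sample's configuration (report data).
SMOKELOADER_C2 = [
    "http://gxutc2c.com/tmp/index.php",
    "http://proekt8.ru/tmp/index.php",
    "http://mth.com.ua/tmp/index.php",
    "http://pirateking.online/tmp/index.php",
    "http://piratia.pw/tmp/index.php",
    "http://go-piratia.ru/tmp/index.php",
]


def build_indicators(urls):
    """Split the URL list into exact hosts (strong) and C2 paths (weak).

    The path alone catches rotated domains that share the same panel path,
    at the cost of more false positives, so it is reported as a separate tier.
    """
    hosts, paths = set(), set()
    for u in urls:
        parts = urlsplit(u)
        hosts.add(parts.hostname.lower())
        paths.add(parts.path)
    return hosts, paths


def classify(line, hosts, paths):
    """Return 'c2_host', 'c2_path_only' or None for one proxy log line.

    Assumed (constructed) line layout: 'ts client method url status'.
    Host matching is case-insensitive; urlsplit() lowercases .hostname.
    """
    fields = line.split()
    if len(fields) < 5:
        return None
    method, url = fields[2], fields[3]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in hosts:
        return "c2_host"
    if method == "POST" and parts.path in paths:
        return "c2_path_only"
    return None


def scan(lines, urls=SMOKELOADER_C2):
    """Return (verdict, url) for every line that matches an indicator."""
    hosts, paths = build_indicators(urls)
    hits = []
    for line in lines:
        verdict = classify(line, hosts, paths)
        if verdict:
            hits.append((verdict, line.split()[3]))
    return hits


# Constructed proxy log sample: two real C2 hosts (one in upper case), one
# unknown host using the same panel path via POST, and benign traffic.
SAMPLE_LOG = [
    "2024-03-07T12:09:01Z 10.0.0.15 POST http://proekt8.ru/tmp/index.php 200",
    "2024-03-07T12:09:02Z 10.0.0.15 GET http://www.example.com/ 200",
    "2024-03-07T12:09:05Z 10.0.0.15 POST http://MTH.COM.UA/tmp/index.php 200",
    "2024-03-07T12:09:09Z 10.0.0.15 POST http://unknown-host.test/tmp/index.php 404",
    "2024-03-07T12:09:10Z 10.0.0.15 GET http://cdn.example.net/tmp/index.php 200",
]

if __name__ == "__main__":
    for verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:13} {url}")
```

The path-only tier is deliberately restricted to POST requests; a GET to a similarly named path on an unrelated host is left alone, as the last sample line shows.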
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
pid Process
3512 Process not Found (the sandbox could not map this PID to an image name; the same PID carries the registry, token and shell-tray activity below)
-
Executes dropped EXE 1 IoCs
pid Process
816 ftvaeug
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ftvaeug
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ftvaeug
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ftvaeug
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
-
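Both the original sample and the dropped copy enumerate \Enum\SCSI. The subkey names under that key have the form Type&Ven_vendor&Prod_product, and hypervisors expose recognisable vendor/product strings there, which is why the key is a cheap sandbox check. The following is an added example, not code from the report or from the sample: it parses constructed subkey names in that format and applies the kind of marker match such a check performs, so an analyst can see what this query would have revealed. The marker list and the sample device IDs are assumptions modelled on common hypervisor disk identifiers.

```python
"""What a malware SCSI check can learn from HKLM\\SYSTEM\\...\\Enum\\SCSI.

Added example, not from the report or the sample. Subkey names under
Enum\\SCSI look like '<Type>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]'; the
IDs below are constructed and the marker list is an assumption.
"""
import re

# Substrings commonly present in virtual disk identifiers (assumed list).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtual", "xen")

# Enum\SCSI subkey layout; trailing '&Rev_...' is ignored by the [^&]* groups.
_ID_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.I)


def parse_device_id(device_id):
    """Return {'type', 'ven', 'prod'} or None; underscores stand for spaces."""
    m = _ID_RE.match(device_id)
    if not m:
        return None
    return {k: v.replace("_", " ").strip() for k, v in m.groupdict().items()}


def vm_markers(device_id):
    """Return the VM markers found in one device ID (empty list = no hit)."""
    parsed = parse_device_id(device_id)
    if not parsed:
        return []
    text = f"{parsed['ven']} {parsed['prod']}".lower()
    return [marker for marker in VM_MARKERS if marker in text]


def looks_virtual(device_ids):
    """True if any enumerated SCSI device carries a hypervisor marker."""
    return any(vm_markers(d) for d in device_ids)


# Constructed subkey names, modelled on real Enum\SCSI entries.
PHYSICAL_HOST = [
    "Disk&Ven_SAMSUNG&Prod_MZVLB512HBJQ-000",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM",
]
VMWARE_GUEST = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]

if __name__ == "__main__":
    for label, ids in (("physical", PHYSICAL_HOST), ("vmware", VMWARE_GUEST)):
        print(label, "virtual" if looks_virtual(ids) else "bare metal",
              [vm_markers(d) for d in ids])
```

For analysis environments this is the flip side of the check: the strings the sample reads are exactly the ones a sandbox needs to rename to stay inconspicuous.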
Modifies registry class 3 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
2348 b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe (2 events)
3512 Process not Found (62 events)
-
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process
2348 b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
816 ftvaeug
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process
Token: SeShutdownPrivilege 3512 Process not Found (9 events)
Token: SeCreatePagefilePrivilege 3512 Process not Found (9 events)
Token: SeManageVolumePrivilege 1928 svchost.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
3512 Process not Found (4 events)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2348
-
C:\Users\Admin\AppData\Roaming\ftvaeug
Command line: C:\Users\Admin\AppData\Roaming\ftvaeug
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:816
-
C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
PID:3620
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
- Suspicious use of AdjustPrivilegeToken
PID:1928
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
203KB
MD5 d0936de24510643fa68b2d3879ad79d9
SHA1 b9f5bf48d34dfae63e695bfd90efad0a8137ede9
SHA256 b8b2ae812b47196a7be9ec41d6186eeaf28f2924b906299995db446be091d5e0
SHA512 4cf4dbfad11b4e9ac58243670027e6387d47bb74544777fedbe57c3e2e1373ca9fcf6727087bc1ae3c3d898e890e11f425b2b06cb611a205b8bc3c5bb89c1480