Analysis
  max time kernel:  150s
  max time network: 121s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted:        07-03-2024 18:38
Static task
  static1

Behavioral task
  behavioral1
  Sample:   2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Resource: win7-20240221-en

Behavioral task
  behavioral2
  Sample:   2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Resource: win10v2004-20240226-en
General
  Target: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Size:   187KB
  MD5:    4c8da92ecf868d4042cc5252d659925a
  SHA1:   589db861e7216d9dad95c217cd09375066229da9
  SHA256: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9
  SHA512: e9640761edff7ae479fc922f8dfa141daebc69244870ae5ef322c839e1fb5a893cc6d5c5ccdd189c4f2a34227e636d9c53658f740a48ff88f0794a0919b080ef
  SSDEEP: 3072:rfIuzUdiSUSCu1TzRL1Cj1ZtQ52xu/zf1MXe74v+fiv9JzpX3:UugdigCuBz6ZtQ5guBMuFgJ
Malware Config
  Extracted: smokeloader
    Version: pub1
  Extracted: smokeloader
    Version: 2022
    C2 URLs:
      http://kamsmad.com/tmp/index.php
      http://souzhensil.ru/tmp/index.php
      http://teplokub.com.ua/tmp/index.php
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  pid   Process
  1212  Process not Found

Executes dropped EXE (1 IoC)
  pid   Process
  2876  wwvjcuv

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  wwvjcuv
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  wwvjcuv
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  wwvjcuv

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1312  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  1312  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  1212  Process not Found  (this identical row is repeated for the remaining 62 IoCs)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1312  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  2876  wwvjcuv

Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process      procid_target
  PID 2536 wrote to memory of 2876     2536  taskeng.exe  31
  PID 2536 wrote to memory of 2876     2536  taskeng.exe  31
  PID 2536 wrote to memory of 2876     2536  taskeng.exe  31
  PID 2536 wrote to memory of 2876     2536  taskeng.exe  31
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe"
  PID: 1312
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

[depth 1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {2DE0CAA3-873E-4E5B-94E0-2B022EA1D50D} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
  PID: 2536
  - Suspicious use of WriteProcessMemory

  [depth 2, child of taskeng.exe] C:\Users\Admin\AppData\Roaming\wwvjcuv
    Command line: C:\Users\Admin\AppData\Roaming\wwvjcuv
    PID: 2876
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 187KB
  MD5:      4c8da92ecf868d4042cc5252d659925a
  SHA1:     589db861e7216d9dad95c217cd09375066229da9
  SHA256:   2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9
  SHA512:   e9640761edff7ae479fc922f8dfa141daebc69244870ae5ef322c839e1fb5a893cc6d5c5ccdd189c4f2a34227e636d9c53658f740a48ff88f0794a0919b080ef