Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-03-2024 18:38
Static task
- static1
Behavioral tasks
- behavioral1
  Sample: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Resource: win7-20240221-en
- behavioral2
  Sample: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Resource: win10v2004-20240226-en
General
- Target: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
- Size: 187KB
- MD5: 4c8da92ecf868d4042cc5252d659925a
- SHA1: 589db861e7216d9dad95c217cd09375066229da9
- SHA256: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9
- SHA512: e9640761edff7ae479fc922f8dfa141daebc69244870ae5ef322c839e1fb5a893cc6d5c5ccdd189c4f2a34227e636d9c53658f740a48ff88f0794a0919b080ef
- SSDEEP: 3072:rfIuzUdiSUSCu1TzRL1Cj1ZtQ52xu/zf1MXe74v+fiv9JzpX3:UugdigCuBz6ZtQ5guBMuFgJ
Malware Config
Extracted
- Family: smokeloader
- Botnet: pub1
Extracted
- Family: smokeloader
- Version: 2022
- C2:
  http://kamsmad.com/tmp/index.php
  http://souzhensil.ru/tmp/index.php
  http://teplokub.com.ua/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  PID 3356  Process not Found
- Executes dropped EXE (1 IoC)
  PID 4268  sjsgwiv
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjsgwiv
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjsgwiv
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjsgwiv
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2264  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe  (2 entries)
  PID 3356  Process not Found  (all remaining entries)
  "Process not Found" means the report could not map PID 3356 to a process in its tree; the self-deletion, the UnmapMainImage use and all but two of the process-enumeration entries are attributed to that unresolved PID.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2264  2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  PID 4268  sjsgwiv
- Suspicious use of UnmapMainImage (1 IoC)
  PID 3356  Process not Found
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
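The SCSI signature above is a per-process pattern (open, query and enumerate on the same Enum key), and the key shows up under different spellings depending on where the telemetry comes from. The following is an added example, not part of the sandbox report: it folds the kernel path (\REGISTRY\MACHINE\...) and the Win32 path (HKEY_LOCAL_MACHINE\...) onto one canonical form, folds ControlSet001 onto CurrentControlSet (assuming that is the control set in use), and flags only processes that performed all three operations. The event rows are constructed to mirror the report's six IoCs plus one benign access.

```python
# Added example, not part of the sandbox report: correlate per-process registry
# activity to find the open/query/enumerate pattern on the SCSI device key that
# the "Checks SCSI registry key(s)" signature describes. Event rows are constructed.
import re
from collections import defaultdict

SAMPLE = "2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe"
SCSI_KEY = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\ENUM\\SCSI"
REQUIRED_OPS = {"opened", "queried", "enumerated"}   # all three were seen per process
_CONTROLSET = re.compile(r"HKLM\\SYSTEM\\CONTROLSET\d{3}\\")


def canonical_key(path: str) -> str:
    """Fold the kernel spelling (\\REGISTRY\\MACHINE\\...) and the Win32 spelling
    (HKEY_LOCAL_MACHINE\\...) onto HKLM\\..., and fold ControlSet00N onto
    CurrentControlSet. Assumption: ControlSet00N is the control set in use."""
    p = path.replace("/", "\\").rstrip("\\").upper()
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\"):
        if p.startswith(prefix):
            p = "HKLM\\" + p[len(prefix):]
            break
    m = _CONTROLSET.match(p)
    if m:
        p = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\" + p[m.end():]
    return p


def find_scsi_enumerators(events):
    """events: iterable of {'process', 'op', 'key'} dicts (one per registry access).
    Returns {process: sorted ops} for every process that touched the SCSI Enum key
    (or a subkey) with each op in REQUIRED_OPS."""
    ops_by_proc = defaultdict(set)
    for ev in events:
        key = canonical_key(ev["key"])
        if key == SCSI_KEY or key.startswith(SCSI_KEY + "\\"):
            ops_by_proc[ev["process"]].add(ev["op"].lower())
    return {p: sorted(ops) for p, ops in ops_by_proc.items() if REQUIRED_OPS <= ops}


# Constructed rows: the report's six IoCs in kernel path spelling, plus a benign
# process that only opened a subkey in Win32 spelling (must not be flagged).
KERNEL_SCSI = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI"
SAMPLE_EVENTS = [
    {"process": proc, "op": op, "key": KERNEL_SCSI}
    for proc in (SAMPLE, "sjsgwiv")
    for op in ("opened", "queried", "enumerated")
] + [
    {"process": "svchost.exe", "op": "opened",
     "key": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_Msft"},
]

if __name__ == "__main__":
    for proc, ops in find_scsi_enumerators(SAMPLE_EVENTS).items():
        print(f"{proc}: {', '.join(ops)}")
```

Device-inventory and driver-management software enumerates this key legitimately, so on its own the pattern is a weak signal; in this report it gains weight because the same two processes also account for the MapViewOfSection behavior and one of them runs from %AppData%\Roaming under a random-looking name.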
Processes
- C:\Users\Admin\AppData\Local\Temp\2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2264
- C:\Users\Admin\AppData\Roaming\sjsgwiv
  Command line: C:\Users\Admin\AppData\Roaming\sjsgwiv
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 4268
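The "Uses Task Scheduler COM API" signature fired but the report lists no task, and the dropped binary runs from C:\Users\Admin\AppData\Roaming. The following is an added example, not part of the sandbox report: it parses output in the shape of `schtasks /query /fo CSV /v` and flags tasks whose action lives in a user-writable directory. All rows are constructed; the "\sjsgwiv" task is hypothetical (the report names the dropped file but not any task that runs it), the environment table assumes the report's "Admin" user, and only the CSV columns used here are shown.

```python
# Added example, not part of the sandbox report: hunt for scheduled tasks whose
# action lives in a user-writable directory, the kind of persistence the
# "Uses Task Scheduler COM API" signature points at. The report lists no task,
# so the CSV below is constructed in the shape of `schtasks /query /fo CSV /v`
# (only the columns used here are shown; columns are read by name).
import csv
import io
import re

# Environment for expanding %VAR% references; assumes the report's "Admin" user.
WIN_ENV = {
    "WINDIR": "C:\\Windows",
    "SYSTEMROOT": "C:\\Windows",
    "PROGRAMDATA": "C:\\ProgramData",
    "USERPROFILE": "C:\\Users\\Admin",
    "APPDATA": "C:\\Users\\Admin\\AppData\\Roaming",
    "LOCALAPPDATA": "C:\\Users\\Admin\\AppData\\Local",
    "TEMP": "C:\\Users\\Admin\\AppData\\Local\\Temp",
    "TMP": "C:\\Users\\Admin\\AppData\\Local\\Temp",
}

# Locations an unprivileged user can write to; a task action under one of these
# is worth a look, whereas %windir%\system32\... is not.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)


def expand_win_vars(s: str, env=WIN_ENV) -> str:
    """Expand %NAME% case-insensitively; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), s)


def suspicious_tasks(csv_text: str, env=WIN_ENV):
    """Return one dict per distinct task whose expanded 'Task To Run' points into a
    user-writable path. `schtasks /v` emits one row per trigger, so tasks are
    de-duplicated by name."""
    hits, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("TaskName", "")
        if name in seen:
            continue
        seen.add(name)
        action = expand_win_vars(row.get("Task To Run", "").strip(), env)
        if USER_WRITABLE.search(action):
            hits.append({"task": name, "action": action,
                         "author": row.get("Author", "")})
    return hits


# Constructed output. The "\sjsgwiv" task is hypothetical: the report names the
# dropped file C:\Users\Admin\AppData\Roaming\sjsgwiv but not the task that runs it.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run","Start In","Comment"
"DESKTOP-1","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","Interactive/Background","3/7/2024 6:00:00 PM","0","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -k -g -$","N/A","N/A"
"DESKTOP-1","\sjsgwiv","3/7/2024 7:08:00 PM","Ready","Interactive only","3/7/2024 6:38:00 PM","0","Admin","C:\Users\Admin\AppData\Roaming\sjsgwiv","N/A","N/A"
"DESKTOP-1","\sjsgwiv","3/7/2024 7:38:00 PM","Ready","Interactive only","3/7/2024 6:38:00 PM","0","Admin","C:\Users\Admin\AppData\Roaming\sjsgwiv","N/A","N/A"
"DESKTOP-1","\Updater","N/A","Ready","Interactive only","N/A","0","Admin","%APPDATA%\updater\svc.exe /quiet","N/A","N/A"
"DESKTOP-1","\Vendor\AgentCheck","3/8/2024 9:00:00 AM","Ready","Interactive/Background","3/7/2024 9:00:00 AM","0","SYSTEM","C:\Program Files\Vendor\agent.exe /check","N/A","N/A"
'''

if __name__ == "__main__":
    for h in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{h['task']}: {h['action']} (author {h['author']})")
```

A task registered through the COM API looks no different from one created with schtasks.exe, so the hunt keys on where the action points rather than on how the task was made; a task whose action has no extension at all, as with the dropped sjsgwiv file, is a further oddity worth noting when reviewing the hits.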
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 187KB
  MD5: 4c8da92ecf868d4042cc5252d659925a
  SHA1: 589db861e7216d9dad95c217cd09375066229da9
  SHA256: 2c23e348735e23bfa0c31760dadae7045a43fb5997e5b93e8bb155663e4652f9
  SHA512: e9640761edff7ae479fc922f8dfa141daebc69244870ae5ef322c839e1fb5a893cc6d5c5ccdd189c4f2a34227e636d9c53658f740a48ff88f0794a0919b080ef