Analysis
  max time kernel: 151s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240226-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 09-03-2024 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: bbf158c96e0fba33331ee1a827d68a4e.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bbf158c96e0fba33331ee1a827d68a4e.exe
  Resource: win10v2004-20240226-en
General
  Target: bbf158c96e0fba33331ee1a827d68a4e.exe
  Size: 273KB
  MD5: bbf158c96e0fba33331ee1a827d68a4e
  SHA1: 0d8d668ac0e69415ca76056d76b7a040037732f5
  SHA256: 6e5318326145c9caf6e20fa4c1861de5e6e137caaf4d61f3f8c4cea0fedd99ef
  SHA512: 08fef333a54a717cb4607ec89b499603ea90516202e1ec431e88d8dc765586961a9723dfc775878de79fa4a4d03acb8f17ebefe89d8831d3449c9c56f60dd440
  SSDEEP: 6144:anwT4fDmc3j3zM21LuxjZhY9KJKu7hRJRDNgV9AZVfU9T:RTaDmajM89cp9TRD6vN
Malware Config
  Extracted: smokeloader, pub1
  Extracted: smokeloader, 2020
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Deletes itself (1 IoC)
    pid   Process
    3412  Process not Found
  Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    description     ioc                                               Process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  bbf158c96e0fba33331ee1a827d68a4e.exe
  Modifies registry class (2 IoCs)
    description  ioc                                                                                                                      Process
    Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\                                Process not Found
    Key created  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  Process not Found
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid   Process
    2212  bbf158c96e0fba33331ee1a827d68a4e.exe  (2 entries)
    3412  Process not Found  (62 identical entries)
  Suspicious behavior: MapViewOfSection (1 IoC)
    pid   Process
    2212  bbf158c96e0fba33331ee1a827d68a4e.exe
  Suspicious use of AdjustPrivilegeToken (16 IoCs)
    description                       pid   Process
    Token: SeShutdownPrivilege        3412  Process not Found  (8 entries)
    Token: SeCreatePagefilePrivilege  3412  Process not Found  (8 entries)
  Suspicious use of FindShellTrayWindow (2 IoCs)
    pid   Process
    3412  Process not Found  (2 identical entries)
  Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.