Resubmissions
submitted          id                  score
14-03-2024 11:45   240314-nw4b5sbb5v   10
13-03-2024 15:01   240313-sdxtvsfh9x   10
13-03-2024 14:22   240313-rpjkyagg56   10
Analysis
max time kernel: 213s
max time network: 1804s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 13-03-2024 14:22
Static task: static1
Behavioral task: behavioral1
  Sample: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Resource: win10v2004-20240226-en
General
Target: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Size: 242KB
MD5: 8f44c565b6605afccbab295faaf420b8
SHA1: a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
SHA256: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
SHA512: cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206
SSDEEP: 3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId
Malware Config
Extracted: smokeloader
  Version: 2022
  C2:
    http://selebration17io.io/index.php
    http://vacantion18ffeu.cc/index.php
    http://valarioulinity1.net/index.php
    http://buriatiarutuhuob.net/index.php
    http://cassiosssionunu.me/index.php
    http://sulugilioiu19.net/index.php
    http://goodfooggooftool.net/index.php
Extracted: amadey
  Version: 4.17
  C2: http://185.215.113.32
  install_dir: 00c07260dc
  install_file: explorgu.exe
  strings_key: 461809bd97c251ba0c0c8450c7055f1d
  url_paths: /yandex/index.php
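The extracted configuration above is only useful once it is turned into something a proxy or DNS log can be checked against. The script below is an added example for this report (not sandbox output and not code from either malware family): it converts the SmokeLoader URL list and the Amadey host/url_paths pair into host-level and URL-level indicators and runs them over Squid-style proxy log lines that are constructed here for illustration. It assumes an Amadey beacon URL is the configured host followed by one of the url_paths; the report prints the two fields separately and does not show the combined URL.

```python
import re
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" section.
SMOKELOADER_C2 = [
    "http://selebration17io.io/index.php",
    "http://vacantion18ffeu.cc/index.php",
    "http://valarioulinity1.net/index.php",
    "http://buriatiarutuhuob.net/index.php",
    "http://cassiosssionunu.me/index.php",
    "http://sulugilioiu19.net/index.php",
    "http://goodfooggooftool.net/index.php",
]
AMADEY_HOST = "http://185.215.113.32"
AMADEY_URL_PATHS = ["/yandex/index.php"]


def _host_path(url):
    """Normalise a URL (or bare host:port) to (lowercase host, path)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # .hostname already lowercases
    return host, parts.path or "/"


def build_indicators():
    """Return {family: {"hosts": {host, ...}, "urls": {(host, path), ...}}}."""
    ind = {"smokeloader": {"hosts": set(), "urls": set()},
           "amadey": {"hosts": set(), "urls": set()}}
    for url in SMOKELOADER_C2:
        host, path = _host_path(url)
        ind["smokeloader"]["hosts"].add(host)
        ind["smokeloader"]["urls"].add((host, path))
    host, _ = _host_path(AMADEY_HOST)
    ind["amadey"]["hosts"].add(host)
    for path in AMADEY_URL_PATHS:
        # Assumption: beacon URL = host + url_path (not stated in the report).
        ind["amadey"]["urls"].add((host, path))
    return ind


# Squid native access.log: time elapsed client action/code bytes method url ...
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_request(line, indicators):
    """Return (family, match_kind, client) for a matching line, else None.

    An exact (host, path) match is reported before a host-only match, so a
    beacon to the configured C2 path is distinguishable from other traffic
    to the same host (for example a scanner fetching /favicon.ico).
    """
    m = SQUID_RE.match(line)
    if not m:
        return None
    host, path = _host_path(m.group("url"))
    for family, ind in indicators.items():
        if (host, path) in ind["urls"]:
            return family, "url", m.group("client")
    for family, ind in indicators.items():
        if host in ind["hosts"]:
            return family, "host", m.group("client")
    return None


def scan(lines, indicators):
    """Return [(line_number, (family, kind, client)), ...] for matching lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify_request(line, indicators)
        if hit:
            hits.append((n, hit))
    return hits


# Constructed proxy log lines for this example (not from the report); the
# client addresses and the resolved server IPs are made up.
CONSTRUCTED_LOG = [
    "1710332522.101 120 10.0.0.15 TCP_MISS/200 512 POST http://185.215.113.32/yandex/index.php - HIER_DIRECT/185.215.113.32 text/html",
    "1710332523.407 95 10.0.0.15 TCP_MISS/200 1377 GET http://selebration17io.io/index.php - HIER_DIRECT/203.0.113.10 text/html",
    "1710332524.010 80 10.0.0.15 TCP_MISS/404 318 GET http://GOODFOOGGOOFTOOL.net/favicon.ico - HIER_DIRECT/203.0.113.11 text/html",
    "1710332530.500 300 10.0.0.15 TCP_TUNNEL/200 4096 CONNECT discord.com:443 - HIER_DIRECT/162.159.128.233 -",
    "1710332531.222 40 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/index.php - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    for n, (family, kind, client) in scan(CONSTRUCTED_LOG, build_indicators()):
        print(f"line {n}: {client} -> {family} ({kind} match)")
```

The fourth constructed line deliberately goes unmatched: the report's eight discord.com flows are to a legitimate service, which is exactly why the "Legitimate hosting services abused" signature exists, and why a host blocklist built from the C2 config cannot cover that channel on its own.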
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  19E7.exe
Downloads MZ/PE file
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  19E7.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  19E7.exe
Deletes itself 1 IoCs
Processes:
pid  process
1368  (image name not captured in the report)
Executes dropped EXE 3 IoCs
Processes:
pid  process
2912  19E7.exe
1240  5A04.exe
1512  5A04.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine  19E7.exe
Loads dropped DLL 3 IoCs
Processes:
pid  process
2396  regsvr32.exe
1240  5A04.exe
1512  5A04.exe
YARA rule match: upx 36 IoCs
All 36 hits are the same region of one process: image range 0x0000000000400000-0x0000000000848000 of pid 1512 (the second 5A04.exe, whose thread context its parent set), captured in successive memory dumps.
Processes:
resource  yara_rule
behavioral1/memory/1512-N-0x0000000000400000-0x0000000000848000-memory.dmp  upx
  for N in: 65, 67, 68, 69, 70, 71, 72, 87, 96, 97, 98, 100, 105, 115, 119, 120, 122, 126, 127, 128, 129, 130, 132, 134, 135, 137, 138, 141, 143, 144, 145, 146, 148, 149, 150, 151
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\""  5A04.exe
The stored value is the quoted path C:\ProgramData\Drivers\csrss.exe. csrss.exe is the name of the Windows Client/Server Runtime process, which lives in C:\Windows\System32; a copy under ProgramData\Drivers started from a Run key is name masquerading, and that path plus the Run value name CSRSS are the host indicators to hunt for.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
flow  ioc
315  discord.com
339  discord.com
826  discord.com
1473  discord.com
1492  discord.com
2110  discord.com
2167  discord.com
2553  discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid  process
2912  19E7.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description  pid  process  target process
PID 1240 set thread context of 1512  1240  5A04.exe  5A04.exe
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File created  C:\Windows\Tasks\explorgu.job  19E7.exe
The .job name matches the Amadey install_file (explorgu.exe) in the extracted config above, so this is the scheduled-task persistence for that payload.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
1968  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe  (2 entries)
1368  (image name not captured in the report)  (62 entries)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
1968  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid  process
2912  19E7.exe
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
description  pid  process  target process  entries
PID 1368 wrote to memory of 2912  1368  (image name not captured)  19E7.exe  4
PID 1368 wrote to memory of 2380  1368  (image name not captured)  regsvr32.exe  5
PID 2380 wrote to memory of 2396  2380  regsvr32.exe  regsvr32.exe  7
PID 1368 wrote to memory of 1240  1368  (image name not captured)  5A04.exe  4
PID 1240 wrote to memory of 1512  1240  5A04.exe  5A04.exe  9
Pid 1368 is never named in the report, but it is the process that launches all three dropped payloads (19E7.exe, regsvr32.exe with 33AF.dll, 5A04.exe) and the one recorded under "Deletes itself". The 1240 to 1512 writes, together with the SetThreadContext call above, are the pattern of a parent hollowing a child copy of its own image.
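The signatures above are sandbox observations; on a fleet they have to be expressed as rules over endpoint telemetry. The script below is an added example for this report (not the sandbox's own rule set) that turns four of them into detection logic: several sandbox-fingerprint registry reads from one process, a Run value pointing a system-binary name outside a system directory, a .job dropped into C:\Windows\Tasks by a non-Windows process, and regsvr32 /s registering a DLL from the user's Temp folder. The event schema is a simplified one invented for the example (one dict per event; the field names "type", "pid", "image", "key", "value", "path", "command_line" are not Sysmon's or any product's), and the sample events are constructed to mirror the report's IoCs plus two benign decoys.

```python
import ntpath
from collections import defaultdict

# Registry locations the report shows being read. Each is read by plenty of
# legitimate software; the evasion pattern is one process reading several,
# so the rule applies a per-process threshold.
ANTI_SANDBOX_KEYS = (
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI",
    r"\Software\Wine",  # per-user key, matched as a suffix under any SID
)
REGISTRY_READ_TYPES = {"reg_key_open", "reg_value_query", "reg_key_enum"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# This example's own short list of Windows system processes that only
# legitimately live in SYSTEM_DIRS; csrss.exe is the one the report shows.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe"}


def _norm_path(p):
    return ntpath.normpath(p).lower()


def _is_anti_sandbox_key(key):
    k = key.lower()
    return any(k == a.lower() or k.endswith(a.lower()) for a in ANTI_SANDBOX_KEYS)


def _in_user_temp(text):
    return "\\appdata\\local\\temp\\" in text.lower()


def rule_anti_sandbox_probes(events, threshold=2):
    """Flag a pid that reads at least `threshold` distinct fingerprint keys."""
    keys_by_pid = defaultdict(set)
    for e in events:
        if e["type"] in REGISTRY_READ_TYPES and _is_anti_sandbox_key(e["key"]):
            keys_by_pid[e["pid"]].add(e["key"].lower())
    return [("anti_sandbox_registry_probes", pid)
            for pid, keys in keys_by_pid.items() if len(keys) >= threshold]


def rule_run_key_persistence(events):
    """Flag Run values naming a system binary outside a system dir, or set
    by a process that itself runs from the user's Temp folder."""
    hits = []
    for e in events:
        if e["type"] != "reg_value_set":
            continue
        if "\\microsoft\\windows\\currentversion\\run\\" not in e["key"].lower():
            continue
        target = _norm_path(e["value"].strip().strip('"'))
        if ntpath.basename(target) in SYSTEM_BINARIES and not target.startswith(SYSTEM_DIRS):
            hits.append(("run_key_system_binary_outside_system_dir", e["pid"]))
        elif _in_user_temp(e["image"]):
            hits.append(("run_key_set_from_user_temp", e["pid"]))
    return hits


def rule_tasks_job_drop(events):
    """Flag a .job created under C:\\Windows\\Tasks by a process outside C:\\Windows."""
    hits = []
    for e in events:
        if e["type"] != "file_create":
            continue
        path = _norm_path(e["path"])
        if (path.startswith("c:\\windows\\tasks\\") and path.endswith(".job")
                and not _norm_path(e["image"]).startswith("c:\\windows\\")):
            hits.append(("tasks_job_drop_from_user_process", e["pid"]))
    return hits


def rule_regsvr32_temp_dll(events):
    """Flag regsvr32 registering a DLL that sits under the user's Temp folder."""
    hits = []
    for e in events:
        if (e["type"] == "process_create"
                and ntpath.basename(_norm_path(e["image"])) == "regsvr32.exe"
                and ".dll" in e["command_line"].lower()
                and _in_user_temp(e["command_line"])):
            hits.append(("regsvr32_temp_dll", e["pid"]))
    return hits


RULES = (rule_anti_sandbox_probes, rule_run_key_persistence,
         rule_tasks_job_drop, rule_regsvr32_temp_dll)


def detect(events):
    """Run every rule; return sorted, de-duplicated (rule_name, pid) hits."""
    hits = set()
    for rule in RULES:
        hits.update(rule(events))
    return sorted(hits)


# Constructed events mirroring the report's IoCs (pids and paths as reported),
# plus two benign decoys (pids 4444 and 5555, made-up vendor software).
T19E7 = r"C:\Users\Admin\AppData\Local\Temp\19E7.exe"
CONSTRUCTED_EVENTS = [
    {"type": "reg_key_open", "pid": 2912, "image": T19E7,
     "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_value_query", "pid": 2912, "image": T19E7,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_value_query", "pid": 2912, "image": T19E7,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "reg_key_open", "pid": 2912, "image": T19E7,
     "key": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Wine"},
    {"type": "reg_value_query", "pid": 4444, "image": r"C:\Program Files\Vendor\inventory.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "file_create", "pid": 2912, "image": T19E7, "path": r"C:\Windows\Tasks\explorgu.job"},
    {"type": "reg_value_set", "pid": 1512, "image": r"C:\Users\Admin\AppData\Local\Temp\5A04.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS",
     "value": r'"C:\ProgramData\Drivers\csrss.exe"'},
    {"type": "process_create", "pid": 2380, "image": r"C:\Windows\system32\regsvr32.exe",
     "command_line": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33AF.dll"},
    {"type": "reg_value_set", "pid": 5555, "image": r"C:\Program Files\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r'"C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for rule_name, pid in detect(CONSTRUCTED_EVENTS):
        print(f"{rule_name}: pid {pid}")
```

The threshold in the first rule is the design point worth copying: a single SystemBiosVersion read (the inventory-tool decoy) is normal, while the four distinct fingerprint keys 19E7.exe touches in one run are not. The Run-key rule keys on the mismatch between a system-binary name and its location rather than on the specific path, so it still fires if the directory under ProgramData changes.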
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe"
    PID: 1968
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
[1] C:\Users\Admin\AppData\Local\Temp\19E7.exe
    command line: C:\Users\Admin\AppData\Local\Temp\19E7.exe
    PID: 2912
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
[1] C:\Windows\system32\regsvr32.exe
    command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\33AF.dll
    PID: 2380
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\regsvr32.exe
        command line: /s C:\Users\Admin\AppData\Local\Temp\33AF.dll
        PID: 2396
        - Loads dropped DLL
        (The 64-bit regsvr32 hands a 32-bit DLL off to its SysWOW64 copy; 33AF.dll is loaded in the child.)
[1] C:\Users\Admin\AppData\Local\Temp\5A04.exe
    command line: C:\Users\Admin\AppData\Local\Temp\5A04.exe
    PID: 1240
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\5A04.exe
        command line: C:\Users\Admin\AppData\Local\Temp\5A04.exe
        PID: 1512
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {2E10A672-633A-457C-BF89-4848673E2AF8} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    PID: 8376
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {54731948-2495-478E-8A36-2D4BF8A3FEC5} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    PID: 560
[1] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {83EE38D9-562F-4143-AA5F-E77AB01F984B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    PID: 6692
    [2] C:\Users\Admin\AppData\Roaming\bavjhdi
        command line: C:\Users\Admin\AppData\Roaming\bavjhdi
        PID: 10008
        (Started by the Task Scheduler engine: an extension-less file in the user's Roaming profile executed from a scheduled task.)
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.9MB
MD5: 17c50574d15e1fc63ccdf179be258f2e
SHA1: 21cd5e42afcdb08c88c8a61e3128de0f2b921454
SHA256: 939fbf5c49ffba49f42995508d5e4b616822ad48f210e8757640d1ae61683bf1
SHA512: bbb53626c1e04ea7ab576e076929ca1075052234193dba45b2d8ba9a760b49d705462874c9a7862069edca715db2c16cff1df1f600914c25beb6d806ac6bda66

Filesize: 2.8MB
MD5: b0fb18cfcac1983582e7fd67b2843ce8
SHA1: ca29cf7cee80be38c5d667d5e8c00e6ea11b3294
SHA256: 4132c2587cfe85b944d95835d8d0bf92a08a0f831ea26a45c826146048347f45
SHA512: 4d9e1b14ef1a8adc15d38846c0a4e1d762e76fd944c76621ef6ac3a8482d14e40cfd4d7a14853d7a99cca2a99aa438eba996e842f1172f5f9a8f34ba1d97daf9

Filesize: 2.6MB
MD5: ea7d507483dd87707fc524687c181e78
SHA1: 8870e039c8698a4a13b972845188e4b1c4637385
SHA256: 808f793cb4d1219368340aa252960464396d232f6fd96df18a21e861c6789eac
SHA512: 24f163d03a32266b5e617680314d823d3b4de1e39cfb6d4e17ad12df9ea910583e897b7b3d4206df609e66309c4b8bd7e9d1de12ac32b7252738d4660a2e0d8a

Filesize: 5.0MB
MD5: 002d810aafc35c42d1c8a5ae90b20136
SHA1: ffb6c2ac28c5edcb7addd9c5571b146904615f46
SHA256: dcaeb18c71992f0de183726a06f62b1b7459e804e1c23eb90123166adf570540
SHA512: 85d7a69c5b310305d3e0d0dc8b6db8e895f60b238c9f12e7b9e2d1f1bb842a8462cad2feee833cbe10e6acdf19642f839a647af3b2d2f9f2b101b3b9ab98485a

Filesize: 1.8MB
MD5: 996c2b1fb60f980ea6618aeefbe4cebf
SHA1: a8553f7f723132a1d35f7a57cae1a2e267cbc2ac
SHA256: f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50
SHA512: 4af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056

Filesize: 649KB
MD5: 3d1135c45a0346303d2b5c60ad5919df
SHA1: a15d63c00ed0f9f21adb6e51f7e96285f55b631d
SHA256: 5428ec43d613fb402461787c76882a9b80b3c7372a09736950a8e77ed77033f9
SHA512: 8289e84672e6b8fc32290438662e18eb0de9a8a538a04a1dd40495ecc4b4239991d2c3afca8b87e2c190f8a43cb9614f1696743e6487cdb1c250e7fd4cf19ea9

Filesize: 99KB
MD5: 8a085f861185db462b025a5fa12d042c
SHA1: cbc0103598f89d5b81b10ee9aa364bd6a32ccf9f
SHA256: d0bbf2708e817d0ccd3ec4cf69399bd6e01495eb9c7ea109e90c60b137c332d7
SHA512: 9deed11954ea84adf8756e5dd7d7f6ffacffef88ebb2bab3421a604e9176ef1d9a3e3f92bfebe130e0bb2110e636c8bce4a39cbf5952bfcf6e70a36eb24b0a09

Filesize: 192KB
MD5: dc33deb3195cb7dfa78a293170bc2eec
SHA1: c310aed97fb53f955358e9b6b00f77a7110008b3
SHA256: ed06d94b2866f3360386323d4d46c308415541a74131773a1a2b07d787693667
SHA512: 52d130cb08db41f46147b210b568de6aec0f183076211e82247547474b92a292d0b5c6354d314e03109d976042934840f7d5f6fffd953acda658c8be6da80f26

Filesize: 64KB
MD5: 20fc7dcc7e4bc1c5754e74683dd4dec7
SHA1: 61fc72c7bd31165c715b4475d607879729d3b583
SHA256: 98f4d9e1d95a8f409c21c6344c44e6df8a88a273597c5786b450c28f8ee17574
SHA512: e8c9e6025a619548f6bea1f7bfd95fb81245b1b998cf63e7d12c32c1369d2978cf35b374d4718d96277b4f6c520d259690fc7717079a27715c38329c5b0cbfae

Filesize: 1.3MB
MD5: de5192ccdf29ecae62e09ca46a1731ef
SHA1: 74e982bcb6f5750d1ec72268b8943c6c474de072
SHA256: 07063dc7208d321f7893c7ad458da65eb216ad4613259899d4829519c8e7013f
SHA512: 99312e564408b3a462d1a250d6dc337b48bcef04765ee6b7b4cea1dd03cd1c950019340524b85e43e84d4f2d40268db7293676d0558ab2d6628a61e632a3470e

Filesize: 748KB
MD5: 68b43aa5e94755e9b152974616004a58
SHA1: b200a6761b7c399520ba1e0be16362442a935594
SHA256: 6dc7792c4fd4bfae1941a60bf6264e03c87e298c2e983f7be46feb3465318fe2
SHA512: 43b4a6cb1cc3ba46d6a36e647f4ca687db89a079dcd638adc9a176f52b90b8d2a589774158938c03659cfb5562193e7b2a2d26330d809081d07465ffd5b15cae