Resubmissions
- 14-03-2024 11:45  240314-nw4b5sbb5v  10
- 13-03-2024 15:01  240313-sdxtvsfh9x  10
- 13-03-2024 14:22  240313-rpjkyagg56  10

Analysis
- max time kernel: 1802s
- max time network: 1558s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-03-2024 15:01
Static task: static1

Behavioral task: behavioral1
- Sample: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
- Resource: win10v2004-20240226-en
General
- Target: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
- Size: 242KB
- MD5: 8f44c565b6605afccbab295faaf420b8
- SHA1: a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
- SHA256: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
- SHA512: cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206
- SSDEEP: 3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2:
  - http://selebration17io.io/index.php
  - http://vacantion18ffeu.cc/index.php
  - http://valarioulinity1.net/index.php
  - http://buriatiarutuhuob.net/index.php
  - http://cassiosssionunu.me/index.php
  - http://sulugilioiu19.net/index.php
  - http://goodfooggooftool.net/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  pid 1360
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  2416  cijrtjd
  1040  cijrtjd
  680   cijrtjd
- Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description     ioc                                              process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cijrtjd
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid   process
  1852  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe (2 entries)
  1360  (62 entries, process name not recorded)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes:
  pid   process
  1852  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  2416  cijrtjd
  1040  cijrtjd
  680   cijrtjd
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description                 pid
  Token: SeShutdownPrivilege  1360 (6 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process      target process
  PID 2412 wrote to memory of 2416  2412  taskeng.exe  cijrtjd (4 entries)
  PID 1916 wrote to memory of 1040  1916  taskeng.exe  cijrtjd (4 entries)
  PID 2556 wrote to memory of 680   2556  taskeng.exe  cijrtjd (4 entries)
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1852
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {E15940E4-1739-4BF2-9218-86FAA28CD283} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2412
  - C:\Users\Admin\AppData\Roaming\cijrtjd (child)
    Command line: C:\Users\Admin\AppData\Roaming\cijrtjd
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 2416
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D5CE462C-02E7-424B-BA67-50D3A8BADB35} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1916
  - C:\Users\Admin\AppData\Roaming\cijrtjd (child)
    Command line: C:\Users\Admin\AppData\Roaming\cijrtjd
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 1040
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {30CB8A3C-80BD-415E-8184-052BCB82C5B7} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2556
  - C:\Users\Admin\AppData\Roaming\cijrtjd (child)
    Command line: C:\Users\Admin\AppData\Roaming\cijrtjd
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 242KB
- MD5: 8f44c565b6605afccbab295faaf420b8
- SHA1: a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
- SHA256: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
- SHA512: cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206