Resubmissions
  submitted          id                 score
  14-03-2024 11:45   240314-nw4b5sbb5v  10
  13-03-2024 15:01   240313-sdxtvsfh9x  10
  13-03-2024 14:22   240313-rpjkyagg56  10
Analysis
  max time kernel:  1800s
  max time network: 1572s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        13-03-2024 15:01
Static task: static1
Behavioral task: behavioral1
  Sample:   c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample:   c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Resource: win10v2004-20240226-en
General
  Target: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Size:   242KB
  MD5:    8f44c565b6605afccbab295faaf420b8
  SHA1:   a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
  SHA256: c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
  SHA512: cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206
  SSDEEP: 3072:sY1hNzde2qx1Y7CzY8hv2BXhssNPhslWeQYmbd/5NOVAAC:11Twx2uzYvVhsspSlWbYId
Malware Config
Extracted
  Family:  smokeloader
  Version: 2022
  C2:
    http://selebration17io.io/index.php
    http://vacantion18ffeu.cc/index.php
    http://valarioulinity1.net/index.php
    http://buriatiarutuhuob.net/index.php
    http://cassiosssionunu.me/index.php
    http://sulugilioiu19.net/index.php
    http://goodfooggooftool.net/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes:
  pid   process
  3424

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3720  arwdhsh
  2164  arwdhsh
  876   arwdhsh

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  arwdhsh

Modifies registry class (2 IoCs)
Processes:
  description  ioc                                                                                                                         process
  Key created  \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2404  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  2404  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  3424  (the remaining 62 entries all carry pid 3424 with no process name recorded)

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
  pid   process
  2404  c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  3720  arwdhsh
  2164  arwdhsh
  876   arwdhsh

Suspicious use of AdjustPrivilegeToken (16 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424
  Token: SeShutdownPrivilege        3424
  Token: SeCreatePagefilePrivilege  3424

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid   process
  3424

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2404

C:\Users\Admin\AppData\Roaming\arwdhsh
  Command line: C:\Users\Admin\AppData\Roaming\arwdhsh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 3720

C:\Users\Admin\AppData\Roaming\arwdhsh
  Command line: C:\Users\Admin\AppData\Roaming\arwdhsh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 2164

C:\Users\Admin\AppData\Roaming\arwdhsh
  Command line: C:\Users\Admin\AppData\Roaming\arwdhsh
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 876
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 242KB
  MD5:      8f44c565b6605afccbab295faaf420b8
  SHA1:     a9fc5e1ca19b7034f846b12ee2e5890d8c64f3b3
  SHA256:   c88933a3bcc4494def9d0feb4568c4e865d6b333ace006256816166d34104ea0
  SHA512:   cdbf40c2def3a3dc45ac006f99ebff60d936eff53d2b16236f0424285a1749e847ee1180daa0e9e256bd86e44e76cdbc2b83d5afd1e8db1edb699d0b95900206