Analysis
max time kernel: 210s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-03-2024 12:29
Static task: static1
Behavioral task: behavioral1
  Sample: 7b60671c.exe
  Resource: win7-20240319-en
Behavioral task: behavioral2
  Sample: 7b60671c.exe
  Resource: win10v2004-20240226-en
General
Target: 7b60671c.exe
Size: 313KB
MD5: 849a173f9eeb87cb0675298e884e3e19
SHA1: 059d4c20611f181f6d201898a21b74bbf2cd33f0
SHA256: b7ba148ee92911133697415435ef33d98829b0311a641e479b37e8a0468bad6c
SHA512: ac60c500a7a75697db92ee6f9dc62c278ebc76e53608b424d0aa7b4eff79a4cd19f8dfa867654c79bd8f1c290704926be055bd3713a1e70ac213c3afc6140809
SSDEEP: 3072:VLEfWCd21xkD+ywZXh2DZotrdHvyLJW/G5pwqgJdkNNlDH3oBlMT6a:VI3MzkDQLtZ8+G5pTgP80BCT
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes:
  pid   process
  3356

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7b60671c.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7b60671c.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7b60671c.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid   process
  2756  7b60671c.exe
  2756  7b60671c.exe
  3356  (this row is repeated for each of the remaining IoCs)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3356

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid   process
  2756  7b60671c.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        3356
  Token: SeCreatePagefilePrivilege  3356

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid   process
  3356

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.