Analysis
- max time kernel: 300s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-04-2024 22:28
Static task: static1
Behavioral task: behavioral1
- Sample: 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
- Resource: win10-20240404-en
General
- Target: 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
- Size: 202KB
- MD5: 35940f30f5229a28b42a3efaa5f83d90
- SHA1: 697f728f31f8ce13423943d02220ad55eb9bd0b8
- SHA256: 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583
- SHA512: 3c0539b0eb720aab2b76ccc809a3b7704f8ea31d8055c50097e754cfe8da3c8d0cbd93dbe2bf86d41b2750b45b99294bc411db96d43613e9c8c92910c4d1b20a
- SSDEEP: 3072:TLYL43gLfqebEDabbOe6Bz8X4LOKaMDV81Zxg8csVoKYE9WJ:TLd3gLfqebBbbsBIIJZVSDPcs
Malware Config
Extracted (smokeloader): pub3
Extracted (smokeloader): 2022
- http://nidoe.org/tmp/index.php
- http://sodez.ru/tmp/index.php
- http://uama.com.ua/tmp/index.php
- http://talesofpirates.net/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 1256
- Executes dropped EXE (1 IoC)
  Processes: pid 2740 (wcfajcr)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcfajcr
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcfajcr
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wcfajcr
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2304 (31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe, 2 IoCs); pid 1256 (all remaining IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: pid 2304 (31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe); pid 2740 (wcfajcr)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeShutdownPrivilege, pid 1256
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: pid 1256 (2 IoCs)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: pid 1256 (2 IoCs)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: PID 1684 (taskeng.exe) wrote to memory of PID 2740 (wcfajcr), 4 IoCs
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2304
- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {51AFEA77-01DF-43F1-891D-1D94CB84EC79} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 1684
  - [2] C:\Users\Admin\AppData\Roaming\wcfajcr
    Command line: C:\Users\Admin\AppData\Roaming\wcfajcr
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 2740
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\wcfajcr
  Filesize: 202KB
  MD5: 35940f30f5229a28b42a3efaa5f83d90
  SHA1: 697f728f31f8ce13423943d02220ad55eb9bd0b8
  SHA256: 31e86d8e159e1a1b8be40d3317d6199ef7e44aaec1fa5b83f8c24d30b1d22583
  SHA512: 3c0539b0eb720aab2b76ccc809a3b7704f8ea31d8055c50097e754cfe8da3c8d0cbd93dbe2bf86d41b2750b45b99294bc411db96d43613e9c8c92910c4d1b20a
- memory/1256-4-0x0000000002CE0000-0x0000000002CF6000-memory.dmp (Filesize: 88KB)
- memory/1256-16-0x0000000002EE0000-0x0000000002EF6000-memory.dmp (Filesize: 88KB)
- memory/2304-2-0x0000000000220000-0x000000000022B000-memory.dmp (Filesize: 44KB)
- memory/2304-1-0x0000000000610000-0x0000000000710000-memory.dmp (Filesize: 1024KB)
- memory/2304-3-0x0000000000400000-0x0000000000536000-memory.dmp (Filesize: 1.2MB)
- memory/2304-5-0x0000000000400000-0x0000000000536000-memory.dmp (Filesize: 1.2MB)
- memory/2740-15-0x0000000000400000-0x0000000000536000-memory.dmp (Filesize: 1.2MB)
- memory/2740-14-0x0000000000620000-0x0000000000720000-memory.dmp (Filesize: 1024KB)
- memory/2740-19-0x0000000000400000-0x0000000000536000-memory.dmp (Filesize: 1.2MB)