Analysis
max time kernel: 150s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 07:20
Static task: static1
Behavioral task: behavioral1
  Sample: fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
  Resource: win10v2004-20231215-en
General
Target: fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
Size: 268KB
MD5: 0246c2089c513dd176ac575774839ace
SHA1: 28e5beccd02777662bcca7d833abef9b42bd80b9
SHA256: fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52
SHA512: c973508dac2e5ecd2cd7ae1c7c54a83d9f0b5f5667b497206e03b96eea102a32bfd19f828265e842d47c595e7dfe2e5c1c285bb6a385c5fd551b2a7c8c88d338
SSDEEP: 3072:r9UvDqVxAN56xdtdaYP4Mush+zEfiXhBtui6as0ttsRc8EhEnRr4nby6dH/Pxn2F:wa8Y5u4AE6LZvsRycUVfPx2nT
Malware Config
Extracted: smokeloader
  pub3
Extracted: smokeloader
  2022
  http://nidoe.org/tmp/index.php
  http://sodez.ru/tmp/index.php
  http://uama.com.ua/tmp/index.php
  http://talesofpirates.net/tmp/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  Processes (pid / process):
    3344
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    3420  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
    3420  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
    3344  (no process name recorded; this pid repeats for all remaining IoCs)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    3420  fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fa248af9181fe1164f9eb2e88b45861e347dbb6ca60ff8a2fd40b3e7bb1a4b52.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3420
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/3344-4-0x0000000003130000-0x0000000003146000-memory.dmp (Filesize: 88KB)
memory/3420-1-0x0000000000950000-0x0000000000A50000-memory.dmp (Filesize: 1024KB)
memory/3420-2-0x0000000000930000-0x000000000093B000-memory.dmp (Filesize: 44KB)
memory/3420-3-0x0000000000400000-0x0000000000860000-memory.dmp (Filesize: 4.4MB)
memory/3420-5-0x0000000000400000-0x0000000000860000-memory.dmp (Filesize: 4.4MB)