Analysis
- max time kernel: 153s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-04-2024 21:18
Static task: static1
Behavioral task: behavioral1
  Sample: 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
  Resource: win10v2004-20240226-en
General
- Target: 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
- Size: 188KB
- MD5: af3b9efe0035c9d1c99108fac6de59c3
- SHA1: 0d361de127c6968bcaad50968669a4bbf664b836
- SHA256: 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77
- SHA512: 3d376f11035ea55cff7f620adcaf06d49886f0f20d2d03c05a8f9481f94dd8c34003b7f0447971aa030d022f2064ca372050fa54cbed07fed0c4206f03209640
- SSDEEP: 3072:tKIvqnajYLLYnJFi8kVHx6L1f8A/+GYx4i:thqnajYLLEnKV8L1f//+0
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 1208 (process name not recorded)
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2640  sfssdvs
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sfssdvs
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sfssdvs
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sfssdvs
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 1708  71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe (2 entries)
    pid 1208  process name not recorded (the remaining 62 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid 1708  71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
    pid 2640  sfssdvs
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 1208 (2 entries, process name not recorded)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid 1208 (2 entries, process name not recorded)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                   pid   process      target process
    PID 2856 wrote to memory of 2640  2856  taskeng.exe  sfssdvs  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77.exe"
  PID: 1708
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5A61906E-F9B9-450A-B62E-7AC5072697CB} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
  PID: 2856
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\sfssdvs (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\sfssdvs
    PID: 2640
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\sfssdvs
  Filesize: 188KB
  MD5: af3b9efe0035c9d1c99108fac6de59c3
  SHA1: 0d361de127c6968bcaad50968669a4bbf664b836
  SHA256: 71f94399540f511fd483d9094337c5a5d942d8da8a8a79b061e54875fbd6ec77
  SHA512: 3d376f11035ea55cff7f620adcaf06d49886f0f20d2d03c05a8f9481f94dd8c34003b7f0447971aa030d022f2064ca372050fa54cbed07fed0c4206f03209640
- memory/1208-4-0x00000000029B0000-0x00000000029C6000-memory.dmp
  Filesize: 88KB
- memory/1208-17-0x0000000002C20000-0x0000000002C36000-memory.dmp
  Filesize: 88KB
- memory/1708-1-0x0000000002CB0000-0x0000000002DB0000-memory.dmp
  Filesize: 1024KB
- memory/1708-2-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB
- memory/1708-3-0x0000000000400000-0x0000000002B58000-memory.dmp
  Filesize: 39.3MB
- memory/1708-5-0x0000000000400000-0x0000000002B58000-memory.dmp
  Filesize: 39.3MB
- memory/1708-8-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB
- memory/2640-15-0x0000000000230000-0x0000000000330000-memory.dmp
  Filesize: 1024KB
- memory/2640-16-0x0000000000400000-0x0000000002B58000-memory.dmp
  Filesize: 39.3MB
- memory/2640-18-0x0000000000400000-0x0000000002B58000-memory.dmp
  Filesize: 39.3MB