Analysis
max time kernel: 150s
max time network: 119s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 08-04-2024 02:28
Static task: static1
Behavioral task: behavioral1
  Sample: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Resource: win10v2004-20240226-en
General
Target: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
Size: 234KB
MD5: ebe71b5ba13ea1a61f3473ef01036eb4
SHA1: 29a8e68384ecf60935a61b32b311002a620a85eb
SHA256: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473
SHA512: f4c7d5b3ee3d4d1e27ef85b58b877f0d033f31881e96cddab7fe845d487a2b1d575f6bb61caada912b8e2b0b17249eafa0cefabeaa1440805a85e76227112746
SSDEEP: 3072:+lzupUvMF2X7BHv1uhtw+LZiXhMFM4aNejxBykNwc45uhGg3eo0jCSETu:nWEF+7Bt/Akf44ePykuci+GDBjCSET
Malware Config
Extracted: smokeloader
  pub3
Extracted: smokeloader
  2022
  http://nidoe.org/tmp/index.php
  http://sodez.ru/tmp/index.php
  http://uama.com.ua/tmp/index.php
  http://talesofpirates.net/tmp/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  Processes:
  pid     process
  1064    (not recorded)
Executes dropped EXE (1 IoC)
  Processes: jcwchtg
  pid     process
  1360    jcwchtg
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe, jcwchtg
  description      ioc                                                process
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   jcwchtg
  Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   jcwchtg
  Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   jcwchtg
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  pid     process
  2924    363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  2924    363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  1064    (62 entries, process name not recorded)
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe, jcwchtg
  pid     process
  2924    363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  1360    jcwchtg
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: taskeng.exe
  description                        pid   process       target process
  PID 800 wrote to memory of 1360    800   taskeng.exe   jcwchtg
  PID 800 wrote to memory of 1360    800   taskeng.exe   jcwchtg
  PID 800 wrote to memory of 1360    800   taskeng.exe   jcwchtg
  PID 800 wrote to memory of 1360    800   taskeng.exe   jcwchtg
Processes
C:\Users\Admin\AppData\Local\Temp\363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2924
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {9F7C2C46-E478-4D64-8E86-80CA0E39B80A} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 800
  C:\Users\Admin\AppData\Roaming\jcwchtg
    Command line: C:\Users\Admin\AppData\Roaming\jcwchtg
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 1360
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\jcwchtg
  Filesize: 234KB
  MD5: ebe71b5ba13ea1a61f3473ef01036eb4
  SHA1: 29a8e68384ecf60935a61b32b311002a620a85eb
  SHA256: 363c8a59e1aa5db76fbea9790e8a5d6aea34c91c31058f27b1d74cd61176d473
  SHA512: f4c7d5b3ee3d4d1e27ef85b58b877f0d033f31881e96cddab7fe845d487a2b1d575f6bb61caada912b8e2b0b17249eafa0cefabeaa1440805a85e76227112746
memory/1064-4-0x0000000002AD0000-0x0000000002AE6000-memory.dmp
  Filesize: 88KB
memory/1064-16-0x0000000002970000-0x0000000002986000-memory.dmp
  Filesize: 88KB
memory/1360-14-0x00000000009C0000-0x0000000000AC0000-memory.dmp
  Filesize: 1024KB
memory/1360-15-0x0000000000400000-0x0000000000857000-memory.dmp
  Filesize: 4.3MB
memory/1360-17-0x0000000000400000-0x0000000000857000-memory.dmp
  Filesize: 4.3MB
memory/2924-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp
  Filesize: 1024KB
memory/2924-2-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB
memory/2924-3-0x0000000000400000-0x0000000000857000-memory.dmp
  Filesize: 4.3MB
memory/2924-5-0x0000000000400000-0x0000000000857000-memory.dmp
  Filesize: 4.3MB