Resubmissions
09-04-2024 12:36  240409-psyg6afa72  score 10
09-04-2024 12:36  240409-psxwmaad2s  score 10
09-04-2024 12:36  240409-psw94afa69  score 10
09-04-2024 12:36  240409-pswnkaac9z  score 10
29-02-2024 04:55  240229-fkfspsdh3x  score 10
Analysis
max time kernel: 1801s
max time network: 1570s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 09-04-2024 12:36
Static task: static1
Behavioral task: behavioral1  Sample: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe  Resource: win7-20240221-en
Behavioral task: behavioral2  Sample: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe  Resource: win10-20240404-en
Behavioral task: behavioral3  Sample: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe  Resource: win10v2004-20240226-en
Behavioral task: behavioral4  Sample: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe  Resource: win11-20240221-en
General
Target: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
Size: 162KB
MD5: 5cddaacf9782c030db128e3ebfd8f301
SHA1: 71bae291b66ecfad6ee79ab150c9b4bdc676f06c
SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
SHA512: bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797
SSDEEP: 3072:pR3aImWaDnBilDV8X+Ld1VVuLtKsQfk1RoGJS4dNVEv:pIbWaDBilDVNLdJBsQfk77X
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2:
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
PID 1292 (image name not recorded in the report)
-
Executes dropped EXE (3 IoCs)
PID 1744 vaeujfv
PID 3060 vaeujfv
PID 928 vaeujfv
-
Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe: opened 1, queried 1, enumerated 1
vaeujfv: opened 3, queried 3, enumerated 3
-
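The subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are device instance IDs that embed each disk's vendor and product string, and on a stock VM those strings read VMware, VBOX, QEMU and the like, which is why both the original sample and every copy of the dropped file open, query and enumerate that key. The script below is an added example, not code from the sample, from Triage or from the report: it reads those instance IDs with winreg on Windows (or a constructed list elsewhere) and reports which ones carry a hypervisor marker, the same check a sandbox operator runs to see whether an image leaks. The marker list is an assumption taken from public anti-VM checks; the exact strings this sample compares against are not in the report.

```python
"""Scan SCSI device instance IDs for hypervisor vendor/product markers.

Added example, not code from the sample or from the sandbox. The marker
list is an assumption taken from public anti-VM checks; the strings the
sample itself matches are not in the report.
"""
import sys

# Same key the sample opened, queried and enumerated (HKLM hive).
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Assumed markers: common hypervisor vendor/product strings. "VIRTUAL" also
# catches Hyper-V's "Msft Virtual Disk"; "XEN" is a short substring and can
# false-positive, so review hits rather than acting on them blindly.
VM_MARKERS = ("VMWARE", "VBOX", "QEMU", "VIRTUAL", "XEN")

# Constructed sample of subkey names in the shape they take under Enum\SCSI
# (<Class>&Ven_<vendor>&Prod_<product>). Five are VM devices, two physical.
SAMPLE_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_VBOX&Prod_HARDDISK",
    "Disk&Ven_QEMU&Prod_QEMU_HARDDISK",
    "Disk&Ven_Msft&Prod_Virtual_Disk",
    "Disk&Ven_SAMSUNG&Prod_SSD_870_EVO",
    "Disk&Ven_WDC&Prod_WD10EZEX-08WN4A0",
]


def read_scsi_instance_ids():
    """Enumerate the subkey names under HKLM\\SYSTEM\\...\\Enum\\SCSI (Windows only)."""
    import winreg  # stdlib, but only present on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # EnumKey raises once the index runs past the last subkey
                break
            index += 1
    return ids


def find_vm_markers(instance_ids):
    """Map each instance ID that carries a hypervisor marker to the markers found.

    Underscores are treated as spaces so 'Virtual_disk' and 'Virtual Disk'
    compare the same way; matching is case-insensitive.
    """
    hits = {}
    for dev in instance_ids:
        haystack = dev.upper().replace("_", " ")
        found = [m for m in VM_MARKERS if m in haystack]
        if found:
            hits[dev] = found
    return hits


def looks_like_vm(instance_ids):
    """True if any SCSI device advertises a hypervisor vendor or product."""
    return bool(find_vm_markers(instance_ids))


if __name__ == "__main__":
    ids = read_scsi_instance_ids() if sys.platform == "win32" else SAMPLE_IDS
    for dev, markers in find_vm_markers(ids).items():
        print(f"{dev}: {', '.join(markers)}")
    print("verdict:", "VM markers present" if looks_like_vm(ids) else "no VM markers")
```

If a sandbox image lights this up, fix it on the hypervisor side by changing the emulated device's vendor and product identity; editing the subkey names inside the guest is fragile because Plug and Play repopulates Enum\SCSI from the device on enumeration.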
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID 896 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe (2 events)
PID 1292 (remaining 62 events)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID 1292
-
Suspicious behavior: MapViewOfSection (4 IoCs)
PID 896 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
PID 1744 vaeujfv
PID 3060 vaeujfv
PID 928 vaeujfv
-
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Token: SeShutdownPrivilege, PID 1292 (6 events)
-
Suspicious use of WriteProcessMemory (12 IoCs)
PID 2216 taskeng.exe wrote to memory of PID 1744 (4 events, procid_target 31)
PID 568 taskeng.exe wrote to memory of PID 3060 (4 events, procid_target 33)
PID 2056 taskeng.exe wrote to memory of PID 928 (4 events, procid_target 35)
Processes
-
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
  PID: 896
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {430EA39B-1B8C-472E-A778-246BB16156F0} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
  PID: 2216
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vaeujfv (child of PID 2216)
      command line: C:\Users\Admin\AppData\Roaming\vaeujfv
      PID: 1744
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {769D8620-F4CB-4BDC-9C5C-9AE7DCB3772F} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
  PID: 568
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vaeujfv (child of PID 568)
      command line: C:\Users\Admin\AppData\Roaming\vaeujfv
      PID: 3060
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {D6B21841-797F-4EC7-B8F2-5B96A300C494} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]
  PID: 2056
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\vaeujfv (child of PID 2056)
      command line: C:\Users\Admin\AppData\Roaming\vaeujfv
      PID: 928
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
-
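Each taskeng.exe parent above is the Windows 7 scheduled-task host running one task action, and in every case the action is the extensionless dropped file under AppData\Roaming, which is the persistence behind the "Executes dropped EXE" hits. The parent-to-child WriteProcessMemory events are what process creation looks like from the scheduler host, so the detection signal is the child image, not the writes. The following is an added example, not part of the report or the sample: a hunt over process-creation events modelled on Sysmon Event ID 1 field names, with the records constructed from this report's process tree plus two constructed benign controls. It flags scheduler-launched binaries under AppData\Roaming, high severity when the file has no extension, and also recognises the Windows 10+ host (svchost.exe -s Schedule), which is an assumption beyond this Windows 7 run.

```python
"""Hunt for scheduler-launched payloads under AppData\\Roaming.

Added example, not from the report or the sample. Events use Sysmon
Event ID 1 field names; the records below are constructed from this
report's process tree plus two benign controls that are also constructed.
"""
import ntpath
import re

# Windows 7 runs task actions from taskeng.exe; on Windows 10+ the host is
# "svchost.exe -k netsvcs -p -s Schedule" (assumed, not shown in this report).
SCHEDULER_IMAGES = {"taskeng.exe"}
SCHEDULE_SERVICE_RE = re.compile(r"-s\s+Schedule\b", re.IGNORECASE)

TASKENG = r"C:\Windows\system32\taskeng.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
SVCHOST_SCHED = "svchost.exe -k netsvcs -p -s Schedule"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\vaeujfv"

EVENTS = [
    # From the report: three scheduled-task launches of the dropped file.
    {"ProcessId": 1744, "ParentProcessId": 2216, "Image": PAYLOAD, "ParentImage": TASKENG},
    {"ProcessId": 3060, "ParentProcessId": 568, "Image": PAYLOAD, "ParentImage": TASKENG},
    {"ProcessId": 928, "ParentProcessId": 2056, "Image": PAYLOAD, "ParentImage": TASKENG},
    # Constructed benign controls (hypothetical paths and PIDs).
    {"ProcessId": 4100, "ParentProcessId": 1200, "ParentImage": SVCHOST,
     "ParentCommandLine": SVCHOST_SCHED,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"ProcessId": 4200, "ParentProcessId": 1200, "ParentImage": SVCHOST,
     "ParentCommandLine": SVCHOST_SCHED,
     "Image": r"C:\Users\Admin\AppData\Roaming\Vendor\Updater.exe"},
]


def is_scheduler_host(parent_image, parent_cmdline=""):
    """True if the parent is the task scheduler's action host."""
    name = ntpath.basename(parent_image).lower()
    if name in SCHEDULER_IMAGES:
        return True
    return name == "svchost.exe" and bool(SCHEDULE_SERVICE_RE.search(parent_cmdline))


def classify(event):
    """Return (severity, reason) for a suspicious event, else None."""
    if not is_scheduler_host(event["ParentImage"], event.get("ParentCommandLine", "")):
        return None
    image = event["Image"]
    if "\\appdata\\roaming\\" not in image.lower():
        return None
    base = ntpath.basename(image)
    if "." not in base:
        return ("high", "scheduled task runs an extensionless file from AppData\\Roaming")
    if base.lower().endswith(".exe"):
        return ("medium", "scheduled task runs an executable from AppData\\Roaming")
    return None


def hunt(events):
    """Return [(pid, image, severity, reason)] for every event that matches."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict:
            hits.append((event["ProcessId"], event["Image"]) + verdict)
    return hits


if __name__ == "__main__":
    for pid, image, severity, reason in hunt(EVENTS):
        print(f"[{severity}] pid {pid} {image}: {reason}")
```

The medium tier exists because updaters that live under AppData\Roaming and run from a scheduled task are common; triage those on publisher signature and task creation time rather than alerting outright, while the extensionless case has no legitimate counterpart worth whitelisting.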
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 162KB
MD5: 5cddaacf9782c030db128e3ebfd8f301
SHA1: 71bae291b66ecfad6ee79ab150c9b4bdc676f06c
SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
SHA512: bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797