Analysis
- max time kernel: 300s
- max time network: 131s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 11-04-2024 22:28
Static task
- static1
Behavioral task
- behavioral1
  Sample: 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
  Resource: win10-20240404-en
General
- Target: 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
- Size: 281KB
- MD5: fd385f55d814e14ee5a47b21479b3611
- SHA1: 22420004b06d236f1598f8c01775d9d0d0b5bf98
- SHA256: 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa
- SHA512: 3986c8fb73edee8cdd628f5927f91b31754cc577a76fc125d9e174f0b68ddf88c873c7e5fbcd8b2bf0e7f815d4da89a15b644cb1948329dafc02419b36c9d430
- SSDEEP: 3072:/DbcvhZNvsVC80q+C+KU9iOJR86TL5eWMIxxe/b2oO:/cvBvsVlAAU9iODnTVfdxe/
Malware Config
Extracted
- family: smokeloader
- pub3
Extracted
- family: smokeloader
- 2022
- C2 URLs:
  http://nidoe.org/tmp/index.php
  http://sodez.ru/tmp/index.php
  http://uama.com.ua/tmp/index.php
  http://talesofpirates.net/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 1240
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1944, process gudawvh
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gudawvh
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gudawvh
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  gudawvh
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 2332, process 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe (2 IoCs)
    pid 1240, process name not recorded (repeated for the remaining IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid 2332, process 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
    pid 1944, process gudawvh
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeShutdownPrivilege, pid 1240
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process      target process
    PID 2344 wrote to memory of 1944  2344  taskeng.exe  gudawvh
    (the same entry is recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {8BE63D86-5987-46B7-BE3A-5745CBD92AD3} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\gudawvh (child process)
    Command line: C:\Users\Admin\AppData\Roaming\gudawvh
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\gudawvh
  Filesize: 281KB
  MD5: fd385f55d814e14ee5a47b21479b3611
  SHA1: 22420004b06d236f1598f8c01775d9d0d0b5bf98
  SHA256: 6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa
  SHA512: 3986c8fb73edee8cdd628f5927f91b31754cc577a76fc125d9e174f0b68ddf88c873c7e5fbcd8b2bf0e7f815d4da89a15b644cb1948329dafc02419b36c9d430
  (same size and hashes as the submitted sample, i.e. the dropped file is a copy of it)
- Memory dumps:
  dump                                                            filesize
  memory/1240-4-0x0000000002950000-0x0000000002966000-memory.dmp   88KB
  memory/1240-16-0x0000000003710000-0x0000000003726000-memory.dmp  88KB
  memory/1944-14-0x0000000000270000-0x0000000000370000-memory.dmp  1024KB
  memory/1944-15-0x0000000000400000-0x0000000000455000-memory.dmp  340KB
  memory/1944-19-0x0000000000400000-0x0000000000455000-memory.dmp  340KB
  memory/2332-1-0x00000000004F0000-0x00000000005F0000-memory.dmp   1024KB
  memory/2332-3-0x0000000000400000-0x0000000000455000-memory.dmp   340KB
  memory/2332-2-0x0000000000220000-0x000000000022B000-memory.dmp   44KB
  memory/2332-5-0x0000000000400000-0x0000000000455000-memory.dmp   340KB