Overview

overview

10

Static

static

3

a041839327...d1.exe

windows7-x64

10

a041839327...d1.exe

windows10-1703-x64

10

a041839327...d1.exe

windows10-2004-x64

10

a041839327...d1.exe

windows11-21h2-x64

10

b102ed1018...01.exe

windows7-x64

10

b102ed1018...01.exe

windows10-1703-x64

10

b102ed1018...01.exe

windows10-2004-x64

10

b102ed1018...01.exe

windows11-21h2-x64

1

650f0d694c...7e.exe

windows7-x64

10

650f0d694c...7e.exe

windows10-1703-x64

10

650f0d694c...7e.exe

windows10-2004-x64

10

650f0d694c...7e.exe

windows11-21h2-x64

1

Analysis

  • max time kernel
    1800s
  • max time network
    1562s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    15-04-2024 12:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1.exe

  • Size

    255KB

  • MD5

    7fdba86bba0508054fd1f058a6a2d134

  • SHA1

    131aa6889c55b9348a452fdf369fe54c2f05ba48

  • SHA256

    a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1

  • SHA512

    901b368bf99f8b715186d22d73bbb80a87f8498fd375b9023d798651f5c0939d01d3ec3ec50ce148699b6228aca59711883e9a30e986c1c5d18e95e8ab1967f1

  • SSDEEP

    6144:VU8vCLXBfoCmgZw6NNTs9VUkIqj8m+z7:VU8apkQw6N6LUkpv+z7

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://furubujjul.net/

http://starvestitibo.org/

http://liubertiyyyul.net/

http://bururutu44org.org/

http://nvulukuluir.net/

http://gulutina49org.org/

http://hulimudulinu.net/

http://stalnnuytyt.org/

http://nuluitnulo.me/

http://youyouumenia5.org/

http://guluiiiimnstra.net/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1.exe
    "C:\Users\Admin\AppData\Local\Temp\a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1736
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F1389875-63AB-4777-A68A-513F8A617051} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Roaming\ucbrgfc
      C:\Users\Admin\AppData\Roaming\ucbrgfc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1060
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F2714DB0-B267-4583-BDB8-900231B365AD} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Roaming\ucbrgfc
      C:\Users\Admin\AppData\Roaming\ucbrgfc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1296
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {98CFCDF8-6CF4-4AB8-A936-56CA3CBB27CF} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:680
    • C:\Users\Admin\AppData\Roaming\ucbrgfc
      C:\Users\Admin\AppData\Roaming\ucbrgfc
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ucbrgfc
    Filesize

    255KB

    MD5

    7fdba86bba0508054fd1f058a6a2d134

    SHA1

    131aa6889c55b9348a452fdf369fe54c2f05ba48

    SHA256

    a041839327295fde3df12ea61374abd19c4499b87e211757c593179d6a6870d1

    SHA512

    901b368bf99f8b715186d22d73bbb80a87f8498fd375b9023d798651f5c0939d01d3ec3ec50ce148699b6228aca59711883e9a30e986c1c5d18e95e8ab1967f1

    Download Submit

  • memory/1060-16-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1060-18-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1060-15-0x0000000003070000-0x0000000003170000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1232-35-0x00000000029E0000-0x00000000029F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1232-26-0x00000000029B0000-0x00000000029C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1232-4-0x0000000002170000-0x0000000002186000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1232-17-0x0000000002990000-0x00000000029A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1296-25-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1296-24-0x0000000000290000-0x0000000000390000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1296-27-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1532-33-0x0000000000250000-0x0000000000350000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1532-34-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1532-38-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1736-8-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1736-5-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1736-1-0x0000000002D80000-0x0000000002E80000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1736-3-0x0000000000400000-0x0000000002C2E000-memory.dmp

    Filesize

    40.2MB

    Download

  • memory/1736-2-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

    Download