Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
17-04-2024 13:49
General
-
Target
91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe
-
Size
259KB
-
MD5
e5477d6420e21e75a4bb411a3947201a
-
SHA1
7120bf0ba0196ecc8cc04dd0c3166185ee3f7892
-
SHA256
91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
-
SHA512
de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
-
SSDEEP
6144:K7vq2CD3/WTO/Ukgn4olUKm4shprkwnf8/9tQ:ERM3/WTO/dgxUWshprDnatQ
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe"C:\Users\Admin\AppData\Local\Temp\91e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\711B.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {1C7E5A51-D3FA-4E71-9308-DBD3ED871C00} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ajgbtijC:\Users\Admin\AppData\Roaming\ajgbtij2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\711B.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Roaming\ajgbtijFilesize
259KB
MD5e5477d6420e21e75a4bb411a3947201a
SHA17120bf0ba0196ecc8cc04dd0c3166185ee3f7892
SHA25691e8fd048fb5df071ba6e3d7917edcb53122d9cbd9e57dcf4b5e50c72d575c7a
SHA512de56dddda25e1cf9c5835613e38375f463bbcabe858b846077359b704493ef75b14e6187f21f110103bde70cc61efe17e5dac6d229456271b33afa3406c7020d
-
memory/1152-4-0x0000000002A90000-0x0000000002AA6000-memory.dmpFilesize
88KB
-
memory/1152-25-0x0000000003E30000-0x0000000003E46000-memory.dmpFilesize
88KB
-
memory/2040-1-0x0000000000C90000-0x0000000000D90000-memory.dmpFilesize
1024KB
-
memory/2040-2-0x0000000000220000-0x000000000022B000-memory.dmpFilesize
44KB
-
memory/2040-3-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/2040-5-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/2388-23-0x0000000000F50000-0x0000000001050000-memory.dmpFilesize
1024KB
-
memory/2388-24-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB
-
memory/2388-26-0x0000000000400000-0x0000000000AEA000-memory.dmpFilesize
6.9MB