Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 17-04-2024 13:38
Static task: static1
Behavioral task: behavioral1
- Sample: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
- Resource: win10v2004-20240412-en
General
- Target: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
- Size: 267KB
- MD5: 8d497ad51a5e074060134dcb2d49786c
- SHA1: a2519bbfcd1c1c4f5558df52caa038ce4cb97448
- SHA256: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483
- SHA512: 994ab1bcee306c42a7bcefa2c0f4747e5fb62359d2fc292084b370269ebaa2eb7fd37643d2b024dd8684ada4f8d1ec80110b219a8ab626a20ded2c82dc3cf84c
- SSDEEP: 3072:LBhoLytqNiryGxcInMp3/ZaBesq5GBrPKWZlhy8paIYWLXfag5Z34zT+yx:IERryGfnC/sM5irPK6hjtYCyQ34zT
Malware Config
Extracted: smokeloader
- Version: pub3
Extracted: smokeloader
- Version: 2022
- C2:
  - http://kamsmad.com/tmp/index.php
  - http://souzhensil.ru/tmp/index.php
  - http://teplokub.com.ua/tmp/index.php
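The three extracted C2 URLs share one path, so they can be turned into tiered network indicators rather than three exact-match strings. The script below is an added example (not part of the Triage report and not the sample's own code): the C2 list is the one extracted above, while the proxy-log format and the log lines are constructed for the example, and the "POST to /tmp/index.php on an unlisted host" tier is an assumption about what is worth hunting on.

```python
"""Match web-proxy log lines against the SmokeLoader C2 URLs extracted from this sample.

Added example; it is not part of the Triage report and not the sample's own code.
The C2 list is the one the report extracted; the log lines and their format are
constructed for the example.
"""
from urllib.parse import urlsplit

# C2 URLs from the extracted SmokeLoader "2022" config above.
SMOKELOADER_C2 = [
    "http://kamsmad.com/tmp/index.php",
    "http://souzhensil.ru/tmp/index.php",
    "http://teplokub.com.ua/tmp/index.php",
]


def normalize(url):
    """Return (host, path): host lower-cased without port, query string dropped."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


C2_HOSTS = {normalize(u)[0] for u in SMOKELOADER_C2}
# All three C2s share the same path. A POST to that path on an unlisted host is
# treated as a weak indicator (assumption: useful for hunting, not for blocking).
C2_PATHS = {normalize(u)[1] for u in SMOKELOADER_C2}


def classify(method, url):
    """Tier a single request: 'high', 'medium', 'low' or None."""
    host, path = normalize(url)
    if host in C2_HOSTS and path in C2_PATHS:
        return "high"    # exact C2 endpoint from the extracted config
    if host in C2_HOSTS:
        return "medium"  # known C2 host, different path
    if path in C2_PATHS and method.upper() == "POST":
        return "low"     # SmokeLoader-style path on a host not in the config
    return None


def scan(lines):
    """lines: 'timestamp src_ip method url status' (constructed proxy-log format).
    Returns (timestamp, src_ip, tier, host) for each matching line."""
    hits = []
    for line in lines:
        ts, src, method, url, _status = line.split()
        tier = classify(method, url)
        if tier is not None:
            hits.append((ts, src, tier, normalize(url)[0]))
    return hits


# Constructed sample log; only the C2 hosts and paths come from the report.
SAMPLE_LOG = [
    "2024-04-17T13:40:01Z 10.0.0.12 POST http://kamsmad.com/tmp/index.php 200",
    "2024-04-17T13:40:02Z 10.0.0.12 GET http://www.example.com/index.html 200",
    "2024-04-17T13:40:05Z 10.0.0.12 POST http://SOUZHENSIL.RU:80/tmp/index.php?x=1 200",
    "2024-04-17T13:40:09Z 10.0.0.15 GET http://teplokub.com.ua/robots.txt 404",
    "2024-04-17T13:40:11Z 10.0.0.15 POST http://cdn.example.net/tmp/index.php 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Host matching goes through `urlsplit().hostname`, so case, an explicit port and a query string do not defeat the match; the "low" tier fires only on POST because the path alone is generic enough to appear on unrelated sites.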
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 1140 (process name not recorded in the report)
- Executes dropped EXE (1 IoC)
  Processes: pid 2604 hbfhiev
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe, hbfhiev
  description | ioc | process
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hbfhiev
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hbfhiev
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | hbfhiev
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
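The SCSI check works because hypervisors leave their vendor names in the device instance names under Enum\SCSI; a loader that finds one assumes it is being analysed and can change behaviour. The block below is an added example, not code from the sample or from the report: `vm_indicators` shows the generic malware-side check (the marker strings and subkey names are constructed and are not recovered from this sample), and `scsi_enumerators` shows how to pick the same behaviour out of registry-access telemetry using event records constructed from the IoC table above.

```python
"""The SCSI-enumeration sandbox check flagged above, and a detection for it.

Added example; not code from the sample or the report. The subkey names, the
hypervisor marker strings and the event records are constructed: they show the
generic technique, not strings recovered from this sample.
"""
import re
from collections import Counter

# Matches ControlSet001 (as logged in the report) as well as CurrentControlSet.
SCSI_ENUM_RE = re.compile(
    r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI(\\|$)", re.IGNORECASE
)

# Substrings hypervisors commonly leave in SCSI device instance names.
# Assumption: a typical list; the sample's own list is not in the report.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "virtual")


def vm_indicators(scsi_subkeys):
    """Malware-side view: which Enum\\SCSI subkeys betray a hypervisor disk?"""
    return [k for k in scsi_subkeys if any(m in k.lower() for m in VM_MARKERS)]


def scsi_enumerators(events, min_ops=2):
    """Detection side: (pid, image) pairs that touched the SCSI enum key at least
    min_ops times. events: (pid, image, operation, key_path)."""
    counts = Counter(
        (pid, image) for pid, image, _op, key in events if SCSI_ENUM_RE.search(key)
    )
    return {k: v for k, v in counts.items() if v >= min_ops}


# Constructed subkey names as a VM and as bare metal would show them.
VM_SUBKEYS = [
    r"Disk&Ven_VMware&Prod_Virtual_disk",
    r"CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
BAREMETAL_SUBKEYS = [r"Disk&Ven_Samsung&Prod_SSD_870_EVO"]

# Constructed registry events mirroring the report's IoC table (pids from the report).
SAMPLE = "dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe"
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
EVENTS = [
    (2896, SAMPLE, "enumerate", SCSI_KEY),
    (2896, SAMPLE, "open", SCSI_KEY),
    (2896, SAMPLE, "query", SCSI_KEY),
    (2604, "hbfhiev", "open", SCSI_KEY),
    (2604, "hbfhiev", "query", SCSI_KEY),
    (2604, "hbfhiev", "enumerate", SCSI_KEY),
    # Constructed benign noise: one read of a device subkey and an unrelated key.
    (1204, "svchost.exe", "open",
     r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI\Disk&Ven_Samsung&Prod_SSD_870_EVO"),
    (1204, "svchost.exe", "open", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\USB"),
]

if __name__ == "__main__":
    print("VM markers seen:", vm_indicators(VM_SUBKEYS))
    print("processes enumerating Enum\\SCSI:", scsi_enumerators(EVENTS))
```

Legitimate system components also read this key, so the detection counts operations per process and is meant as a corroborating signal next to the other behaviours in this report (dropped copy, scheduled-task launch, process enumeration), not as a standalone alert.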
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2896 dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe (2 IoCs); pid 1140 (all remaining IoCs; process name not recorded in the report)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: pid 2896 dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe; pid 2604 hbfhiev
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 2728 wrote to memory of 2604 | 2728 | taskeng.exe | hbfhiev (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {18CCC33E-BEAE-4C73-9177-35B18B6E7BA4} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\hbfhiev (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\hbfhiev
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
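The process tree and the Downloads section together show the persistence chain: the sample copies itself to an extension-less file under %APPDATA%\Roaming (the dropped hbfhiev has the same MD5/SHA1/SHA256 as the submitted file) and is then relaunched by taskeng.exe, the Windows 7 Task Scheduler engine. The script below is an added example, not part of the report: it flags that pattern in process-creation telemetry. The event records are constructed from the tree above (the sample's own parent process is not in the report and is assumed to be explorer.exe; the extra hashes and the updater.exe event are made up for contrast), and treating svchost.exe as the scheduled-task parent on Windows 10 is an assumption.

```python
"""Flag the persistence chain shown in the process tree: taskeng.exe starting an
extension-less file under %APPDATA%\\Roaming that hashes identically to the sample.

Added example; not part of the Triage report. Events are constructed from the
report's process tree and Downloads section; the sample hash is the report's.
"""
import ntpath

SAMPLE_SHA256 = "dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483"

# Parents that launch scheduled tasks: taskeng.exe on Windows 7 (as in the report);
# assumption: on Windows 10 the Schedule service runs inside svchost.exe instead.
TASK_PARENTS = {"taskeng.exe", "svchost.exe"}


def in_roaming_without_ext(image):
    """True for a file anywhere under ...\\AppData\\Roaming\\ with no extension."""
    p = image.lower()
    return "\\appdata\\roaming\\" in p and ntpath.splitext(ntpath.basename(p))[1] == ""


def flag_task_launched_payloads(events, known_sha256=frozenset({SAMPLE_SHA256})):
    """events: dicts with pid, image, parent_image, sha256.
    Returns (pid, image, reasons) for every event that matches at least one rule."""
    hits = []
    for e in events:
        reasons = []
        parent = ntpath.basename(e["parent_image"]).lower()
        if parent in TASK_PARENTS and in_roaming_without_ext(e["image"]):
            reasons.append("scheduled task launched extension-less file in Roaming")
        if e.get("sha256") in known_sha256:
            reasons.append("hash matches known sample")
        if reasons:
            hits.append((e["pid"], e["image"], reasons))
    return hits


# Constructed process-creation events; pids and paths follow the report's tree.
EVENTS = [
    {"pid": 2896,
     "image": r"C:\Users\Admin\AppData\Local\Temp\dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe",
     "parent_image": r"C:\Windows\explorer.exe",       # assumed parent, not in report
     "sha256": SAMPLE_SHA256},
    {"pid": 2728, "image": r"C:\Windows\system32\taskeng.exe",
     "parent_image": r"C:\Windows\system32\svchost.exe", "sha256": "0" * 64},  # constructed
    {"pid": 2604, "image": r"C:\Users\Admin\AppData\Roaming\hbfhiev",
     "parent_image": r"C:\Windows\system32\taskeng.exe",
     "sha256": SAMPLE_SHA256},                           # identical to the sample, per Downloads
    {"pid": 3100, "image": r"C:\Users\Admin\AppData\Roaming\Vendor\updater.exe",
     "parent_image": r"C:\Windows\system32\taskeng.exe", "sha256": "1" * 64},  # constructed
]

if __name__ == "__main__":
    for hit in flag_task_launched_payloads(EVENTS):
        print(hit)
```

The path rule fires on its own even when the hash is unknown, which is the case once the loader is repacked; the hash rule is there so the dropped copy is tied back to the submitted sample, as the identical digests in the Downloads section allow.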
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\hbfhiev
  Filesize: 267KB
  MD5: 8d497ad51a5e074060134dcb2d49786c
  SHA1: a2519bbfcd1c1c4f5558df52caa038ce4cb97448
  SHA256: dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483
  SHA512: 994ab1bcee306c42a7bcefa2c0f4747e5fb62359d2fc292084b370269ebaa2eb7fd37643d2b024dd8684ada4f8d1ec80110b219a8ab626a20ded2c82dc3cf84c
- memory/1140-4-0x00000000024A0000-0x00000000024B6000-memory.dmp
  Filesize: 88KB
- memory/1140-16-0x00000000024D0000-0x00000000024E6000-memory.dmp
  Filesize: 88KB
- memory/2604-14-0x0000000001B40000-0x0000000001C40000-memory.dmp
  Filesize: 1024KB
- memory/2604-15-0x0000000000400000-0x0000000001A2F000-memory.dmp
  Filesize: 22.2MB
- memory/2604-19-0x0000000000400000-0x0000000001A2F000-memory.dmp
  Filesize: 22.2MB
- memory/2896-1-0x0000000001B40000-0x0000000001C40000-memory.dmp
  Filesize: 1024KB
- memory/2896-2-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB
- memory/2896-3-0x0000000000400000-0x0000000001A2F000-memory.dmp
  Filesize: 22.2MB
- memory/2896-5-0x0000000000400000-0x0000000001A2F000-memory.dmp
  Filesize: 22.2MB