Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system -
submitted
17-04-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
Resource
win10v2004-20240412-en
General
-
Target
ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
-
Size
244KB
-
MD5
1a1dfe0fb4917f9f6c0585af695ffc45
-
SHA1
9cfbb619dc98498f9791cf8b759bd1fca6983243
-
SHA256
ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336
-
SHA512
0d9d6f4a7f2ea94a4877cf51a35b86141ff9e2ffd855986de097200f1f6bac1fef641275932cd1ea759fc555343ae94d8582cad237b02956758bc2338457e64e
-
SSDEEP
3072:/wZm1wLxrRmddvRLByDde2D0IifymfM3Md6kbYZQTdNRunrcSO4Dtl16/AaqP:Am1widpLByDdPD0lBfMfZjrNh
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://sjyey.com/tmp/index.php
http://babonwo.ru/tmp/index.php
http://mth.com.ua/tmp/index.php
http://piratia.pw/tmp/index.php
http://go-piratia.ru/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid: 1336 (process name not captured in the report) -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
description: Key enumerated | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
description: Key queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
Process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
pid: 2220 | process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe (2 entries)
pid: 1336 | process name not captured in the report (remaining 62 entries) -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
pid: 2220 | process: ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid: 1336 (process name not captured in the report; 2 entries) -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid: 1336 (process name not captured in the report; 2 entries) -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ff0500a380008b913b550a84c7ddcc17f4a8c07b6778f24e7dc333988b1fe336.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB
MD5
29f65ba8e88c063813cc50a4ea544e93
SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB
MD5
a266bb7dcc38a562631361bbf61dd11b
SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
f345d0d2c23153e057817c6217621fc0
SHA1
84c05564934e21ff1571e1a615f47db8065b76f9
SHA256
a86a64b0020220199e32f89ced447f6848c8ca753d5753236430a8046bdca44b
SHA512
8cfa689f81dbf066a628e58e351e7cdcef5b20c41c9029c3d12d618a0e082154fb7eee602c054330dd103a4296272f94e9b788f6144da339d0aa8438052cde40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B
MD5
8c3b26ae0487bcca7dbe0145dc1c9b53
SHA1
080adca622947d32b5fa54d7ea4413b314ea655b
SHA256
5703877474d5083225fc3b537834eaaa75fc73b8fd0b551145bfb1f7c1dba279
SHA512
43950605e5bed783fb7da64dd96f97534f4dd896d023bbfabb949436747a54ebb1048d781e7a465f18126673cb5f93b443fcd69f4e261f95182bbb0989e4dfbe
-
C:\Users\Admin\AppData\Local\Temp\Tar84DE.tmp
Filesize
177KB
MD5
435a9ac180383f9fa094131b173a2f7b
SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
memory/1336-4-0x0000000002E30000-0x0000000002E46000-memory.dmp
Filesize
88KB
-
memory/2220-1-0x0000000000230000-0x0000000000330000-memory.dmp
Filesize
1024KB
-
memory/2220-3-0x0000000000400000-0x0000000000449000-memory.dmp
Filesize
292KB
-
memory/2220-2-0x00000000003A0000-0x00000000003AB000-memory.dmp
Filesize
44KB
-
memory/2220-5-0x0000000000400000-0x0000000000449000-memory.dmp
Filesize
292KB