Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-04-2024 07:28
Static task: static1
Behavioral task: behavioral1
  Sample: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
  Resource: win10v2004-20240412-en
General
Target: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
Size: 242KB
MD5: 4fd9caec64f84f02b2cfdda2309b99b5
SHA1: c17231b5ea677a1d5ad8f0c06ddcc3728da5bcb9
SHA256: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3
SHA512: b3d58baf3fe33c6b30c5f13b11a76473d26fa7845b0b169947894ba797de8cad5fff5e1322a8580b1d49b436ad1ce9b613febc5bcf7752963fb7378f8d475675
SSDEEP: 3072:XULiAfEZo3Vo8YuEgC4hraI67c5+gJO+VRmCB44:kLpmo3S8YuDCIehHgJzDp
Malware Config
Extracted: smokeloader
  Version: pub3
Extracted: smokeloader
  Version: 2022
  C2: http://nidoe.org/tmp/index.php
  C2: http://sodez.ru/tmp/index.php
  C2: http://uama.com.ua/tmp/index.php
  C2: http://talesofpirates.net/tmp/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
  Processes:
    PID 1196 (no process name in report)
Executes dropped EXE (1 IoC)
  Processes: hjhcsus
    PID 2952  hjhcsus
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe, hjhcsus
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  hjhcsus
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  hjhcsus
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  hjhcsus
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
    PID 1504  c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe  (2 IoCs)
    PID 1196  (no process name in report; the remaining 62 IoCs)
Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe, hjhcsus
    PID 1504  c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
    PID 2952  hjhcsus
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: taskeng.exe
    PID 2468 (taskeng.exe) wrote to memory of PID 2952 (hjhcsus), recorded 4 times
Processes
C:\Users\Admin\AppData\Local\Temp\c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3.exe"
  PID: 1504
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {31E0D625-DAF3-43D0-ADB6-B3052C826F1E} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  PID: 2468
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\hjhcsus (child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\hjhcsus
    PID: 2952
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\hjhcsus
  Filesize: 242KB
  MD5: 4fd9caec64f84f02b2cfdda2309b99b5
  SHA1: c17231b5ea677a1d5ad8f0c06ddcc3728da5bcb9
  SHA256: c35b69346c336a94c9f193bac00971cf455f59d07816e72ea0b93438b5e858f3
  SHA512: b3d58baf3fe33c6b30c5f13b11a76473d26fa7845b0b169947894ba797de8cad5fff5e1322a8580b1d49b436ad1ce9b613febc5bcf7752963fb7378f8d475675
memory/1196-4-0x0000000002480000-0x0000000002496000-memory.dmp
  Filesize: 88KB
memory/1196-16-0x00000000024B0000-0x00000000024C6000-memory.dmp
  Filesize: 88KB
memory/1504-2-0x0000000000220000-0x000000000022B000-memory.dmp
  Filesize: 44KB
memory/1504-1-0x0000000002DB0000-0x0000000002EB0000-memory.dmp
  Filesize: 1024KB
memory/1504-3-0x0000000000400000-0x0000000002C1F000-memory.dmp
  Filesize: 40.1MB
memory/1504-5-0x0000000000400000-0x0000000002C1F000-memory.dmp
  Filesize: 40.1MB
memory/2952-14-0x0000000002D80000-0x0000000002E80000-memory.dmp
  Filesize: 1024KB
memory/2952-15-0x0000000000400000-0x0000000002C1F000-memory.dmp
  Filesize: 40.1MB
memory/2952-19-0x0000000000400000-0x0000000002C1F000-memory.dmp
  Filesize: 40.1MB