Analysis
-
max time kernel
300s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system -
submitted
22-04-2024 05:46
Static task
static1
Behavioral task
behavioral1
Sample
ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
Resource
win10-20240404-en
General
-
Target
ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
-
Size
258KB
-
MD5
94322d2ea0e171cd5a220db7f6abdf2b
-
SHA1
e640d66c618adc0b1d8d8cdfc9f34c77f240b5fc
-
SHA256
ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62
-
SHA512
74516132dcf9bc1b664faeb1087a7e8f4a5fb893382dd691170979d2a2f8cdb6c191c2d86257ad605659b8884a8767a449d91318c6d2d7b3106d625b3b93f57e
-
SSDEEP
3072:COKst9RZ/6ANm46z78+vyNzClB3MF7m999jKY8d24IbS93rmS3a+5BddMZEKG+pG:xz8Uc8MRo7m99w24IbSd4+5LdwE
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid | process
1224 | (process name not recorded in the report)
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
684 | aghsavr
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments: the Enum\SCSI key lists the attached disk devices, and their device identifiers frequently carry a virtual-machine vendor string (VMware, VBOX and the like). Both the submitted sample (PID 2368) and the dropped copy aghsavr (PID 684) open, query and enumerate the key.
Processes:
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aghsavr
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aghsavr
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | aghsavr
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
2368 | ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe (2 entries)
1224 | (process name not recorded in the report; all remaining entries)
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
2368 | ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe
684 | aghsavr
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1224 | (process name not recorded in the report)
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 2888 wrote to memory of 684 | 2888 | taskeng.exe | aghsavr
(the same entry is recorded four times)
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 2368
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {74DEBF2D-6DC4-485D-9FD0-061699FB77E1} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory
PID: 2888
  -
  C:\Users\Admin\AppData\Roaming\aghsavr (depth 2, child of taskeng.exe)
  Command line: C:\Users\Admin\AppData\Roaming\aghsavr
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 684
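The signatures and process tree above describe three behaviours worth turning into detection logic: the Enum\SCSI probe from a binary running out of a user-writable drop path, a scheduled-task host (taskeng.exe) writing into a child that lives under %APPDATA%, and beaconing to the extracted /tmp/index.php C2 gates. The following is an added example, not the sandbox's own logic and not code from the report; it runs the three rules over a constructed, generic event list modelled on the report's IoCs (PIDs, paths and URLs are copied from the report; the Event shape, the svchost.exe task-host alias for Windows 10 and the example.invalid URLs are assumptions for illustration). Mapping real Sysmon or EDR telemetry onto that shape is left to the reader.

```python
"""Detection rules derived from the SmokeLoader sandbox report above (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Extracted SmokeLoader C2 endpoints, copied from the report's "Malware Config".
C2_URLS = {
    "http://nidoe.org/tmp/index.php",
    "http://sodez.ru/tmp/index.php",
    "http://uama.com.ua/tmp/index.php",
    "http://talesofpirates.net/tmp/index.php",
}
# Registry key both the sample and its dropped copy opened/queried/enumerated.
SCSI_ENUM_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
# Drop/launch locations seen in the report: %TEMP% for the sample, %APPDATA%\Roaming for the copy.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
# Windows 7 runs tasks under taskeng.exe (as in the report); svchost.exe is included on the
# assumption that the Schedule service hosts tasks directly on Windows 10.
TASK_HOST = re.compile(r"\\(taskeng|svchost)\.exe$", re.IGNORECASE)


@dataclass
class Event:
    kind: str          # "registry", "procmem" or "http" (constructed generic schema)
    pid: int
    image: str         # full path of the acting process
    target: str = ""   # registry key, target image path, or URL
    target_pid: int = 0


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def check_scsi_probe(ev: Event) -> Optional[Finding]:
    """Rule 1: Enum\\SCSI read by a binary executing from a user-writable drop path."""
    if ev.kind == "registry" and ev.target.upper() == SCSI_ENUM_KEY.upper() \
            and USER_WRITABLE.search(ev.image):
        return Finding("scsi_enum_from_drop_path", ev.pid, f"{ev.image} read {ev.target}")
    return None


def check_task_host_injection(ev: Event) -> Optional[Finding]:
    """Rule 2: a scheduled-task host writing into a child image outside C:\\Windows."""
    if ev.kind == "procmem" and TASK_HOST.search(ev.image) \
            and not ev.target.lower().startswith("c:\\windows\\"):
        return Finding("task_host_writes_to_user_binary", ev.pid,
                       f"{ev.image} -> pid {ev.target_pid} ({ev.target})")
    return None


def check_c2(ev: Event) -> Optional[Finding]:
    """Rule 3: exact extracted C2 URL, or the generic SmokeLoader gate path /tmp/index.php."""
    if ev.kind != "http":
        return None
    if ev.target in C2_URLS:
        return Finding("smokeloader_c2_exact", ev.pid, ev.target)
    if re.search(r"^https?://[^/]+/tmp/index\.php$", ev.target):
        return Finding("smokeloader_c2_pattern", ev.pid, ev.target)
    return None


RULES = (check_scsi_probe, check_task_host_injection, check_c2)


def run_rules(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event; returns findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\aghsavr"

# Constructed sample events modelled on the report's process tree and signatures.
SAMPLE_EVENTS = [
    Event("registry", 2368, SAMPLE, SCSI_ENUM_KEY),
    Event("registry", 684, DROPPED, SCSI_ENUM_KEY),
    Event("registry", 4, r"C:\Windows\System32\svchost.exe", SCSI_ENUM_KEY),   # benign: system process
    Event("procmem", 2888, r"C:\Windows\system32\taskeng.exe", DROPPED, 684),
    Event("http", 684, DROPPED, "http://sodez.ru/tmp/index.php"),
    Event("http", 684, DROPPED, "http://example.invalid/tmp/index.php"),       # constructed, not from the report
    Event("http", 1000, r"C:\Program Files\Browser\browser.exe", "http://example.invalid/index.php"),
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

Rule 1 deliberately keys on the launch path rather than on the registry key alone: Plug-and-Play and disk-management components read Enum\SCSI legitimately, so the key by itself is noise. Rule 3's pattern match is a widening beyond the four extracted URLs and will need tuning against your own HTTP telemetry.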
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Roaming\aghsavr
Filesize 258KB
MD5 94322d2ea0e171cd5a220db7f6abdf2b
SHA1 e640d66c618adc0b1d8d8cdfc9f34c77f240b5fc
SHA256 ac71084dc7df6aac889f9b4ed5e4217c7cfcaed0ce2544dbc06a8605bcdb5d62
SHA512 74516132dcf9bc1b664faeb1087a7e8f4a5fb893382dd691170979d2a2f8cdb6c191c2d86257ad605659b8884a8767a449d91318c6d2d7b3106d625b3b93f57e
(size and every hash are identical to the submitted sample: the dropped file is a byte-for-byte copy)
-
memory/684-13-0x00000000041B0000-0x00000000042B0000-memory.dmp
Filesize 1024KB
-
memory/684-15-0x0000000000400000-0x0000000004034000-memory.dmp
Filesize 60.2MB
-
memory/1224-3-0x0000000002D70000-0x0000000002D86000-memory.dmp
Filesize 88KB
-
memory/1224-14-0x0000000002EF0000-0x0000000002F06000-memory.dmp
Filesize 88KB
-
memory/2368-1-0x00000000044A0000-0x00000000045A0000-memory.dmp
Filesize 1024KB
-
memory/2368-2-0x00000000003B0000-0x00000000003BB000-memory.dmp
Filesize 44KB
-
memory/2368-4-0x0000000000400000-0x0000000004034000-memory.dmp
Filesize 60.2MB
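The memory-dump names above encode the owning PID, a dump index and the virtual address range that was captured, and the listed sizes follow from the range. The following is an added example, not tooling from the sandbox: it parses that naming pattern, recomputes the region sizes, and picks out the dumps a triage analyst would open first. The "default ImageBase" heuristic (a region starting at 0x400000 is where a non-relocated 32-bit executable is mapped, so it is the natural place for an unpacked copy of the loader) is an assumption of this example, not a statement the report makes. The dump names are copied from the report.

```python
"""Parse Triage-style memory dump names and derive region sizes (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, as listed under "Downloads".
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Assumption: classic ImageBase of non-relocated 32-bit PE files.
DEFAULT_IMAGE_BASE = 0x400000


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        """Region length in bytes (end is exclusive, as in the dump names)."""
        return self.end - self.start

    @property
    def size_kib(self) -> float:
        return self.size / 1024


def parse_dump_name(name: str) -> Region:
    """Turn one dump file name into a Region; rejects names that do not fit the pattern."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    r = Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))
    if r.end <= r.start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return r


def candidate_payload_dumps(regions: List[Region]) -> List[Region]:
    """Regions based at the default ImageBase: the first dumps to open for the unpacked loader."""
    return [r for r in regions if r.start == DEFAULT_IMAGE_BASE]


def shared_regions(regions: List[Region]) -> Dict[Tuple[int, int], Set[int]]:
    """(start, end) ranges captured from more than one process."""
    by_range: Dict[Tuple[int, int], Set[int]] = {}
    for r in regions:
        by_range.setdefault((r.start, r.end), set()).add(r.pid)
    return {k: v for k, v in by_range.items() if len(v) > 1}


# Dump names copied from the report's "Downloads" section.
REPORT_DUMPS = [
    "memory/684-13-0x00000000041B0000-0x00000000042B0000-memory.dmp",
    "memory/684-15-0x0000000000400000-0x0000000004034000-memory.dmp",
    "memory/1224-3-0x0000000002D70000-0x0000000002D86000-memory.dmp",
    "memory/1224-14-0x0000000002EF0000-0x0000000002F06000-memory.dmp",
    "memory/2368-1-0x00000000044A0000-0x00000000045A0000-memory.dmp",
    "memory/2368-2-0x00000000003B0000-0x00000000003BB000-memory.dmp",
    "memory/2368-4-0x0000000000400000-0x0000000004034000-memory.dmp",
]

if __name__ == "__main__":
    regions = [parse_dump_name(n) for n in REPORT_DUMPS]
    for r in regions:
        print(f"pid {r.pid:>5} #{r.idx:<2} 0x{r.start:08X}-0x{r.end:08X} {r.size_kib:10.1f} KiB")
    for r in candidate_payload_dumps(regions):
        print(f"candidate payload dump: pid {r.pid} index {r.idx} ({r.size_kib / 1024:.1f} MiB)")
    for (start, end), pids in shared_regions(regions).items():
        print(f"range 0x{start:08X}-0x{end:08X} captured from pids {sorted(pids)}")
```

Running it reproduces the report's figures (1024 KiB, 60.2 MiB, 88 KiB, 44 KiB) and shows that the same 0x400000-0x4034000 range was dumped from both PID 2368 and PID 684, which fits the dropped file being an identical copy of the sample. The two 88 KiB regions in PID 1224 (the unnamed process that enumerates processes, deletes the sample and holds SeShutdownPrivilege) are the smaller dumps to inspect for injected code.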