Analysis
  Max time kernel: 150s
  Max time network: 124s
  Platform: windows7_x64
  Resource: win7-20240221-en
  Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  Submitted: 22-04-2024 14:28
Static task: static1
Behavioral task: behavioral1
  Sample: d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
  Resource: win10v2004-20240412-en
General
  Target: d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
  Size: 240KB
  MD5: 8fb08ed3ff3a89b7103fa6ac5fc0a5da
  SHA1: 6833ac4176de9221ca5f78ba56088804873676b9
  SHA256: d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3
  SHA512: 8e1ee2ea2cc24cb64d7c9255b05dde0dc0e6f58b9a35c409dac96ec001d190674bc6cf7ee93cdb227614e87dc733e7d6a39fc15a0a62fb603a09655fd2d96990
  SSDEEP: 3072:zeFKQLnnuR1doLLt8Rql7SDi92HHygke:5Su2LFl70Hygk
Malware Config
  Extracted: smokeloader
    pub3
  Extracted: smokeloader
    2022
    C2 URLs:
      http://nidoe.org/tmp/index.php
      http://sodez.ru/tmp/index.php
      http://uama.com.ua/tmp/index.php
      http://talesofpirates.net/tmp/index.php
Signatures
  SmokeLoader
    Modular backdoor trojan in use since 2014.
  Deletes itself (1 IoC)
    Processes: PID 1192 (no process name recorded)
  Executes dropped EXE (1 IoC)
    Processes: PID 2164 dbbewcw
  Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
    Description      | IoC                                              | Process
    Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
    Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
    Key enumerated   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
    Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dbbewcw
    Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dbbewcw
    Key enumerated   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | dbbewcw
  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes:
      PID 2744 d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe (2 entries)
      PID 1192 (remaining 62 entries; no process name recorded)
  Suspicious behavior: MapViewOfSection (2 IoCs)
    Processes:
      PID 2744 d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
      PID 2164 dbbewcw
  Suspicious use of WriteProcessMemory (4 IoCs)
    Description     | PID  | Process     | Target PID | Target process
    wrote to memory | 1720 | taskeng.exe | 2164       | dbbewcw
    (the same source/target pair is recorded four times)
Processes
  C:\Users\Admin\AppData\Local\Temp\d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3.exe"
    PID: 2744
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {B6BACD62-A279-49FD-AB88-518D8F084D4E} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    PID: 1720
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\dbbewcw (child of taskeng.exe)
      Command line: C:\Users\Admin\AppData\Roaming\dbbewcw
      PID: 2164
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
  C:\Users\Admin\AppData\Roaming\dbbewcw (hashes identical to the submitted sample)
    Filesize: 240KB
    MD5: 8fb08ed3ff3a89b7103fa6ac5fc0a5da
    SHA1: 6833ac4176de9221ca5f78ba56088804873676b9
    SHA256: d8c8f5926d6289c742b05dd28828012ae5ea07a6388cf76667f189292f5a66d3
    SHA512: 8e1ee2ea2cc24cb64d7c9255b05dde0dc0e6f58b9a35c409dac96ec001d190674bc6cf7ee93cdb227614e87dc733e7d6a39fc15a0a62fb603a09655fd2d96990
  memory/1192-4-0x0000000002210000-0x0000000002226000-memory.dmp
    Filesize: 88KB
  memory/1192-16-0x0000000002170000-0x0000000002186000-memory.dmp
    Filesize: 88KB
  memory/2164-14-0x0000000002D80000-0x0000000002E80000-memory.dmp
    Filesize: 1024KB
  memory/2164-15-0x0000000000400000-0x0000000002C1F000-memory.dmp
    Filesize: 40.1MB
  memory/2164-17-0x0000000000400000-0x0000000002C1F000-memory.dmp
    Filesize: 40.1MB
  memory/2744-1-0x0000000002D90000-0x0000000002E90000-memory.dmp
    Filesize: 1024KB
  memory/2744-2-0x0000000000220000-0x000000000022B000-memory.dmp
    Filesize: 44KB
  memory/2744-3-0x0000000000400000-0x0000000002C1F000-memory.dmp
    Filesize: 40.1MB
  memory/2744-5-0x0000000000400000-0x0000000002C1F000-memory.dmp
    Filesize: 40.1MB