Analysis
-
max time kernel
154s -
max time network
161s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
29-04-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral2
Sample
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
Resource
win11-20240419-en
General
-
Target
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe
-
Size
174KB
-
MD5
df469e0a98c5be3dbbdee404268d491a
-
SHA1
17951c7c3b3dbb7769efa595298ac0183e000c77
-
SHA256
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba
-
SHA512
8c90c9e5b57a854b38600946659d39519a222d5cc36008ef9617df74719e662d66445ca223cff7feffabbb50ecad6028d06d436c5d8fdb349b6bf9ddd1128dfc
-
SSDEEP
1536:+ngptcHx6TyxkuM39m/wrut+8IGA/75IVL0tQlfYvm/ivedMzcfknx9Xb5Wyq9R9:+nZZBMtjruMGA/lxtbvma2dGTb5Wyq9
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
lumma
https://accountasifkwosov.shop/api
https://productivelookewr.shop/api
https://tolerateilusidjukl.shop/api
https://shatterbreathepsw.shop/api
https://shortsvelventysjo.shop/api
https://incredibleextedwj.shop/api
https://alcojoldwograpciw.shop/api
https://liabilitynighstjsko.shop/api
https://demonstationfukewko.shop/api
https://palmeventeryjusk.shop/api
https://entitlementappwo.shop/api
https://economicscreateojsu.shop/api
https://pushjellysingeywus.shop/api
https://absentconvicsjawun.shop/api
https://suitcaseacanehalk.shop/api
https://bordersoarmanusjuw.shop/api
https://mealplayerpreceodsju.shop/api
https://wifeplasterbakewis.shop/api
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Deletes itself 1 IoCs
Processes:
pid process 3188 -
Executes dropped EXE 3 IoCs
Processes:
F10F.exeF5C3.exeFC8B.exepid process 684 F10F.exe 2168 F5C3.exe 4848 FC8B.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
Processes:
flow ioc 90 raw.githubusercontent.com 91 raw.githubusercontent.com 64 drive.google.com 65 drive.google.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
F5C3.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 F5C3.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
F10F.exedescription pid process target process PID 684 set thread context of 4196 684 F10F.exe BitLockerToGo.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3504 4848 WerFault.exe FC8B.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exepid process 3220 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe 3220 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 3188 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exepid process 3220 a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 3188 Token: SeCreatePagefilePrivilege 3188 Token: SeShutdownPrivilege 3188 Token: SeCreatePagefilePrivilege 3188 Token: SeShutdownPrivilege 3188 Token: SeCreatePagefilePrivilege 3188 Token: SeShutdownPrivilege 5104 explorer.exe Token: SeCreatePagefilePrivilege 5104 explorer.exe Token: SeShutdownPrivilege 5104 explorer.exe Token: SeCreatePagefilePrivilege 5104 explorer.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
cmd.execmd.exeF10F.exedescription pid process target process PID 3188 wrote to memory of 3276 3188 cmd.exe PID 3188 wrote to memory of 3276 3188 cmd.exe PID 3276 wrote to memory of 3844 3276 cmd.exe reg.exe PID 3276 wrote to memory of 3844 3276 cmd.exe reg.exe PID 3188 wrote to memory of 4980 3188 cmd.exe PID 3188 wrote to memory of 4980 3188 cmd.exe PID 4980 wrote to memory of 4208 4980 cmd.exe reg.exe PID 4980 wrote to memory of 4208 4980 cmd.exe reg.exe PID 3188 wrote to memory of 684 3188 F10F.exe PID 3188 wrote to memory of 684 3188 F10F.exe PID 3188 wrote to memory of 2168 3188 F5C3.exe PID 3188 wrote to memory of 2168 3188 F5C3.exe PID 3188 wrote to memory of 2168 3188 F5C3.exe PID 3188 wrote to memory of 4848 3188 FC8B.exe PID 3188 wrote to memory of 4848 3188 FC8B.exe PID 3188 wrote to memory of 4848 3188 FC8B.exe PID 684 wrote to memory of 4196 684 F10F.exe BitLockerToGo.exe PID 684 wrote to memory of 4196 684 F10F.exe BitLockerToGo.exe PID 684 wrote to memory of 4196 684 F10F.exe BitLockerToGo.exe PID 684 wrote to memory of 4196 684 F10F.exe BitLockerToGo.exe PID 684 wrote to memory of 4196 684 F10F.exe BitLockerToGo.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe"C:\Users\Admin\AppData\Local\Temp\a48d767621acecbb12a31fbd4007a16e77e6a0155d255c056f2400d0b17cfeba.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BD21.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CE49.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\F10F.exeC:\Users\Admin\AppData\Local\Temp\F10F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exeC:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\F5C3.exeC:\Users\Admin\AppData\Local\Temp\F5C3.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\FC8B.exeC:\Users\Admin\AppData\Local\Temp\FC8B.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 3842⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4848 -ip 48481⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BD21.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\F10F.exeFilesize
9.9MB
MD52627387eb5495186ee3850fdc0b2ebde
SHA18c062c24ad34332f8033a8cac193e4519d3d7534
SHA2569e86e4796a51e2cae9487ec086aa2159b65a037808e70a0e7dbaf5a946a8801e
SHA5120c86e0b5de1b149913b7039fcc3fb8dcc17112617a5af731c3c90d6c822dbb7f2f5660e5790d0c134437383d5b6a71176839c0125c6c391f4ea26ffce0480b25
-
C:\Users\Admin\AppData\Local\Temp\F5C3.exeFilesize
421KB
MD59185b776b7a981d060b0bb0d7ffed201
SHA1427982fb520c099e8d2e831ace18294ade871aff
SHA25691a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b
SHA512cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8
-
C:\Users\Admin\AppData\Local\Temp\FC8B.exeFilesize
390KB
MD56c21c8ef344979d8e474bd775ce3010d
SHA1bb8d15a1a43284becbc0417832e6fdf23bd90b8a
SHA25668d4c2cf8164fa47d18242ceff50fdc09a68a485703bd83388a32ffc84d67dd7
SHA512ca7cdcd9c78e5149d0b3299fcf4f9b94e062f4effb62ba6d952dd65c32d200bcdba2108c9898805543fa1e22f999ae71f818727a82426f85a983cd1148df0431
-
memory/684-40-0x00007FF68EE80000-0x00007FF68F8C6000-memory.dmpFilesize
10.3MB
-
memory/684-38-0x00007FF68EE80000-0x00007FF68F8C6000-memory.dmpFilesize
10.3MB
-
memory/3188-45-0x0000000002DC0000-0x0000000002DC1000-memory.dmpFilesize
4KB
-
memory/3188-5-0x0000000001470000-0x0000000001486000-memory.dmpFilesize
88KB
-
memory/3220-9-0x0000000002BD0000-0x0000000002BDB000-memory.dmpFilesize
44KB
-
memory/3220-8-0x0000000000400000-0x0000000002AE9000-memory.dmpFilesize
38.9MB
-
memory/3220-1-0x0000000002BE0000-0x0000000002CE0000-memory.dmpFilesize
1024KB
-
memory/3220-4-0x0000000000400000-0x0000000002AE9000-memory.dmpFilesize
38.9MB
-
memory/3220-3-0x0000000000400000-0x0000000002AE9000-memory.dmpFilesize
38.9MB
-
memory/3220-2-0x0000000002BD0000-0x0000000002BDB000-memory.dmpFilesize
44KB
-
memory/4196-39-0x0000000001250000-0x000000000129F000-memory.dmpFilesize
316KB
-
memory/4196-41-0x0000000001250000-0x000000000129F000-memory.dmpFilesize
316KB
-
memory/4848-42-0x0000000000400000-0x0000000001A2D000-memory.dmpFilesize
22.2MB