Analysis
-
max time kernel
300s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
29-04-2024 04:52
Static task
static1
Behavioral task
behavioral1
Sample
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Resource
win10-20240404-en
General
-
Target
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
-
Size
307KB
-
MD5
14bc49a4e337e1d9629ae9be1955ca6c
-
SHA1
6875af987f3092686e0fb6e627088b6565434eee
-
SHA256
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4
-
SHA512
461c45c30378ae8ab3fd891dbe743f866861ec02027290de97326b6bdd2d20e10499c424bf202b531651633bdf2c75a2c6a505b8cd76daf17e4d3dea4b8e8312
-
SSDEEP
3072:mrU1NornrRpzp+1Y3Xwr+1cEFws13ppVuCC3FVwCL6BhsAH1fQQJGESXFqNcB:mtVqiCE1MCC3FephTH1fQQJGfXecB
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
Version: 2022
C2:
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid process
1204 (image name not recorded)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI device information is often read to detect sandboxes: virtualised disks report hypervisor vendor/product strings (for example VMware or VBOX) in their device IDs under Enum\SCSI.
Processes:
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
-
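The check behind this signature, re-created as an added example (this is not code from the report or from the sample): open, query and enumerate HKLM\SYSTEM\ControlSet001\Enum\SCSI (the three IoCs above) and look for hypervisor vendor strings in the device-ID subkey names. The marker list and the two sets of device IDs are constructed assumptions for illustration; the sample's own string list is not on the page.

```python
"""Sandbox check via SCSI device enumeration (added example, not the sample's code)."""
import sys

# Key the sample touched; note the hard-coded ControlSet001 rather than CurrentControlSet.
SCSI_ENUM_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings hypervisors typically embed in SCSI device IDs.
# Assumption: illustrative list, not the one used by the sample.
VM_MARKERS = ("VMWAR", "VBOX", "VIRTUALBOX", "QEMU", "VIRTUAL", "VIRTIO")

# Constructed device-ID subkey names so the logic runs offline on any OS.
SANDBOX_DEVICE_IDS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
HYPERV_DEVICE_IDS = ["Disk&Ven_Msft&Prod_Virtual_Disk"]
PHYSICAL_DEVICE_IDS = [
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSC0",
]


def enumerate_scsi_device_ids():
    """Open, query and enumerate Enum\SCSI (Windows only).

    Returns the device-ID subkey names, e.g. 'Disk&Ven_VMware&Prod_Virtual_disk'.
    """
    import winreg  # stdlib module that only exists on Windows
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ENUM_KEY) as key:
        n_subkeys, _n_values, _mtime = winreg.QueryInfoKey(key)
        for i in range(n_subkeys):
            ids.append(winreg.EnumKey(key, i))
    return ids


def find_vm_indicators(device_ids):
    """Return (device_id, marker) for every ID that names a hypervisor."""
    hits = []
    for dev in device_ids:
        upper = dev.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits.append((dev, marker))
                break
    return hits


def looks_like_sandbox(device_ids):
    """True when at least one SCSI device ID carries a hypervisor marker."""
    return bool(find_vm_indicators(device_ids))


if __name__ == "__main__":
    ids = enumerate_scsi_device_ids() if sys.platform == "win32" else SANDBOX_DEVICE_IDS
    for dev, marker in find_vm_indicators(ids):
        print(f"VM indicator {marker!r} in {dev}")
    print("sandbox" if looks_like_sandbox(ids) else "physical host")
```

Two practical consequences follow from the check: a sandbox that wants this sample to proceed must present SCSI device IDs without hypervisor vendor strings, and a detection rule can key on the open/query/enumerate sequence against Enum\SCSI from a process that has no business reading storage topology (here, a freshly dropped executable in the user's Temp directory).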
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
pid process
2308 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe (2 IoCs)
1204 (image name not recorded; the remaining 62 of the 64 IoCs)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
pid process
2308 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                 pid   process
Token: SeShutdownPrivilege  1204  (image name not recorded)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
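What this TTP looks like in practice, as an added example that is not code from the report or from the sample: a task definition with a LogonTrigger (run at every logon) built as Task Scheduler XML, a parser for that XML of the kind an analyst runs over files under C:\Windows\System32\Tasks, and the registration call through the Schedule.Service COM object. The command path, task name and the use of pywin32 for the COM call are assumptions; the page does not record what the sample scheduled.

```python
"""Task Scheduler persistence via the COM API (added example, not the sample's code)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def build_task_xml(command, arguments=""):
    """Task definition that runs `command` at every interactive logon."""
    return f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><LogonType>InteractiveToken</LogonType></Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>{escape(command)}</Command>
      <Arguments>{escape(arguments)}</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task_xml(xml_text):
    """Summarise a task definition: trigger types and (command, arguments) pairs.

    Pass bytes read from a file on disk; real task files are UTF-16 and
    ElementTree honours the declaration when given bytes.
    """
    ns = {"t": TASK_NS}
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", ns)
    triggers = [] if triggers_el is None else [el.tag.split("}")[1] for el in triggers_el]
    commands = [
        (
            ex.findtext("t:Command", default="", namespaces=ns),
            ex.findtext("t:Arguments", default="", namespaces=ns),
        )
        for ex in root.findall("t:Actions/t:Exec", ns)
    ]
    return {"triggers": triggers, "commands": commands}


def register_task(name, xml_text):
    """Register the task through the Schedule.Service COM object (Windows only).

    Assumption: pywin32 is installed. Flags are TASK_CREATE_OR_UPDATE (6) and
    TASK_LOGON_INTERACTIVE_TOKEN (3) from the Task Scheduler 2.0 enumerations.
    """
    import win32com.client
    service = win32com.client.Dispatch("Schedule.Service")
    service.Connect()
    folder = service.GetFolder("\\")
    return folder.RegisterTask(name, xml_text, 6, "", "", 3)


if __name__ == "__main__":
    # Hypothetical dropped-payload path; constructed for the example.
    task_xml = build_task_xml(r"C:\Users\Admin\AppData\Roaming\update.exe", "--quiet")
    print(parse_task_xml(task_xml))
```

On the defensive side the same registration shows up as Security event 4698 (a scheduled task was created) and as a new XML file under C:\Windows\System32\Tasks; parse_task_xml over those files turns a directory of task definitions into a list of trigger types and command lines that can be checked against expected software.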
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2308
Network
MITRE ATT&CK Enterprise v15
Downloads
-
memory/1204-4-0x0000000002980000-0x0000000002996000-memory.dmp
Filesize 88KB
-
memory/2308-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
Filesize 44KB
-
memory/2308-1-0x00000000002D0000-0x00000000003D0000-memory.dmp
Filesize 1024KB
-
memory/2308-3-0x0000000000400000-0x000000000403D000-memory.dmp
Filesize 60.2MB
-
memory/2308-5-0x0000000000400000-0x000000000403D000-memory.dmp
Filesize 60.2MB