Analysis
-
max time kernel
139s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-04-2024 11:44
Static task
static1
Behavioral task
behavioral1
Sample
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
Resource
win10v2004-20240426-en
General
-
Target
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe
-
Size
273KB
-
MD5
a7a476d82ccf49fcc87bfe5dd5a395a5
-
SHA1
0daa3664b2f86c3af059ca0c867bb1f928c760a2
-
SHA256
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd
-
SHA512
57bc1426b272bb79993f10587bcee0608d176e439b324354edd09099fe6a004cc91544893dc317192db92ba0d18d84be656c55acb1c9a4f934f9260442ee90e4
-
SSDEEP
6144:TEk00KpwnNeKgygYzRwtbhlcu2p77wmV:T90twnN3eiAaumV
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe -
Deletes itself 1 IoCs
Processes:
pid process 1180 -
Executes dropped EXE 4 IoCs
Processes:
B482.exework.exepodaw.exeB7BE.exepid process 2664 B482.exe 1236 work.exe 1964 podaw.exe 2332 B7BE.exe -
Loads dropped DLL 5 IoCs
Processes:
cmd.exework.exepid process 1856 cmd.exe 1236 work.exe 1236 work.exe 1236 work.exe 1236 work.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe vmprotect behavioral1/memory/1964-81-0x0000000001330000-0x0000000001C21000-memory.dmp vmprotect -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
B7BE.exedescription ioc process File opened for modification \??\PHYSICALDRIVE0 B7BE.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe -
Modifies registry class 5 IoCs
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exepid process 2328 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe 2328 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 1180 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
explorer.exepid process 780 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exepid process 2328 64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
explorer.exedescription pid process Token: SeShutdownPrivilege 1180 Token: SeShutdownPrivilege 1180 Token: SeShutdownPrivilege 1180 Token: SeShutdownPrivilege 1180 Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe Token: SeShutdownPrivilege 780 explorer.exe -
Suspicious use of FindShellTrayWindow 28 IoCs
Processes:
explorer.exepid process 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe -
Suspicious use of SendNotifyMessage 17 IoCs
Processes:
explorer.exepid process 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe 780 explorer.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
cmd.execmd.exeB482.execmd.exework.exedescription pid process target process PID 1180 wrote to memory of 2540 1180 cmd.exe PID 1180 wrote to memory of 2540 1180 cmd.exe PID 1180 wrote to memory of 2540 1180 cmd.exe PID 2540 wrote to memory of 2024 2540 cmd.exe reg.exe PID 2540 wrote to memory of 2024 2540 cmd.exe reg.exe PID 2540 wrote to memory of 2024 2540 cmd.exe reg.exe PID 1180 wrote to memory of 3044 1180 cmd.exe PID 1180 wrote to memory of 3044 1180 cmd.exe PID 1180 wrote to memory of 3044 1180 cmd.exe PID 3044 wrote to memory of 2472 3044 cmd.exe reg.exe PID 3044 wrote to memory of 2472 3044 cmd.exe reg.exe PID 3044 wrote to memory of 2472 3044 cmd.exe reg.exe PID 1180 wrote to memory of 2664 1180 B482.exe PID 1180 wrote to memory of 2664 1180 B482.exe PID 1180 wrote to memory of 2664 1180 B482.exe PID 1180 wrote to memory of 2664 1180 B482.exe PID 2664 wrote to memory of 1856 2664 B482.exe cmd.exe PID 2664 wrote to memory of 1856 2664 B482.exe cmd.exe PID 2664 wrote to memory of 1856 2664 B482.exe cmd.exe PID 2664 wrote to memory of 1856 2664 B482.exe cmd.exe PID 1856 wrote to memory of 1236 1856 cmd.exe work.exe PID 1856 wrote to memory of 1236 1856 cmd.exe work.exe PID 1856 wrote to memory of 1236 1856 cmd.exe work.exe PID 1856 wrote to memory of 1236 1856 cmd.exe work.exe PID 1236 wrote to memory of 1964 1236 work.exe podaw.exe PID 1236 wrote to memory of 1964 1236 work.exe podaw.exe PID 1236 wrote to memory of 1964 1236 work.exe podaw.exe PID 1236 wrote to memory of 1964 1236 work.exe podaw.exe PID 1180 wrote to memory of 2332 1180 B7BE.exe PID 1180 wrote to memory of 2332 1180 B7BE.exe PID 1180 wrote to memory of 2332 1180 B7BE.exe PID 1180 wrote to memory of 2332 1180 B7BE.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe"C:\Users\Admin\AppData\Local\Temp\64219f4d2644837ee3daa21509674404a8b316cfb6b80ed48fe98a4a534f94bd_x.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\63A3.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\73AB.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\B482.exeC:\Users\Admin\AppData\Local\Temp\B482.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B7BE.exeC:\Users\Admin\AppData\Local\Temp\B7BE.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\63A3.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\B482.exeFilesize
6.1MB
MD59fb56dd5b5beb0b9c5d0102f22373c0b
SHA15559dc162d09c11c1ed80aedf8e9fa86fd531e4c
SHA256a65b290aa9ebfb82746cf75440c19956169f48d7dcbebafde6996c9b46039539
SHA512ab6c88acddf3350f4da37e20e38fc1bd4ac56433d5320fa071649ddf261cf1b6bb4692b54791e08e47b9e887a87ba5704afde6cb9aa9220c1da7f27c85400a1c
-
C:\Users\Admin\AppData\Local\Temp\B7BE.exeFilesize
421KB
MD59185b776b7a981d060b0bb0d7ffed201
SHA1427982fb520c099e8d2e831ace18294ade871aff
SHA25691a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b
SHA512cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.batFilesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exeFilesize
5.8MB
MD58eeea65d388106b4489d07e025e17fed
SHA196651968f724c7daec51e74476403899bc7bf8c2
SHA25669efe73bf8f9669427fb25962d104fb63ae7a4fdb4fb2f0022c7541a72c8a2c3
SHA5121c5966906a89b8e7e83bf382c382e5ece1cf6827e7ba7e4ab4fc0ba0c91284bf398bf4822c53aab250520f7ffde231090a9e44d11493b6be8921899fb6d944d7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\podaw.exeFilesize
5.5MB
MD5125c7efdef3f11c70b514739b1bab646
SHA1526560d1ff7636ea4f0404eb74f5da68f7eb8e23
SHA2562ca04fad5b8a81264292bb9877cb9c1c9f7a484cd03815ec9bb686ddf70edefa
SHA512e08218e2415a051b9b8b7e6d28e6822341227fc5256f418c22b2b39f6d3d89e763f58b77dbbdfc792f8a8a17870136be5757c736db1c98d3437e76500f768261
-
memory/1180-83-0x0000000002A30000-0x0000000002A31000-memory.dmpFilesize
4KB
-
memory/1180-4-0x0000000002D80000-0x0000000002D96000-memory.dmpFilesize
88KB
-
memory/1964-78-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1964-81-0x0000000001330000-0x0000000001C21000-memory.dmpFilesize
8.9MB
-
memory/1964-80-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/1964-76-0x00000000000E0000-0x00000000000E1000-memory.dmpFilesize
4KB
-
memory/2328-5-0x0000000000400000-0x0000000001A10000-memory.dmpFilesize
22.1MB
-
memory/2328-1-0x0000000000230000-0x0000000000330000-memory.dmpFilesize
1024KB
-
memory/2328-3-0x0000000000400000-0x0000000001A10000-memory.dmpFilesize
22.1MB
-
memory/2328-2-0x00000000003A0000-0x00000000003AB000-memory.dmpFilesize
44KB