Analysis

  • max time kernel
    300s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-05-2024 23:08

General

  • Target

    546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe

  • Size

    654KB

  • MD5

    87f8958f40e487f7d816cd1aaf52fa84

  • SHA1

    0d84722779ef406a090fd085c7a2f4ed636afb3d

  • SHA256

    546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8

  • SHA512

    717c228b27dddca019fe81a8619f6a8d11b0362140de276aa5d6746b3eb0bc1130ae4b79a7a4389541e872cdb63b781a37a1cd459b810b0380deb6b046a0e287

  • SSDEEP

    12288:IXAx/2a0CTmgQ9AlrsgsdNUUhfjersFwz3NTwBOuCUxQQZNIuJ3M7THqAi4dD4:IXAx/2z9CrsgsTUU1ioEnuCUxQQZN9Je

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 20 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
      "C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:112
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2148
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1168
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2532
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:1680
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:2800
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 55118045
          4⤵
          PID:2420
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "RealizedBreachAttractCasino" Sapphire
          4⤵
          PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Bulk + Vic + Wherever 55118045\g
          4⤵
          PID:2620
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118045\Weblog.pif
          55118045\Weblog.pif 55118045\g
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2556
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:2280
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118045\Weblog.pif
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118045\Weblog.pif"
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2744
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {746D0E88-EFF8-4B92-8244-209230380F5F} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Roaming\hesihve
      C:\Users\Admin\AppData\Roaming\hesihve
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2976

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Discovery
    • System Information Discovery (T1082): 2
    • Query Registry (T1012): 2
    • Peripheral Device Discovery (T1120): 1
    • Process Discovery (T1057): 1
    • Remote System Discovery (T1018): 1


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118045\g
    Filesize: 214KB
    MD5: 296d2bbf6e73a7b42a374a60689953b3
    SHA1: fd960c722e0e60a8fe1698c96bdae2906da5b5ec
    SHA256: 21d83dc927f662e9df2e459662e098faf55e6585436224feec00441e57351d77
    SHA512: d87b60f93c0e3546b8d19b7216bb771320c6c6768d02e113d44bb6599f58605c2f14440cf6ac2657105ffecdeb71a63f70829afb38b0be0550b6cf5c6e5ab205

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Atlas
    Filesize: 65KB
    MD5: ee1f72d5b02779697690575c753b3ab2
    SHA1: 4be8b375e959f56d0803f2d0757be0c8e3e8416c
    SHA256: 47c298d264557ed2d5b78eda0f14f8a1f0ddaffbb211a6cee785ec49d53336be
    SHA512: 60c4c18d8dc49c8c8cdfffa5abc47fb63546f84d1dd2e7a08c1e51fa85acf8aea8361d3a4c022b88f4e69f1351a6a34337e73ab18d9429c54fd10bd1f5b287d5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bizrate
    Filesize: 252KB
    MD5: ffaad75a449bd850e6468c4d9a034ff3
    SHA1: 327785fda15cc4fdca2e4813a964ac760446924c
    SHA256: b1f2edff5c954f562c37e4c19b5c639da94186275d6a09fcf99b9a4c1a1a7b2e
    SHA512: 2af2f594fa8d3a0b46569e6832ebc864bc23120b2d376bb2973cd7a6c1c3f1d8f9dd4bc5af0717f5bdac93058f6ea55e9e54b91628e4db00d90befac4e55736f

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bulk
    Filesize: 27KB
    MD5: 011a99302e6aedccfc371e2385dce3b1
    SHA1: ac2969c6447df8af5f0b16a43d89055b1c3cd927
    SHA256: f3c746ba265885c3679a3d05df362fa6c02de3df5af888d32f7366efab948cf9
    SHA512: 64fc6323f52dded98efb4cc8f2649260a4aaab3d15683bef353a5f9b0609bcb70e95efd7e548aa1496695a5a156d16c89b922332bc731bd52b8e9725dc43f5ba

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Church
    Filesize: 193KB
    MD5: dde77074cd4fc4841d8863e50165d308
    SHA1: 552f65ce1b9c4e73d83a969a0c6b49249fc4153c
    SHA256: d75f980e9ab4e2abf7fdb4a3cc1023c8cf4992cc3cf2d3b8e51f058cadf1eacb
    SHA512: 0eaeef3d1601f0c103f9fa39d5fb2ec93b62ca726516efc555ff7ab2f4622bb2986bd2818f35e143a6faa36e2bfb882c3646f416e93ff6901cac8f4adb2b6b67

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Craig
    Filesize: 88KB
    MD5: 1378c5909a67575d7113ea9c447ec1c3
    SHA1: f1696a1698f957bde6e76824fd64372f8edebc52
    SHA256: 73ef6f39ddccaa4ae564adf7b322c2a5ca01309de1fa0d42fe158ea0ab409b2a
    SHA512: cd3d95081a385db6167068a43e927ce450da0ad58add5e9882af54e63c40f74c3bc903f62fa3c8fba00cdc743a08cadfa7d2f190a62648f7bdf0f376fd45e119

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Eva
    Filesize: 8KB
    MD5: 3e1810f589d8150d793a2c37fa7f5f1c
    SHA1: def0e663b443ad59916389e12dbc683ac63588ef
    SHA256: e14f8b41926cb04a1c4fced906196ff15e987a89ae8ddc906d2d4c7ccd075a6f
    SHA512: ba3a5fd0a30cc54b440e9c13b061628c2037044d96db6d0132433d62ccd8261f87f636be59a3545e0ad53dabe939a560e1f3eb61f3534e4fb757b1de523786c4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hon
    Filesize: 256KB
    MD5: bd673916d377edc0766b9bdcdf0bd7c7
    SHA1: d967cc371085b5dc430f85c1128fdfdce83dc38b
    SHA256: cac7bf46fc8cba66bfd9cea2da8884aeb5b95a580207b926f4d4b84edf21b55d
    SHA512: d92c428b2b398d2470ae8087ef8e3128b221cf7731b1461a99ffd4e474e176c1e558e7828dbf09122a3e3cb4a28ee3e14e6daf301c5ab572641b264d24de6e29

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sapphire
    Filesize: 207B
    MD5: a5cde500d1db6a63c99d2711f6628601
    SHA1: 6b17d82b42d0bf7e37de08545a7f310565fba7e6
    SHA256: 5e65d778ca46c8619a15f27fd156f4603b357bb58f47a0e47cd1db36ed8750c7
    SHA512: 6c5612b70b7ed81fcf5deb4b5259884fc64cc3b66e431710784c3e9e2f93eb9aab39fbbf71b2c24548d8397ab5ae899c40427bf328e35cd8dfac154c6c0fcb07

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sustained
    Filesize: 18KB
    MD5: 1eb069a51524c43c3f55564346859e68
    SHA1: 5402dccf904132ee5fc86b82e512af830a410fbd
    SHA256: 3abc358356fd8f311dfa62fff7cfd0938e065e779613dd8a15d20efa23ca201d
    SHA512: 83c45c308ae5bacd2877d15bf853eefc5d3dfbcba663f450d4dbde6207bca07e3a716e68812c3141b2d2cfd93a027af392501e105180d6d5d8197bb1208665ca

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vic
    Filesize: 126KB
    MD5: 8273ad98033324191048b5e37ad2e84c
    SHA1: ac8e6fa17ca35f6934200ebc4bfbd326219c9dba
    SHA256: 3280ece8ebb88ff6660d76d250b7d6ed295f2bd5983272b47f298daac15d7efb
    SHA512: 3a75d3cd2ba645e5e8f6ae37444ff2ba96234a7ab7f5eec38a13caa959f42d648310710a7b3bd6bf6ae7f6357773d26c095daaf3373a23c8297fe9037c0b6e31

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wherever
    Filesize: 61KB
    MD5: 198fa81b8b37d09238bcc92fa94c894c
    SHA1: 71e9219258f485a388d79b05f83e953f5c04ceec
    SHA256: 195e5d7e0081e2ac1c8d9537ffe0103d5e5968edcc2a16dcf5530095127121a6
    SHA512: fcbdf7603dff2b89c7d42b1576f725754b45eeb516cac9fea32719eec0e74f4a384df19137f64f08461e4988b88bfa9ac51a08deb54bb985ad8326c6bf7d85af

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\55118045\Weblog.pif
    Filesize: 872KB
    MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
    SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
    SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
    SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • memory/1172-35-0x0000000002DA0000-0x0000000002DB6000-memory.dmp
    Filesize: 88KB

  • memory/2976-44-0x0000000004BF0000-0x0000000004BF2000-memory.dmp
    Filesize: 8KB