Analysis
- max time kernel: 195s
- max time network: 299s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-05-2024 23:08

Static task: static1

Behavioral task: behavioral1
- Sample: 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
- Resource: win10-20240404-en
General
- Target: 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe
- Size: 654KB
- MD5: 87f8958f40e487f7d816cd1aaf52fa84
- SHA1: 0d84722779ef406a090fd085c7a2f4ed636afb3d
- SHA256: 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8
- SHA512: 717c228b27dddca019fe81a8619f6a8d11b0362140de276aa5d6746b3eb0bc1130ae4b79a7a4389541e872cdb63b781a37a1cd459b810b0380deb6b046a0e287
- SSDEEP: 12288:IXAx/2a0CTmgQ9AlrsgsdNUUhfjersFwz3NTwBOuCUxQQZNIuJ3M7THqAi4dD4:IXAx/2z9CrsgsTUU1ioEnuCUxQQZN9Je
Malware Config
Extracted
- Family: smokeloader
- Botnet: pub3
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  A new process was created with a parent other than the process that created it (parent-PID spoofing). The process tree below accordingly shows the second Weblog.pif instance (PID 3392) directly under Explorer.EXE instead of under its creator, Weblog.pif PID 3728.
  description           | pid  | process    | target process
  PID 3728 created 3264 | 3728 | Weblog.pif | Explorer.EXE

- Executes dropped EXE (2 IoCs)
  pid  | process
  3728 | Weblog.pif
  3392 | Weblog.pif

- Suspicious use of SetThreadContext (1 IoC)
  Together with the WriteProcessMemory calls from PID 3728 into PID 3392 and the 44KB dumps of 3392's image region listed under Downloads, this is the usual process-hollowing pattern: the first Weblog.pif spawns a second copy of itself, overwrites it, and redirects its thread.
  description                         | pid  | process    | target process
  PID 3728 set thread context of 3392 | 3728 | Weblog.pif | Weblog.pif

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments. The process tree attributes this check to the second Weblog.pif instance (PID 3392).
  description    | ioc                                              | process
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Weblog.pif
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Weblog.pif
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Weblog.pif

- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid  | process
  4288 | tasklist.exe
  4932 | tasklist.exe

- Runs ping.exe (1 TTP, 1 IoC)
  ping -n 5 127.0.0.1 (PID 4816): pinging loopback five times is a batch-file sleep, not a connectivity check.

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid  | process    | occurrences
  3728 | Weblog.pif | 14

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | process
  Token: SeDebugPrivilege | 4288 | tasklist.exe
  Token: SeDebugPrivilege | 4932 | tasklist.exe

- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  | process    | occurrences
  3728 | Weblog.pif | 3

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid  | process    | occurrences
  3728 | Weblog.pif | 3

- Suspicious use of WriteProcessMemory (35 IoCs)
  description                      | pid  | process                                                                    | target process | occurrences
  PID 1104 wrote to memory of 4912 | 1104 | 546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe | cmd.exe        | 3
  PID 4912 wrote to memory of 4288 | 4912 | cmd.exe                                                                    | tasklist.exe   | 3
  PID 4912 wrote to memory of 380  | 4912 | cmd.exe                                                                    | findstr.exe    | 3
  PID 4912 wrote to memory of 4932 | 4912 | cmd.exe                                                                    | tasklist.exe   | 3
  PID 4912 wrote to memory of 1708 | 4912 | cmd.exe                                                                    | findstr.exe    | 3
  PID 4912 wrote to memory of 2736 | 4912 | cmd.exe                                                                    | cmd.exe        | 3
  PID 4912 wrote to memory of 4184 | 4912 | cmd.exe                                                                    | findstr.exe    | 3
  PID 4912 wrote to memory of 5008 | 4912 | cmd.exe                                                                    | cmd.exe        | 3
  PID 4912 wrote to memory of 3728 | 4912 | cmd.exe                                                                    | Weblog.pif     | 3
  PID 4912 wrote to memory of 4816 | 4912 | cmd.exe                                                                    | PING.EXE       | 3
  PID 3728 wrote to memory of 3392 | 3728 | Weblog.pif                                                                 | Weblog.pif     | 5
Processes
PIDs in parentheses are taken from the signature tables above.

C:\Windows\Explorer.EXE (PID 3264)
  command line: C:\Windows\Explorer.EXE
  +- C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe (PID 1104)
     command line: "C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe"
     - Suspicious use of WriteProcessMemory
     +- C:\Windows\SysWOW64\cmd.exe (PID 4912; 32-bit process, so System32 is redirected to SysWOW64)
        command line: "C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit
        - Suspicious use of WriteProcessMemory
        +- C:\Windows\SysWOW64\tasklist.exe (PID 4288)
           command line: tasklist
           - Enumerates processes with tasklist
           - Suspicious use of AdjustPrivilegeToken
        +- C:\Windows\SysWOW64\findstr.exe (PID 380)
           command line: findstr /I "wrsa.exe opssvc.exe"
        +- C:\Windows\SysWOW64\tasklist.exe (PID 4932)
           command line: tasklist
           - Enumerates processes with tasklist
           - Suspicious use of AdjustPrivilegeToken
        +- C:\Windows\SysWOW64\findstr.exe (PID 1708)
           command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        +- C:\Windows\SysWOW64\cmd.exe (PID 2736)
           command line: cmd /c md 55118105
        +- C:\Windows\SysWOW64\findstr.exe (PID 4184)
           command line: findstr /V "RealizedBreachAttractCasino" Sapphire
        +- C:\Windows\SysWOW64\cmd.exe (PID 5008)
           command line: cmd /c copy /b Bulk + Vic + Wherever 55118105\g
        +- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif (PID 3728)
           command line: 55118105\Weblog.pif 55118105\g
           - Suspicious use of NtCreateUserProcessOtherParentProcess
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of SendNotifyMessage
           - Suspicious use of WriteProcessMemory
        +- C:\Windows\SysWOW64\PING.EXE (PID 4816)
           command line: ping -n 5 127.0.0.1
           - Runs ping.exe
  +- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif (PID 3392; created by PID 3728 with Explorer.EXE as the spoofed parent)
     command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
     - Executes dropped EXE
     - Checks SCSI registry key(s)

Read top to bottom, the tree is a single staging chain. The sample drops its pieces into the INetCache directory and runs cmd.exe there, which renames the 8KB file Eva to Eva.cmd and executes it. The batch file pipes tasklist into findstr twice to look for security products (Webroot wrsa.exe, Quick Heal opssvc.exe, Avast/AVG avastui.exe and avgui.exe, Norton nswscsvc.exe, Sophos sophoshealth.exe), creates the 55118105 directory, filters the marker line out of Sapphire with findstr /V, and builds 55118105\g by binary-concatenating Bulk, Vic and Wherever (27KB + 126KB + 61KB, matching the 214KB reported for g under Downloads). It then launches the 872KB Weblog.pif with g as its argument and uses ping against loopback as a delay. Weblog.pif (PID 3728) spawns a second copy of itself with Explorer.EXE as its parent, writes into it and sets its thread context; that second instance (PID 3392) is the one that reads the SCSI enumeration keys, a common sandbox check, and is the source of the memory dumps listed under Downloads.
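The staging chain the process tree records (rename-and-run of a dropped batch file, tasklist piped into findstr to probe for security-product processes, copy /b reassembly of fragments, a .pif launched from INetCache, a loopback ping used as a delay, and a child whose recorded parent is Explorer.EXE rather than its creator) can be matched directly from process-creation telemetry. The following is an added example and is not part of the sandbox report: the PIDs, image paths and command lines in EVENTS are copied from the tree above, while the event layout, the rule names and the matching logic are assumptions of this example.

```python
"""Rules over process-creation events for the staging chain in this report.

Added example, not part of the sandbox report. PIDs, image paths and command
lines are the report's; ProcEvent, the rule names and the logic are assumed.
Explorer's own parent PID is not in the report, so it is recorded as 0.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # parent PID as the OS records it
    image: str         # full image path
    cmdline: str
    creator: int = 0   # PID that called the create-process API, when it differs from ppid


INETCACHE = "\\appdata\\local\\microsoft\\windows\\inetcache\\"
RULES = []  # (name, predicate) pairs registered by the @rule decorator


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule(name):
    def register(fn):
        RULES.append((name, fn))
        return fn
    return register


@rule("cmd-rename-and-run-dropped-script")
def _rename_run(ev, ctx):
    # "move Eva Eva.cmd & Eva.cmd": a dropped file gets a script extension and is run at once
    return basename(ev.image) == "cmd.exe" and re.search(
        r"\bmove\s+(\S+)\s+\1\.(cmd|bat)\b.*?&\s*\1\.\2\b", ev.cmdline, re.I) is not None


@rule("av-process-probe-via-tasklist-findstr")
def _av_probe(ev, ctx):
    # findstr over a quoted list of .exe names, with a tasklist sibling to feed it
    if basename(ev.image) != "findstr.exe":
        return False
    m = re.search(r'"([^"]*)"', ev.cmdline)
    names = m.group(1).split() if m else []
    if not names or not all(n.lower().endswith(".exe") for n in names):
        return False
    return any(basename(s.image) == "tasklist.exe" for s in ctx["children"][ev.ppid])


COPY_B = re.compile(r"\bcopy\s+/b\s+(.+?)\s+(\S+)\s*$", re.I)


def parse_copy_b(cmdline):
    """Return (ordered source fragments, destination) for `copy /b a + b + c dest`, else None."""
    m = COPY_B.search(cmdline)
    if not m:
        return None
    return [p.strip() for p in m.group(1).split("+")], m.group(2)


@rule("copy-b-fragment-assembly")
def _copy_b(ev, ctx):
    parsed = parse_copy_b(ev.cmdline)
    return basename(ev.image) == "cmd.exe" and parsed is not None and len(parsed[0]) >= 2


@rule("pif-executed-from-inetcache")
def _pif(ev, ctx):
    low = ev.image.lower()
    return low.endswith(".pif") and INETCACHE in low


@rule("ping-loopback-delay")
def _ping(ev, ctx):
    return basename(ev.image) == "ping.exe" and re.search(
        r"\bping\s+-n\s+\d+\s+127\.0\.0\.1\b", ev.cmdline, re.I) is not None


@rule("parent-pid-spoofing")
def _ppid_spoof(ev, ctx):
    # the API caller is known and is not the parent the OS recorded
    return ev.creator not in (0, ev.ppid)


def scan(events):
    """Apply every rule to every event; returns sorted (pid, rule name) pairs."""
    children = defaultdict(list)
    for ev in events:
        children[ev.ppid].append(ev)
    ctx = {"by_pid": {ev.pid: ev for ev in events}, "children": children}
    return sorted((ev.pid, name) for ev in events for name, fn in RULES if fn(ev, ctx))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\546d7f26d8b2a42b4a917e3642c2fffa89a1be3a41795da4ccf8afb2e0f417e8.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache"
S32 = r"C:\Windows\SysWOW64"

# Constructed from the report's process tree (order and PIDs as listed there).
EVENTS = [
    ProcEvent(3264, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1104, 3264, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4912, 1104, S32 + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k move Eva Eva.cmd & Eva.cmd & exit'),
    ProcEvent(4288, 4912, S32 + r"\tasklist.exe", "tasklist"),
    ProcEvent(380, 4912, S32 + r"\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(4932, 4912, S32 + r"\tasklist.exe", "tasklist"),
    ProcEvent(1708, 4912, S32 + r"\findstr.exe", 'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(2736, 4912, S32 + r"\cmd.exe", "cmd /c md 55118105"),
    ProcEvent(4184, 4912, S32 + r"\findstr.exe", 'findstr /V "RealizedBreachAttractCasino" Sapphire'),
    ProcEvent(5008, 4912, S32 + r"\cmd.exe", r"cmd /c copy /b Bulk + Vic + Wherever 55118105\g"),
    ProcEvent(3728, 4912, CACHE + r"\55118105\Weblog.pif", r"55118105\Weblog.pif 55118105\g"),
    ProcEvent(4816, 4912, S32 + r"\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(3392, 3264, CACHE + r"\55118105\Weblog.pif", CACHE + r"\55118105\Weblog.pif", creator=3728),
]

if __name__ == "__main__":
    for pid, name in scan(EVENTS):
        print(f"{pid:>5}  {name}")
```

The parent-PID rule needs the creating process as well as the recorded parent, which is exactly the pair the sandbox's NtCreateUserProcessOtherParentProcess signature reports (creator 3728, recorded parent 3264); on a live endpoint the same pair is available from ETW process-start events or a Sysmon event 1 with a kernel-side parent. The findstr rule is kept narrow on purpose: a findstr whose quoted argument is a list of .exe names, with a tasklist sibling, is the AV-probe idiom, while the `findstr /V "marker" Sapphire` used to strip a line from a dropped file does not match.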
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\Weblog.pif
  Filesize: 872KB
  MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
  SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
  SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\55118105\g
  Filesize: 214KB
  MD5: 296d2bbf6e73a7b42a374a60689953b3
  SHA1: fd960c722e0e60a8fe1698c96bdae2906da5b5ec
  SHA256: 21d83dc927f662e9df2e459662e098faf55e6585436224feec00441e57351d77
  SHA512: d87b60f93c0e3546b8d19b7216bb771320c6c6768d02e113d44bb6599f58605c2f14440cf6ac2657105ffecdeb71a63f70829afb38b0be0550b6cf5c6e5ab205

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Atlas
  Filesize: 65KB
  MD5: ee1f72d5b02779697690575c753b3ab2
  SHA1: 4be8b375e959f56d0803f2d0757be0c8e3e8416c
  SHA256: 47c298d264557ed2d5b78eda0f14f8a1f0ddaffbb211a6cee785ec49d53336be
  SHA512: 60c4c18d8dc49c8c8cdfffa5abc47fb63546f84d1dd2e7a08c1e51fa85acf8aea8361d3a4c022b88f4e69f1351a6a34337e73ab18d9429c54fd10bd1f5b287d5

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bizrate
  Filesize: 252KB
  MD5: ffaad75a449bd850e6468c4d9a034ff3
  SHA1: 327785fda15cc4fdca2e4813a964ac760446924c
  SHA256: b1f2edff5c954f562c37e4c19b5c639da94186275d6a09fcf99b9a4c1a1a7b2e
  SHA512: 2af2f594fa8d3a0b46569e6832ebc864bc23120b2d376bb2973cd7a6c1c3f1d8f9dd4bc5af0717f5bdac93058f6ea55e9e54b91628e4db00d90befac4e55736f

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bulk
  Filesize: 27KB
  MD5: 011a99302e6aedccfc371e2385dce3b1
  SHA1: ac2969c6447df8af5f0b16a43d89055b1c3cd927
  SHA256: f3c746ba265885c3679a3d05df362fa6c02de3df5af888d32f7366efab948cf9
  SHA512: 64fc6323f52dded98efb4cc8f2649260a4aaab3d15683bef353a5f9b0609bcb70e95efd7e548aa1496695a5a156d16c89b922332bc731bd52b8e9725dc43f5ba

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Church
  Filesize: 193KB
  MD5: dde77074cd4fc4841d8863e50165d308
  SHA1: 552f65ce1b9c4e73d83a969a0c6b49249fc4153c
  SHA256: d75f980e9ab4e2abf7fdb4a3cc1023c8cf4992cc3cf2d3b8e51f058cadf1eacb
  SHA512: 0eaeef3d1601f0c103f9fa39d5fb2ec93b62ca726516efc555ff7ab2f4622bb2986bd2818f35e143a6faa36e2bfb882c3646f416e93ff6901cac8f4adb2b6b67

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Craig
  Filesize: 88KB
  MD5: 1378c5909a67575d7113ea9c447ec1c3
  SHA1: f1696a1698f957bde6e76824fd64372f8edebc52
  SHA256: 73ef6f39ddccaa4ae564adf7b322c2a5ca01309de1fa0d42fe158ea0ab409b2a
  SHA512: cd3d95081a385db6167068a43e927ce450da0ad58add5e9882af54e63c40f74c3bc903f62fa3c8fba00cdc743a08cadfa7d2f190a62648f7bdf0f376fd45e119

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eva
  Filesize: 8KB
  MD5: 3e1810f589d8150d793a2c37fa7f5f1c
  SHA1: def0e663b443ad59916389e12dbc683ac63588ef
  SHA256: e14f8b41926cb04a1c4fced906196ff15e987a89ae8ddc906d2d4c7ccd075a6f
  SHA512: ba3a5fd0a30cc54b440e9c13b061628c2037044d96db6d0132433d62ccd8261f87f636be59a3545e0ad53dabe939a560e1f3eb61f3534e4fb757b1de523786c4

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hon
  Filesize: 256KB
  MD5: bd673916d377edc0766b9bdcdf0bd7c7
  SHA1: d967cc371085b5dc430f85c1128fdfdce83dc38b
  SHA256: cac7bf46fc8cba66bfd9cea2da8884aeb5b95a580207b926f4d4b84edf21b55d
  SHA512: d92c428b2b398d2470ae8087ef8e3128b221cf7731b1461a99ffd4e474e176c1e558e7828dbf09122a3e3cb4a28ee3e14e6daf301c5ab572641b264d24de6e29

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sapphire
  Filesize: 207B
  MD5: a5cde500d1db6a63c99d2711f6628601
  SHA1: 6b17d82b42d0bf7e37de08545a7f310565fba7e6
  SHA256: 5e65d778ca46c8619a15f27fd156f4603b357bb58f47a0e47cd1db36ed8750c7
  SHA512: 6c5612b70b7ed81fcf5deb4b5259884fc64cc3b66e431710784c3e9e2f93eb9aab39fbbf71b2c24548d8397ab5ae899c40427bf328e35cd8dfac154c6c0fcb07

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sustained
  Filesize: 18KB
  MD5: 1eb069a51524c43c3f55564346859e68
  SHA1: 5402dccf904132ee5fc86b82e512af830a410fbd
  SHA256: 3abc358356fd8f311dfa62fff7cfd0938e065e779613dd8a15d20efa23ca201d
  SHA512: 83c45c308ae5bacd2877d15bf853eefc5d3dfbcba663f450d4dbde6207bca07e3a716e68812c3141b2d2cfd93a027af392501e105180d6d5d8197bb1208665ca

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vic
  Filesize: 126KB
  MD5: 8273ad98033324191048b5e37ad2e84c
  SHA1: ac8e6fa17ca35f6934200ebc4bfbd326219c9dba
  SHA256: 3280ece8ebb88ff6660d76d250b7d6ed295f2bd5983272b47f298daac15d7efb
  SHA512: 3a75d3cd2ba645e5e8f6ae37444ff2ba96234a7ab7f5eec38a13caa959f42d648310710a7b3bd6bf6ae7f6357773d26c095daaf3373a23c8297fe9037c0b6e31

- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wherever
  Filesize: 61KB
  MD5: 198fa81b8b37d09238bcc92fa94c894c
  SHA1: 71e9219258f485a388d79b05f83e953f5c04ceec
  SHA256: 195e5d7e0081e2ac1c8d9537ffe0103d5e5968edcc2a16dcf5530095127121a6
  SHA512: fcbdf7603dff2b89c7d42b1576f725754b45eeb516cac9fea32719eec0e74f4a384df19137f64f08461e4988b88bfa9ac51a08deb54bb985ad8326c6bf7d85af

Memory dumps (PID 3392, the second Weblog.pif instance; image region 0x400000-0x40B000):
- memory/3392-30-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/3392-31-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
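The report lists the three fragments Bulk (27KB), Vic (126KB) and Wherever (61KB) that the batch script joins with `copy /b`, and the 214KB file g that results, so the reassembly can be reproduced from an extracted INetCache directory and checked against the listed hashes. The following is an added example, not part of the sandbox report: the fragment order, sizes and hashes are the report's, while the function names, the kilobyte tolerance and the bytes used when testing are assumptions of this example.

```python
"""Rebuild the staged payload 55118105\\g from its fragments and verify it.

Added example, not part of the sandbox report. Fragment order comes from the
report's `copy /b Bulk + Vic + Wherever 55118105\\g` command line; the sizes
and hashes are the ones the report lists for those files.
"""
import hashlib
import os
import sys

FRAGMENT_ORDER = ["Bulk", "Vic", "Wherever"]                   # left-to-right order on the copy /b line
REPORTED_KB = {"Bulk": 27, "Vic": 126, "Wherever": 61, "g": 214}  # sizes as the report rounds them
REPORTED_G = {                                                  # digests the report lists for g
    "md5": "296d2bbf6e73a7b42a374a60689953b3",
    "sha1": "fd960c722e0e60a8fe1698c96bdae2906da5b5ec",
    "sha256": "21d83dc927f662e9df2e459662e098faf55e6585436224feec00441e57351d77",
}


def sizes_consistent(reported_kb, order, out_name="g", slack_kb=1):
    """Do the rounded fragment sizes add up to the rounded output size?

    Each reported size may be off by up to one KB from rounding, so the check
    allows that much slack per fragment (assumed tolerance, not from the report).
    """
    total = sum(reported_kb[name] for name in order)
    return abs(total - reported_kb[out_name]) <= slack_kb * len(order)


def concat(fragments):
    """Binary concatenation in order, which is all that `copy /b a + b + c` does."""
    return b"".join(fragments)


def digests(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matching_digests(data, reported):
    """Names of the reported digests that the data reproduces (empty means no match)."""
    got = digests(data)
    return sorted(alg for alg, val in reported.items() if got.get(alg) == val.lower())


def reassemble_from_dir(directory, order=FRAGMENT_ORDER):
    """Read the fragments out of an extracted INetCache directory and rebuild g."""
    blobs = []
    for name in order:
        with open(os.path.join(directory, name), "rb") as fh:
            blobs.append(fh.read())
    return concat(blobs)


if __name__ == "__main__":
    # usage: python reassemble_g.py <path to extracted INetCache directory>
    payload = reassemble_from_dir(sys.argv[1])
    print(len(payload), "bytes; digests matching the report:", matching_digests(payload, REPORTED_G))
```

A full three-way match confirms that g is nothing more than the fragments in that order, and the rebuilt file (not the 872KB Weblog.pif) is then the object to unpack, since it is the argument the loader is started with. A size match with a hash mismatch usually means the extracted fragments were modified after the copy ran, or that the order on the command line differs from the one reported.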