Analysis
max time kernel
300s
max time network
152s
platform
windows7_x64
resource
win7-20231129-en
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
01-05-2024 22:37
Static task
static1
Behavioral task
behavioral1
Sample
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Resource
win10-20240404-en
General
Target
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Size
307KB
MD5
14bc49a4e337e1d9629ae9be1955ca6c
SHA1
6875af987f3092686e0fb6e627088b6565434eee
SHA256
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4
SHA512
461c45c30378ae8ab3fd891dbe743f866861ec02027290de97326b6bdd2d20e10499c424bf202b531651633bdf2c75a2c6a505b8cd76daf17e4d3dea4b8e8312
SSDEEP
3072:mrU1NornrRpzp+1Y3Xwr+1cEFws13ppVuCC3FVwCL6BhsAH1fQQJGESXFqNcB:mtVqiCE1MCC3FephTH1fQQJGfXecB
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself 1 IoCs
Processes:
pid   process
1256  (no process name given in the report)

Executes dropped EXE 1 IoCs
Processes: jbjwvie
pid   process
1536  jbjwvie

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe, jbjwvie
description     ioc                                               process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jbjwvie
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jbjwvie
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jbjwvie

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
pid   process
2188  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
2188  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
1256  (no process name given; this row is repeated for the remaining 62 IoCs)

Suspicious behavior: MapViewOfSection 2 IoCs
Processes: 1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe, jbjwvie
pid   process
2188  1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe
1536  jbjwvie

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description                 pid   process
Token: SeShutdownPrivilege  1256  (no process name given in the report)

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1256  (no process name given in the report)
1256  (no process name given in the report)

Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
1256  (no process name given in the report)
1256  (no process name given in the report)

Suspicious use of WriteProcessMemory 4 IoCs
Processes: taskeng.exe
description                   pid   process      target process
PID 1636 wrote to memory of 1536  1636  taskeng.exe  jbjwvie
PID 1636 wrote to memory of 1536  1636  taskeng.exe  jbjwvie
PID 1636 wrote to memory of 1536  1636  taskeng.exe  jbjwvie
PID 1636 wrote to memory of 1536  1636  taskeng.exe  jbjwvie
Processes

C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {527C2AE5-1232-4241-A5F3-8C4821D3D142} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\jbjwvie (depth 2, child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\jbjwvie
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Roaming\jbjwvie
Filesize
307KB
MD5
14bc49a4e337e1d9629ae9be1955ca6c
SHA1
6875af987f3092686e0fb6e627088b6565434eee
SHA256
1e112b921c75e68a182c15a0a8c7c603d95d531f666506bc526c49cb25f31ea4
SHA512
461c45c30378ae8ab3fd891dbe743f866861ec02027290de97326b6bdd2d20e10499c424bf202b531651633bdf2c75a2c6a505b8cd76daf17e4d3dea4b8e8312

memory/1256-4-0x0000000002DA0000-0x0000000002DB6000-memory.dmp
Filesize
88KB

memory/1256-29-0x0000000003010000-0x0000000003026000-memory.dmp
Filesize
88KB

memory/1536-32-0x0000000000400000-0x000000000403D000-memory.dmp
Filesize
60.2MB

memory/2188-1-0x00000000041B0000-0x00000000042B0000-memory.dmp
Filesize
1024KB

memory/2188-3-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize
44KB

memory/2188-2-0x0000000000220000-0x000000000022B000-memory.dmp
Filesize
44KB

memory/2188-8-0x0000000000400000-0x000000000040B000-memory.dmp
Filesize
44KB

memory/2188-5-0x0000000000400000-0x000000000403D000-memory.dmp
Filesize
60.2MB