Analysis
- max time kernel: 133s
- max time network: 297s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 01-05-2024 23:50
Static task: static1
Behavioral task: behavioral1
  Sample: bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
  Resource: win10-20240404-en
General
- Target: bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
- Size: 673KB
- MD5: 6a923e65041f43e9bef4d54bfe1494ea
- SHA1: af71e57d4b7a9217e8b58804c620fbebbde4ed0c
- SHA256: bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4
- SHA512: 544bcf56f6d40d0420bc8558575bdae8b25fda86d31718b7b0641aac4052ca8ba6570c925b38459813f039ca22d3867e9630527ad31272eabc385e22a697b44f
- SSDEEP: 12288:VXdgVz3JSUIRhiJ7ik6l1gDe85nMZstLjGzhTjdBztew17Fly1TMiwJeV1+n:VXdgWU7YlWDeqtLjWjdBhewQ15OE8n
Malware Config
Extracted
smokeloader
pub3
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
    PID 2636 created 3316 | 2636 | Missions.pif | Explorer.EXE
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    2636 | Missions.pif
    4632 | Missions.pif
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2636 set thread context of 4632 | 2636 | Missions.pif | Missions.pif
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Missions.pif
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Missions.pif
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Missions.pif
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes (pid | process):
    4124 | tasklist.exe
    4288 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
    2636 | Missions.pif (8 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 4124 | tasklist.exe
    Token: SeDebugPrivilege | 4288 | tasklist.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes (pid | process):
    2636 | Missions.pif (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes (pid | process):
    2636 | Missions.pif (3 entries)
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (description | pid | process | target process):
    PID 3484 wrote to memory of 3612 | 3484 | bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe | cmd.exe (3 entries)
    PID 3612 wrote to memory of 4124 | 3612 | cmd.exe | tasklist.exe (3 entries)
    PID 3612 wrote to memory of 2320 | 3612 | cmd.exe | findstr.exe (3 entries)
    PID 3612 wrote to memory of 4288 | 3612 | cmd.exe | tasklist.exe (3 entries)
    PID 3612 wrote to memory of 3076 | 3612 | cmd.exe | findstr.exe (3 entries)
    PID 3612 wrote to memory of 3900 | 3612 | cmd.exe | cmd.exe (3 entries)
    PID 3612 wrote to memory of 3028 | 3612 | cmd.exe | findstr.exe (3 entries)
    PID 3612 wrote to memory of 4776 | 3612 | cmd.exe | cmd.exe (3 entries)
    PID 3612 wrote to memory of 2636 | 3612 | cmd.exe | Missions.pif (3 entries)
    PID 3612 wrote to memory of 1716 | 3612 | cmd.exe | PING.EXE (3 entries)
    PID 2636 wrote to memory of 4632 | 2636 | Missions.pif | Missions.pif (5 entries)
Processes (process tree; the bracketed number is the nesting depth)
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\bce1ec6a85c3c28e516d68f23949e213fc02126cee986796be7658b1d7a082c4.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k move Guests Guests.cmd & Guests.cmd & exit
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe
          command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\findstr.exe
          command line: findstr /I "wrsa.exe opssvc.exe"
      [4] C:\Windows\SysWOW64\tasklist.exe
          command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\findstr.exe
          command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c md 330233
      [4] C:\Windows\SysWOW64\findstr.exe
          command line: findstr /V "MENTIONEDTITTENSISTERSRECIPIENTS" Highly
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: cmd /c copy /b Floor + Geology + Sparc + Rid 330233\w
      [4] C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330233\Missions.pif
          command line: 330233\Missions.pif 330233\w
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 5 127.0.0.1
          - Runs ping.exe
  [2] C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330233\Missions.pif
      command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330233\Missions.pif
      - Executes dropped EXE
      - Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330233\Missions.pif
  Filesize: 872KB
  MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
  SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
  SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
  SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\330233\w
  Filesize: 219KB
  MD5: 535c2c499dd74bd24c0d1c9893a3d8c6
  SHA1: fee0787bddfa728c09d5d809742fa8d48ba94796
  SHA256: e77fd5af744ba3589343ec6cacfc3276b54364eb95d3677811a49d07ad79d620
  SHA512: bec422a8213b3105f6b0919e863fb65c9dad33b2bf0fa7d5dfe50df71085fce0d96f98525ae29575a1d75672b75bfed5f2cb3407af9fa07582d49e8629b4c084
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Beastality
  Filesize: 188KB
  MD5: 75426c58effb683f1477bfd2236f3fc4
  SHA1: 3e1ac50077711f666cf9631231b9461b430d045b
  SHA256: b62492b117cd03ee096c268480844b779eab66c196a483b4edcff1e97e4269f4
  SHA512: 7f90f6bab8b243e0ab2ffc823e95c6ab53f12d4dade4bd794276ef93daaefc8ae0869c19df8eaae2ec6d0990481813273d165b7d6223d137f4b1f49dbed4759f
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Biographies
  Filesize: 66KB
  MD5: e8061ec633d131b3112649a65ab06bc6
  SHA1: 36197468345f931477c4090803d3a00a94e026b8
  SHA256: f8495ee4f9102351094e1d658490fcd378893ab15da351d12e718084bf856fc3
  SHA512: 1545a598be907876e3b61fbc016686dc02ce9fc81f3d46bb0d9007233076ab6686da7fc47db65e8373971c9e9b7a924d10870435699b3f46800775113d186efc
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Entirely
  Filesize: 41KB
  MD5: 39c2b02c1687db734cca8521eef23bc2
  SHA1: 383b22037bf678a58d672ea14d19d29c931dc2fd
  SHA256: 7755cad75efae7254f197a571c47cac43b711b096161017d1d3da6e1f97c37cc
  SHA512: fb7fe3ff3a18c3ae7e9763e4a031d05413a325e87e64a2ef10d815ccde40391e43bc9c66c361f718d409ccb3ee8f0ede8c4ab4a6376f13b9a727dfca72a51890
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ext
  Filesize: 124KB
  MD5: d9be48527defaba81c8c0cab9bef2522
  SHA1: 38af8ce2c0cf557e141f4bb4059e2f66aa2ac103
  SHA256: b33ca98e10854ebe6455d4c8470ed011695cc8c9021828a0c93e3783b0db5e3c
  SHA512: a31da5e9c56ffd9bd29f268deead77d13db4146b096750bd2eed7c21b48928b9c3b6c1924d52d965e43c4e0f80a034f21fdde42fed681199c89e3d406e1c6495
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Floor
  Filesize: 49KB
  MD5: e9a5ae2b9a69846e46db47be63fcaa6a
  SHA1: 7465504be0a9a21398a4939f014f6529eaac73c3
  SHA256: 3a8803b1ecaf0c32439565f69df4f36b6bbf6b6286cbfc0b30ee9ad1ef66f956
  SHA512: 06c52f9ea2f6bb49e4726b16be255b53922ab6f09ad4ad501878c42f5f2d0c0f5048310f0f17e2d37107548791117c8fc79785b324d9c86c70a760631f5b65d0
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Geology
  Filesize: 102KB
  MD5: 0db80d367c5e106859d0cfa7910c7f51
  SHA1: 3f6041e2af43736c814c7541ec88ab1ea9a5b847
  SHA256: 45500971eb69ea4117a2c153b0b557470fe03f91f08d2955da4198c5dece806c
  SHA512: 1eeb75064bce78fd35191ab5316e4d6ba4642da857326a017b45dbec2f8ca3b4049cd82b360228c8e4d61e68dfc4cbb729906a87db28a5a9e2cc914800e785e8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Guests
  Filesize: 26KB
  MD5: ae3a28ef1b26c1885df771b52a984194
  SHA1: 94c3e3518af42815e3104ce2c618adf1c72d8f4d
  SHA256: 8328b6487a7ae71001723df6ed2e35451a10ec082353f2296a963ed237ddc766
  SHA512: 783320c000cd61e8607602e313231ca357ec971024a9cbc8e6a69d421363dea699598fa9b49458716a205a6de64d51099314610ef4ed14f3c9e015574c76548b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Highly
  Filesize: 159B
  MD5: 1c6e7e49d74fc25189ab1a6b1831d380
  SHA1: 9062ae746adfe399794a2f46ebdb6b3b9058b7d8
  SHA256: a9de3a073a4a9b143d188370760c112700e4e4df9636315053d1ddd492984eee
  SHA512: bc96506b6e32bce560ef13a31ebee0a995ba65189d979536fa36b3fcb4cb86a42b985f35d6abf741583cfb4f71bbc4f6e389d399e2a540437666e5fd5451d1c8
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Introduction
  Filesize: 61KB
  MD5: 21a606a612099e9ef8508289e5cab437
  SHA1: 9a7cd55cce1fe388151a0f3e081626b52811a9c6
  SHA256: b9fcc355124cf305bbcba68d3e39850d2a44ff31d70fe3b737558a673df26ec7
  SHA512: f8f5cd955bf59d58e9ca1178f0cda0360036d4747988daf7fa9c71c2517623f4523d8eca0a21c9c0606c6883a13fb2c17e3dde500cfcf3ba45799be35e16dcfe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Logging
  Filesize: 120KB
  MD5: 3a287253d0f8df29c2aa4637aeaad1cb
  SHA1: bf2c07119fa6d96e8077419d28828f00cf8a87fb
  SHA256: d96bee12829a06fe93c01736057da0b38b5374d050501e74054718b1d02e0e55
  SHA512: 2ec8fff9160a819fad0f75decbcdcfc1e81d90a3d9446a5777b5f35785b3a00866bb2ec29b5431b5816516cd2ff55f3056662e74c578f6f58be09ed5f1113b82
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Msn
  Filesize: 184KB
  MD5: b94c77a9879bb478a8b4d29ee754f88d
  SHA1: ef1b2892a64c5a8ce613d7cd64cca415b15db939
  SHA256: 32c6fd2a1499f0dc8f50731a6e3324126f048ad7d7d363ffec4f6bb0b5fda1a9
  SHA512: 5014ea4346ff13583f38a6a49058210d062b25fef8ebadbd300cce6dc6fb07bc8399427d38a9939b345034dc6284fd9f10c64e94d275f3b66a7bc8ca320c163c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Rid
  Filesize: 42KB
  MD5: 403ea3b6f734f8d7408a7329e1777f48
  SHA1: 43e65e6671cb240bc1bfe9545a3f5ad621c8b3ab
  SHA256: ff302d835c5f3edecf2fd3fdaeaf35bd8cec11e01d06700fcd06a2316b0ea6fd
  SHA512: bc6f589fbd237a9343a6cf7273861389c4561b2ebe8e7d3c15f9eb1b1a3b103fba443d32be54571de5efafd94af5c6dc3a1aa19a027732d5b6bba000e9b3a7a4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sparc
  Filesize: 26KB
  MD5: 3c93696cba68e73debd3baac6f2121cb
  SHA1: 35c77f349e553c8b292b2becab119c9d76a37097
  SHA256: 19c6e4660f57f2825ca14d58aa64b5adb64e6e117174f5a158b230478503400e
  SHA512: f969291d65bd1263b55d83b3d26f4f7755a287e4e375974e2410fef2e1a9178bedd550396caf5c2649c15d0573ca996cc85ba0ee34306b1bf2a7c20a6fff792c
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Trends
  Filesize: 88KB
  MD5: 03819d2f08399741f630bfe70b1844f3
  SHA1: 6bf125d8ad1116ef3b078595014d50a0ab871f25
  SHA256: 461191fae853d1ce06b22c10ca8df5a304d357fd0bf7c6e3a7931dc446652f5f
  SHA512: 9868bdb1ca0540b34601c026a5bd4b039632d241572351ecae9bb6b068bf91e3f269f191a6d17d4952600897f0bdf7490274169372a12750404bc66cea067d58
- memory/4632-46-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB
- memory/4632-47-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB