Analysis
max time kernel: 247s
max time network: 299s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05-05-2024 23:02

Static task: static1
Behavioral task: behavioral1
  Sample: e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe
  Resource: win10-20240404-en
General
Target: e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe
Size: 734KB
MD5: 0c4cb8fd1e3cc4b42556562d317e6e59
SHA1: 8a572e6ef21e54b76cf0b38099c6ca47d607170e
SHA256: e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb
SHA512: 0b7c6520fe39261743cb6f85a601d9e7306a17e25b1909150a14cd4e31e5c2d9c0faef30effbd1dc1eb1108da53b0f6284d701ce37ab5cef5dbcf9a2f8634652
SSDEEP: 12288:dXxKusPyZi+9cn2eIIcXopkUxTBdmEkH1Vmkw8dUfmBpHG9Yg1p8mgNahqYSkjQH:dXxKusaZi+9pI3xl1u1q/fmpnepSzYSr
Malware Config
Extracted
smokeloader
pub3
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
  description            pid   process        target process
  PID 1716 created 3260  1716  Existence.pif  Explorer.EXE
Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1716  Existence.pif
  432   Existence.pif
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid   process        target process
  PID 1716 set thread context of 432  1716  Existence.pif  Existence.pif
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Existence.pif
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Existence.pif
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Existence.pif
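What that registry read is for, as an added example (not code from this report or from the sample): the SCSI branch under HKLM\SYSTEM\ControlSet001\Enum names every SCSI-class device by vendor and product, so a hypervisor's virtual disk and CD-ROM advertise themselves there. The function below applies that heuristic to the text printed by `reg query HKLM\SYSTEM\ControlSet001\Enum\SCSI`, which is also a quick way to check whether a sandbox image is fingerprintable this way. The vendor tokens and the two sample outputs are constructed for the example; the report only records that the key was opened, queried and enumerated.

```python
# Tokens that commonly appear in the device instance IDs of virtual SCSI
# devices. This list is an assumption of the example, not something the
# report states.
VM_TOKENS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "virtual")


def scsi_vm_indicators(reg_query_output: str) -> list:
    r"""Return SCSI subkeys whose device instance ID carries a VM token.

    Input is the text printed by
        reg query HKLM\SYSTEM\ControlSet001\Enum\SCSI
    (one subkey path per line). Only the leaf component, e.g.
    Disk&Ven_VMware&Prod_Virtual_disk, is inspected.
    """
    prefix = "HKEY_LOCAL_MACHINE\\SYSTEM\\CONTROLSET001\\ENUM\\SCSI\\"
    hits = []
    for line in reg_query_output.splitlines():
        line = line.strip()
        if not line.upper().startswith(prefix):
            continue                                # blank lines, values, other keys
        leaf = line.rsplit("\\", 1)[-1]
        ident = leaf.replace("_", " ").lower()      # "Ven_VMware" -> "ven vmware"
        if any(tok in ident for tok in VM_TOKENS):
            hits.append(leaf)
    return hits


def looks_like_vm(reg_query_output: str) -> bool:
    """The yes/no answer a sandbox check would act on."""
    return bool(scsi_vm_indicators(reg_query_output))


# Constructed sample outputs: a VMware guest and a physical host.
SANDBOX_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk
"""
PHYSICAL_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1
"""

if __name__ == "__main__":
    print(scsi_vm_indicators(SANDBOX_REG_OUTPUT))   # the two VMware entries
    print(looks_like_vm(PHYSICAL_REG_OUTPUT))       # False
```

Run the same `reg query` on an analysis VM and feed its output to `looks_like_vm`; a True means a sample performing this check can tell it is being watched, and the device instance IDs returned by `scsi_vm_indicators` are the strings to rename or mask in the image.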
Enumerates processes with tasklist (1 TTP, 2 IoCs)
Processes:
  pid   process
  5092  tasklist.exe
  2044  tasklist.exe
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid   process        times recorded
  1716  Existence.pif  8
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2044  tasklist.exe
  Token: SeDebugPrivilege  5092  tasklist.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid   process        times recorded
  1716  Existence.pif  3
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid   process        times recorded
  1716  Existence.pif  3
Suspicious use of WriteProcessMemory (35 IoCs)
Processes (each distinct write is listed once, with the number of times it was recorded):
  description                        pid   process                                                                target process  times
  PID 4676 wrote to memory of 4808   4676  e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe  cmd.exe         3
  PID 4808 wrote to memory of 2044   4808  cmd.exe                                                                tasklist.exe    3
  PID 4808 wrote to memory of 1072   4808  cmd.exe                                                                findstr.exe     3
  PID 4808 wrote to memory of 5092   4808  cmd.exe                                                                tasklist.exe    3
  PID 4808 wrote to memory of 4320   4808  cmd.exe                                                                findstr.exe     3
  PID 4808 wrote to memory of 4908   4808  cmd.exe                                                                cmd.exe         3
  PID 4808 wrote to memory of 1408   4808  cmd.exe                                                                findstr.exe     3
  PID 4808 wrote to memory of 4124   4808  cmd.exe                                                                cmd.exe         3
  PID 4808 wrote to memory of 1716   4808  cmd.exe                                                                Existence.pif   3
  PID 4808 wrote to memory of 1336   4808  cmd.exe                                                                PING.EXE        3
  PID 1716 wrote to memory of 432    1716  Existence.pif                                                          Existence.pif   5
Processes
(indentation shows depth in the process tree; the signatures each process triggered are listed beneath it)

C:\Windows\Explorer.EXE  [PID 3260]
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe  [PID 4676]
    Command line: "C:\Users\Admin\AppData\Local\Temp\e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  [PID 4808]
      Command line: "C:\Windows\System32\cmd.exe" /k move Spirit Spirit.cmd & Spirit.cmd & exit
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe  [PID 2044]
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  [PID 1072]
        Command line: findstr /I "wrsa.exe opssvc.exe"

      C:\Windows\SysWOW64\tasklist.exe  [PID 5092]
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe  [PID 4320]
        Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

      C:\Windows\SysWOW64\cmd.exe  [PID 4908]
        Command line: cmd /c md 1161

      C:\Windows\SysWOW64\findstr.exe  [PID 1408]
        Command line: findstr /V "decentrisingadvertisementssuite" Appliance

      C:\Windows\SysWOW64\cmd.exe  [PID 4124]
        Command line: cmd /c copy /b Annually + Protective 1161\b

      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1161\Existence.pif  [PID 1716]
        Command line: 1161\Existence.pif 1161\b
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE  [PID 1336]
        Command line: ping -n 5 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1161\Existence.pif  [PID 432]
    Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1161\Existence.pif
    - Executes dropped EXE
    - Checks SCSI registry key(s)
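The tree above is the whole dropper procedure in order: cmd.exe renames an extension-less dropped file to Spirit.cmd and runs it; the script pipes tasklist into findstr /I to look for six security-product processes; it creates the 1161 directory, filters the dropped file Appliance with findstr /V and reassembles Annually and Protective into 1161\b with copy /b; it launches the dropped Existence.pif with 1161\b as its argument; and it sleeps with ping -n 5 127.0.0.1. Existence.pif (PID 1716) then creates a second copy of itself with Explorer.EXE as its parent (the NtCreateUserProcessOtherParentProcess IoC) and sets that child's thread context. As an added example that is not part of this report or of the sample, here is a Python pass over process-creation events that flags each of those steps. The event records are constructed from the tree above; the creator_pid field, the rule names and the "at least 3 pings" threshold are assumptions of the example, not fields the sandbox reports.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The six process names the dropper greps for, taken from the two findstr
# command lines in the report.
AV_PROCESS_NAMES = {"wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
                    "nswscsvc.exe", "sophoshealth.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style).

    creator_pid is the PID that actually called the create-process API. Sysmon
    does not record it; it is assumed here to come from EDR/ETW telemetry and
    is None when unknown.
    """
    pid: int
    ppid: int
    image: str
    cmdline: str
    creator_pid: Optional[int] = None


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Map rule name -> sorted PIDs that triggered it."""
    hits = defaultdict(set)
    by_pid = {e.pid: e for e in events}
    for e in events:
        name, cl = _name(e.image), e.cmdline.lower()
        # 1. cmd.exe renames a dropped extension-less file to .cmd and runs it
        if name == "cmd.exe" and re.search(r"\bmove\s+(\S+)\s+\1\.cmd\s*&\s*\1\.cmd", cl):
            hits["rename_and_run_cmd"].add(e.pid)
        # 2. findstr /I for security-product names with a sibling tasklist under
        #    the same cmd.exe parent: the `tasklist | findstr` AV presence check
        if name == "findstr.exe" and "/i" in cl and any(n in cl for n in AV_PROCESS_NAMES):
            parent = by_pid.get(e.ppid)
            siblings = [_name(s.image) for s in events if s.ppid == e.ppid]
            if parent and _name(parent.image) == "cmd.exe" and "tasklist.exe" in siblings:
                hits["av_process_probe"].add(e.ppid)
        # 3. copy /b A + B out: a payload split across dropped files is reassembled
        if name == "cmd.exe" and re.search(r"copy\s+/b\s+\S+\s*\+\s*\S+", cl):
            hits["binary_concat"].add(e.pid)
        # 4. a .pif executable launched out of the browser cache directory
        if name.endswith(".pif") and "\\inetcache\\" in e.image.lower():
            hits["pif_from_inetcache"].add(e.pid)
        # 5. ping -n N 127.0.0.1 used as a sleep (threshold of 3 is an assumption)
        m = re.search(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", cl)
        if m and int(m.group(1)) >= 3:
            hits["ping_loopback_delay"].add(e.pid)
        # 6. reported parent differs from the real creator: PPID spoofing
        if e.creator_pid is not None and e.creator_pid != e.ppid:
            hits["ppid_spoof"].add(e.pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


# Constructed from the process tree in the report (PIDs, images and command
# lines as listed there). creator_pid of PID 432 follows the
# NtCreateUserProcessOtherParentProcess IoC: 1716 created it under Explorer.
PIF = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1161\Existence.pif"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e787e9b3eb07676a4848cb9ff1dad9a19a5b3aa11a220b2ba3d447ac6680abeb.exe"
SAMPLE_EVENTS = [
    ProcEvent(3260, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4676, 3260, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4808, 4676, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k move Spirit Spirit.cmd & Spirit.cmd & exit'),
    ProcEvent(2044, 4808, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(1072, 4808, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(5092, 4808, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(4320, 4808, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(4908, 4808, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 1161"),
    ProcEvent(1408, 4808, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /V "decentrisingadvertisementssuite" Appliance'),
    ProcEvent(4124, 4808, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Annually + Protective 1161\b"),
    ProcEvent(1716, 4808, PIF, r"1161\Existence.pif 1161\b"),
    ProcEvent(1336, 4808, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(432, 3260, PIF, PIF, creator_pid=1716),
]

if __name__ == "__main__":
    for rule, pids in detect(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {pids}")
```

Rules 1, 3 and 5 fire on single command lines and are cheap to port to a SIEM query; rule 2 needs the parent/sibling join, which is what keeps an ordinary `findstr /I` over a log file from matching; rule 6 only works where the telemetry exposes the creating process separately from the inherited parent, which is exactly the gap PPID spoofing relies on.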
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 925KB
MD5: 62d09f076e6e0240548c2f837536a46a
SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Filesize: 240KB
MD5: 64f8b1eca7a7a76f03bd6640c813abb0
SHA1: 3a63f2a2f6da7580102b22fc03a4d29a46231727
SHA256: b882ba15802e57e6563079c7b9835e93726447a42ea00e717fbfed453e0de309
SHA512: 6afb5940441ef757ecef31bdf658bcaf3cab52befeadf15bb047f1aea8a4ccf1caca0af38e2e320ccd28a146b67ef5d22e23034d3d0019370c2875289d227173

Filesize: 60KB
MD5: 3fe7c2a4c10f38823a4a6f3c68794f44
SHA1: 5d90b05b9b82efd6095092316a407c68fbbbd826
SHA256: 06a2619d732d91985a97b10924cc5ee69eca484b24fc49ba2b9390df6a5c5d40
SHA512: d3cc611a5f246515f4757acb7a40eefed1471eb4c36475330e2ef4855c62cc744500ef0bddbc43ec8c5164e82c2c27a3d8dc1796d367815822f324c6af404a83

Filesize: 173KB
MD5: f2e24419a55616e4ed764bb06061e1dc
SHA1: 9fd15636d89b3c5f17bdfe2fec8cc239891af6db
SHA256: 49fff67abf55f9853cddb781a2b2885d4578d0d5e1ee0466a8d3ff79e252371b
SHA512: 77b3d0984693ec3d5f0241b13e75b3ec0f34bcb75b753d5b6818f206c01fb5b52793d9c5b4fa1fef66e4d426aa689bbecf98250aea05f93ef00d2dda0b66a465

Filesize: 145B
MD5: aca2e7d4e532acbfe64654245feb2bcd
SHA1: d5f2726049431ca5bebfe3a6f717b0984ab165fa
SHA256: 96e3ed72cee2a5870d9e1c5636ed4fda0b1f4ee757059728e92c8f42f02993c4
SHA512: a94e5205276bf0e04b89bef60bf8080b3f234c4d687756af75f43547657c252bf8687b6a10a0e3ce5687bbd390a4b6cd5060adf4d233003d46d277dd0e825f3d

Filesize: 39KB
MD5: 5854f72c2bb366a66124c4f88779ac62
SHA1: 779263bbc5434a9f3c47b4513a4ed3552e2730fa
SHA256: 01c869a01416c3660c4b397be2fff90e7f3b67bfc42279fefcae1bac26bb9eaf
SHA512: 9ac2094530d019e349280153a373aaa20b76c82ff552be925412521cbb08b389ccf54fb6e0a669d47396da1f2ca358542dd1fae0bfc146548d7a1c06d76b0b5e

Filesize: 11KB
MD5: 6f346b68ccf472e391b75de7a6b9418a
SHA1: 62aa37b8657e8f20e4c26a51cd84cac90b225403
SHA256: 3a2efebd6b6321314705e2ee97152902f620d6c4eddc07ed2b547b1811da1391
SHA512: 43a9b58820685bf2d815bfa1121a0caa4118e8ab4b72bfe4e9863b1a8d94b283a3d151daaa9b1de8b9472271101caad0af3e7db9250784cb017e292e97f4f4a2

Filesize: 63KB
MD5: 170b698c7efd8e1a6aaed5f10b72db05
SHA1: 35b6279b4f72247964ec7e69d9245f0210b061a7
SHA256: aacb82679d8d27c9d8d0e4fea4a21df11a11050a0ff6bd757565c15a01f9badd
SHA512: 493f3abd1a0b12b1054629bf9d03fc40affa842fcada840f455c0d82d67e37d4c61b3d229808d4903de1df2464da860c3035b203d2ea4f5e7198504e6e36405b

Filesize: 35KB
MD5: 8064e55047d9e2959b304e09b843d01f
SHA1: 7135612752126d7d9e27ea3e77a559036c249572
SHA256: f7985985abc7af012f037eb817e0528536c84604e7466f31364d08bd148a6fd8
SHA512: a8f1135199dabf9838a8ec1afc4f837f69a411cd5962ebebe12e30b9d42264655927f379e94ef6bc8a92a087c02e6f7e4b677c375131943f737ab73a6df2cc60

Filesize: 8KB
MD5: a2f21d2f4986bd778f3a4c5a4a2d7df7
SHA1: df47f24cb09c3b2e282066a31c77a019babb6ff3
SHA256: c0803ac9e0a11189cbb6ed62d6444df80ab3c399534453d7e03cd3e59f9669da
SHA512: 35d255799762f49552c37754b386ea1d92ff8213ad6666473a1af59e7a707e8098ce5da1e44ff175375473120c942071479971717a5f8ed7bfaea96d1ae9c6e9

Filesize: 18KB
MD5: e3ad485926d576272bc3834f4f711a73
SHA1: e87b64a5e13f6cf404615844235e50572fd6bb78
SHA256: de36b296029f55670c9d97f1864f1b20cf481e20c396e4b564344c0a4198a9cb
SHA512: 3c5c1ca29f6cd22e202fad8ab9e4efb6cf9bdff399cb7fd3a29b257bda76d72e625718e2e5a2486ecdeccfadf40326fb7df04c4e51c726452c806442ccc3e38d

Filesize: 66KB
MD5: 402e097b13c55a275c6b549572d52ffd
SHA1: 93ece3a1b0569f3b1d3f827abdd687b95a202801
SHA256: a98131d193bda98ff749d4669a081f856aedf7a87fa3849f02bed4a3da530bd4
SHA512: 12fb94afab7c09de05a696abae70dcdfd4120bd9526865b0fbe0f916af8a30b39fba2a32f83df077a1620d2844ec5404b9a54492cb44b523e835e0fea49e68c9

Filesize: 54KB
MD5: 209fa27e972d3c51ec64ce3ecb581bc7
SHA1: a340d641d3253008f0910a8e89318fc93f4fdf84
SHA256: 5407b3ebb6000281ee905fd3bdd6b96436b8fb232c06e1d5b46c9878f638cdd8
SHA512: 6befa418099987e49789de42e42ad8d3141be94b5f81f1e5ccd4af2db837b12fbf575a855b41bb01b8fd88b62f51546a3b14f9f0558b94d7fc2a677f91db3d5b

Filesize: 42KB
MD5: f57dc13d2a4869467e378cbde8ad95cd
SHA1: 2116be8115b8ddd0f9dd7021dccd76b518f22fe2
SHA256: b7e3f2e9f08fcf3b5ea94f9fefe73275567a0f5c11263901546c6667a429cc5c
SHA512: b2b2d409232c87f525fa9b06060f18db48d634aef93b22b805c940081ccdd5cd1898a1ef34099234047fec55ac6145180756fcf2c9b4a70e6067cb99b376050b

Filesize: 44KB
MD5: 10f390540e2f28af21be71bee91f887a
SHA1: ddf48677896d773768fcfe5a1c2e326722811c01
SHA256: b1ce10172dfc8c66021ec8e94a5774681d73e9fbed7cf52d21ec8b1755d0617b
SHA512: 91c4a011ef0dcb6329a79cf0472abf5fc1df30fc75b803bde5c3fa892c5fa893517a82c44856825b75dfd5ca0f02b8f06b3b825a89fd2fc5364a60435910f4ef

Filesize: 41KB
MD5: 5251998ba3fb49acde1015413ed43384
SHA1: 54aa5290a0f0832aec2df834e94672eedf1cfb29
SHA256: ff68f50ab8fee781f91a3fe0d175a97e2126b03aef3ec21139224330fbf3d330
SHA512: 25c0ae18d6ea7b8e14b367391f0b7b53a8bd02f182a87e6fde642ce68afcc4e51dca99c9a3cfd803ed8e2b5334f157e8d66502566f04ee7e1bfd690f882dbfaa

Filesize: 35KB
MD5: a05193bf1e68b3fa200d71c3e81b5b42
SHA1: 6a7f84ed1e3bea9c7f300f8f4496cb16178fccb8
SHA256: 71ead8aa39ba5ab49fed0dd3145f89f5f75eaf0929100948a6b280f22dfb6942
SHA512: 6ad9d9c9408c45a077238754d379b1588a38e0f6e87e6cbfcb7e7ba15507a3c59fc0c54fdc60a5fb413362735e0ef82fbcb844e246a2f5fa02bf4d095ddce48e

Filesize: 31KB
MD5: 2f178344b946ac6b7eec96ca3702fdff
SHA1: f033ac7af2ea73f217f881e1884311a58d027fe4
SHA256: 55083b8bc8f1776e7202225ea8896b0377b669a9c853d09aa294853705e08d60
SHA512: 8f72ce152cfa5386e20264a9f68c1442044e20c38498547d5dfefc731807fd27240fbe214ccd4d0e7ad492c6f5721ec5d1142177aa2eca1105761103637f5830

Filesize: 67KB
MD5: a2f118a6f00b962b7c579a261c7804c9
SHA1: 665111a5ce8fe215e18a92c247c84e887c2d4d61
SHA256: 8630177ed24b4143fd5d72584e01fe51cb3b407d899638f3fe95d734f389a789
SHA512: 3aae946543229b59cdd9c792b48e06ef00af10ee455fa17f1e0571e1321c8f86fc2c80df35d276bc050954bc70aed11a3fe845b4a767dc96a6f303a23f90dcee

Filesize: 40KB
MD5: 0610af0059338136bf8c338f9df9f4e9
SHA1: ae56e66b0643dd15d02c6e49e419d0720a71a2cf
SHA256: 8b39eac835db993685ccc47fa51581d0481feb82181a024e8dc82d0c6998d5a2
SHA512: fee68ef1f022cb0b791b644db311edaf94667ad7460455bad304838947e79d7262099fc7288709d9bfc5ed9d59ac1ede415fe4053abcf72ad78462d0831327f3

Filesize: 67KB
MD5: 56e8e3fd9abf7e1e0275b2e838a5ef57
SHA1: abdc8b68b01d5910485a550bbeda6dc6ec65c20a
SHA256: 42aff549ff3f6be7336b9ae9a616fcc927e2cf75dc09d4a9a2e51f33968dff18
SHA512: 6e261ab2509a146d3e4790149c62a970f7edafc04aac1af227fd887c506e02351fbcbcce47c7b41ff51622d5267255b223c34d1f52cf52c55b63003edabb2d6e

Filesize: 61KB
MD5: 1db6805b4802f7e943eb19217e2e58d4
SHA1: 0354fd0dc9ed3963713e6ba0f1db2249f36a2425
SHA256: ceb583acefb2443a5bab27f21f6f15668fc853aa85f148787ddc8dab28f36cac
SHA512: 7a6ca112adc68347bf3aadc469650491476fe245642de16cadc031cf49622d79965fb37e2d8e4b54dd723ae08a95f28da74c35b6c10cdc4bba1276af0c13d64c

Filesize: 36KB
MD5: 4b932aa83e6b9828c48efc6c32f52a25
SHA1: 36396ae5c0c3a2c46f7be2439edd654465ca5505
SHA256: 8d43cd6ee32a87b53944d2ef0637c629925c67b664cdc49b010c0d9bccbde87a
SHA512: 53116bd05a8c3d3b99821fb3cb3a96f1397e82a92f5ee03f347fe26eb9b700482d0207241f17d6ba94fb5769b34b2cf8153bc7d1c2f96397a8e2ba4cb89057f9

Filesize: 25KB
MD5: 6969d2308ee5afe17ced449afe8f6fbe
SHA1: 878d4f2b3d43265f31a0d26669d5b4ab0a02bee5
SHA256: c2a330adbfbcafc43fd6a1c0e2738f4da8419719efc3fa72fc3d519024a5a701
SHA512: 832f28350edba8c58ae50b7861c18a550c2774bee4f5bd42d69e87c8e4e2cb61a9e28976a8162ce3020c7636809fb03a2fdea708eb7a8f5fd0161f3d3b501e66

Filesize: 16KB
MD5: 24ff1d39a661d345c3ab496fc46350a0
SHA1: 46e9ed1f123904934276a9c44fee009af3d8dbf2
SHA256: 66c472499dff5759ea709e4412008b09aae9c8479fa325ecf47c9a5ea5776ebc
SHA512: 37e425d409483b4d2b4d80b0ac0bc425ef9ea61d7167bee507abd63d78aaf86b998f58fad5849ffa539875cbad97a0958490b2488040eb07a034f6204d63739a

Filesize: 48KB
MD5: be070b66ddea4f0cde50137e57909e34
SHA1: 7e19653a320cb3227153c7b725751c2b74a3697f
SHA256: a1e1fd3dd8cc3a1e978eab91c376ad040687cad05d261301a6f7eadfe9a75fb2
SHA512: b90ff1df6a5b40b368373cfe0196cf632f11c20e676f52141628346933840b38b1dd96b0273cc3ec1711a1b7e0c6704e8b1304803a00dee4098bcf3d7e8104fa

Filesize: 36KB
MD5: f35dec335ef9e69710d927917b55e546
SHA1: 88fc9b8c3b33c746e9a4dbd7a0cd752ec7b1375e
SHA256: c377583fb2206d029add6182126ec7374bcdc27baaa9c3e8c17f4d1842b7a8e2
SHA512: 67a6f0d517bfefe6d8b7a1326f2ec8cae2ac10e799536c47f9cde93adae6cdbc41237471c7023fe5734a5a06b1177a3340c1f04c219f4d993bdf310a35b84096

Filesize: 57KB
MD5: 84c2e74a644aa997af6a5389be8a5e12
SHA1: 9be822b2a46731991bf457fd856afcf11b98ac58
SHA256: a2f69512d8c1ab43296ff0d0d0c74d9120581c7df5b51c03376b16db071a6153
SHA512: 75bbf09a0beb2fc1e8375109d007f0c101a1f4e9c0463a421ac637828b69dd0f21907a10feea1caf7fa8f710d2ccedca3330ddc3c8bd87eb2958e4580640d3f6

Filesize: 16KB
MD5: 7fbbe35db8693990b14cebbd28bce879
SHA1: fd529b9836d8275399a160a3227ac15dea1c4fc0
SHA256: 807ed5ac623035d54eefd896cd6cc6f7569a27252dfa62fee547ce9cfb8418d3
SHA512: 0f237671ae4138605d5256e34f67242d4004727753a01870460dbf5d681b4fc86c2877328d60d23723de34927b95c88e76180380d16ce3ef428a283115af73b7