Analysis

  • max time kernel
    300s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-05-2024 22:48

General

  • Target

    7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66.exe

  • Size

    696KB

  • MD5

    8fad1b737e2fb852710b43eba52d6b52

  • SHA1

    bad376c9582758c4e64956fd6a3df3f10462ba19

  • SHA256

    7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66

  • SHA512

    44acc7fea7525f3fceb38746d1190e56e42618f72f10c9bb2a3404000d77fa696285bce968786f6b1f5df70f402927ce4dc4f0d42ffeaef06a97d70da0938c92

  • SSDEEP

    12288:/Mw4PBDrHW6ncbkrC41L99OVhFHKQGQ9Ua+nQNtl0nD9rBmCvcpj3PmZ7fG4Erw8:/Mw45lncbk+4z9uFqQGXayC30bmCvcqw

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2022
  • C2
    http://cellc.org/tmp/index.php
    http://h-c-v.ru/tmp/index.php
    http://icebrasilpr.com/tmp/index.php
    http://piratia-life.ru/tmp/index.php
    http://piratia.su/tmp/index.php
  • rc4.i32
  • rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 20 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66.exe
      "C:\Users\Admin\AppData\Local\Temp\7dc8133fb148b87f8cfcfa834c1a0134647f9dd55d5f59dec510f8f1b320ea66.exe"
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Informative Informative.cmd & Informative.cmd & exit
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2800
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          PID:2616
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2396
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          PID:2928
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 22102
          PID:2488
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V "PUERTOTEXEVPENDANT" Monday
          PID:2128
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Bundle 22102\W
          PID:2444
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22102\Lo.pif
          22102\Lo.pif 22102\W
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2676
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          • Runs ping.exe
          PID:2684
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22102\Lo.pif
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\22102\Lo.pif"
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:976
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {114C39C7-8B1E-4D54-B60B-218A03010C11} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Roaming\stiuceg
      C:\Users\Admin\AppData\Roaming\stiuceg
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:1452

Network

MITRE ATT&CK Enterprise v15

Downloads
