Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-05-2024 14:32

General

  • Target

    file.exe

  • Size

    749KB

  • MD5

    cc76fdff627601783cd30fa4b3bc9b01

  • SHA1

    955e4ae2f716628423b5c3388597a4ca4bebcf61

  • SHA256

    7cb10c0efe7d47b7a44a5424e197d5a24a67f53fc7e1ed0c1f9923f797e10cfd

  • SHA512

    79f2942c8b17fe8ad1d79895a8f6ae7e7837bd955855ebf51d70adc1fd0111a1e225f582b5ec6f3f84129792a3b2808ed22d14d0246c7f616649e2c70597396a

  • SSDEEP

    12288:MMwQNweRcciNpQdxqnJmuTkhvJoRfzWzCj/XKAbDVFEn1mOU+tvlS2jbKRwMuhyQ:MMwQNwhDOqDTkhvSzxPzbXQmStSkWRwx

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3508
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "C:\Users\Admin\AppData\Local\Temp\file.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3704
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move App App.cmd & App.cmd & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1044
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4216
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
              PID:2156
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:2304
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              4⤵
                PID:3164
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 1171
                4⤵
                  PID:4376
                • C:\Windows\SysWOW64\findstr.exe
                  findstr /V "ENTREPRENEURFITTINGWIVESINTEGER" Customize
                  4⤵
                    PID:876
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b Lover + Hyundai + Bat 1171\r
                    4⤵
                      PID:1812
                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1171\Gay.pif
                      1171\Gay.pif 1171\r
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:640
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 5 127.0.0.1
                      4⤵
                      • Runs ping.exe
                      PID:3200
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1171\Gay.pif
                  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1171\Gay.pif
                  2⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  PID:4852

              Network

              MITRE ATT&CK Enterprise v15

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1171\Gay.pif

                Filesize

                925KB

                MD5

                62d09f076e6e0240548c2f837536a46a

                SHA1

                26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

                SHA256

                1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

                SHA512

                32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\1171\r

                Filesize

                230KB

                MD5

                f0a5a963ca355a1ebe2bad008f74d0cf

                SHA1

                22962a8515a823c3c5c4f1fba0202d3311c42f2c

                SHA256

                bf157ecc83b7a59569d5a97af600e5cb113d540c69553bb475123355d14f4113

                SHA512

                2a72cd83a21e3f656f66e202111b8f56380b55a665f17407077f0e4fc6edef3e0672ca04c3996a526c93c99eee5bd7dc6b04653de70fceb9571af928538b0b42

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Andreas

                Filesize

                49KB

                MD5

                fba51518bf6ee6f873e472c9382cfcdb

                SHA1

                96eb2c38882947508a12214880ddc62e204028df

                SHA256

                ad2a09ca2451f37efcfc318cd3edb290cfa0866157f65303b475689dd246f2a7

                SHA512

                073868f57ae83c190dba758745b30825fc673f00932074fac0362245d5b629a04d81590b65801a6542cf1e196c221d3e8be0e62eeb6077305ab5aa22ca4c8e66

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\App

                Filesize

                20KB

                MD5

                1da5f1f297db86154e3a72a7a4cb5682

                SHA1

                510af7fc8fca4cf711f8f6d29e886a7aeb66a4af

                SHA256

                a6870e58347019c65a9867537509be864caf850d067c5626b2cbe4aa56fcfd5b

                SHA512

                d0e1f981d91678cf67ecc44066429bd620da57eaba9929d0fb3155dc0ba8042b7319ca80aab777e2ff5e335db20fea14936ea8e791bdd648476abd205c296c78

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Athletes

                Filesize

                69KB

                MD5

                5296a7fc18f1cad39585dbd9ef57eb56

                SHA1

                feaf4953c57064a538880caca5326508ddf82c0e

                SHA256

                27508416ae10a44c6e2c2e8c30a86190690a36e171811a9088ffc1e408fd2b83

                SHA512

                02750a506c0f4cc7440e7fd0d44aec8a972e73c6ac5b5fc55b7c433546fdb1943e09afb93880824e37f98371eee37d0522cf9cdf59a8ed657c258747d5dd1aed

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bat

                Filesize

                29KB

                MD5

                60cacbfb2fa819d02fd19854ab81082c

                SHA1

                05fe51643758fc5c9abbd42dafebec72cf0f351d

                SHA256

                1d19249c9e6bb183bfe12d415cdac8f3c7a481a24c8ac3864a2d234561b93574

                SHA512

                f5b9fad91553eb634c3936e2348d3306a2d1d65f8905f457e704aede0abf2debc2ee4dd3e744346fed362445eaf82fc3bd49cb91199a39989324721bdb8b6fe5

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Brooklyn

                Filesize

                63KB

                MD5

                9d2d77b274aa1425fd0a64d246063282

                SHA1

                98e6579e082756bfce23f70919bd7eee1704a5b4

                SHA256

                e9a1ce3370fe51a2a0c5c965f8fd31d9daf4d95c37280ed23090347adfc0b634

                SHA512

                c3fcb42c5262a3f4d7f23d00b6eef9cb4ea48cca1c5921a77b43fa7f4df259f640a497d62739c375f418216648f273e382e34d3451dcd2ae98fbdae3a0c9ee8a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cancer

                Filesize

                63KB

                MD5

                834ba75a5114301c58aaef309820233c

                SHA1

                d9276ad5263827bd2adfe1c41e0a78bb831276aa

                SHA256

                10dfd53167c59b307f49aa97fe7438f0ef222a9f390b0f99b15a2b50368dbf94

                SHA512

                1630c08fc64b79f0cfae5bc691f4b80c4fb58bce1bfab68486d9c5cb99133b769b2d784d070c5eb6e712c51f588ac5881be479eeeec8d5820efd4015a008fc51

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chapter

                Filesize

                65KB

                MD5

                fe9aec69a615bd6a8632b7fcd076dded

                SHA1

                9ee6318a15489e6a8abb9edac89cb7b9a0bcc2f4

                SHA256

                e4883490cc49b632b52fc817043ace96ad6c179a5c60cef86d9ed69d37388b0e

                SHA512

                1d532d18c8d62c2efa99647335416e38e0e4e1c7924b854bc7d8599c23ac925a78c35b1a849ebeb832af1803d06df07037c73495dcb45b1ac9e83238e44b2d66

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Complaint

                Filesize

                53KB

                MD5

                66a6ab7ca23999d89fdfc6c934e0d596

                SHA1

                408dabe03e172e393165a4ee8897149de69ca279

                SHA256

                cc22d1a0b17ad6d339dc8d41e55df4fa1c0f524fb8ad8e7c34e110c769a96615

                SHA512

                9b5bd51f9077851556a9d8556c3b231b7c7428d2d6ae79c8b52b8b885d943120048269ef3f4c4672130fe478676d5f972da3be9f92ee19e48abf28f7a7b98cfd

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Customize

                Filesize

                83B

                MD5

                005594caabd5567ad67dbed7091aa05b

                SHA1

                1de52e2ae52a57f6c86c6717cd6293b7e50398f4

                SHA256

                ac73ce9506595bcddf99afce61986f73f64a71cd24b36dba35b8a346478ab194

                SHA512

                1c8c4e2163be8ff8d50a6ba04c442002363fe782562b0f44ae66a0c239673394ed3c763eb31b74efed51031827eeb5623af61943149cc2285dfd2a6da0fe03c4

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Expires

                Filesize

                65KB

                MD5

                0f577a91a6ff4c01fe96101535c5fd11

                SHA1

                1c192cf19c6f3045f91ab9168f4b5c3d7056a97a

                SHA256

                37cdab77ce28b3a88af622f9fc743751a718cc4ad06728da64b369ddc68e7c4e

                SHA512

                6b9bd288d1f4288785aec666f17fe201ad8cae497c7b5cc2f3973564363ae89f0c74ddd925f0b9e556c606c2d9114a6d1ae098c9329ef401bfd60bc6abda0263

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fragrances

                Filesize

                33KB

                MD5

                5ef5fcbd37d4a4c68a5a5b7fc9fe16cd

                SHA1

                7f2f6a133ae0ed481e5da84ef0b807bd25337ba9

                SHA256

                e0b0f766494a79d03d16950e209a825c4074318d8dceb4b3b6161853690f4082

                SHA512

                b437a74898bf7b1d98509e827ead5413f8d80d109da3678c4484f9c481bb8d7997530e956ee69e2c9f6cb406cd84d679dab24b43cff6cf0837efc06942dade24

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Holes

                Filesize

                41KB

                MD5

                a18e847991b1a371895c591951e75821

                SHA1

                d164653cdf97f3fd4247c6c3a9448e92eba58c6f

                SHA256

                b73165f75994e2e036183f7bf0cb29eedeb58e902d3c66de43b4793c817cdc55

                SHA512

                f4ac58d9092e778c019577d389b80486b1b938b083644c7294da984e39ae910b0870e15d1b113aacdcd42e8228de7a1bdd7de1cd4c14a7376995aa6b391814e2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hyundai

                Filesize

                103KB

                MD5

                ee99958b32e630c2d9720cb2388bc052

                SHA1

                3c7fda691f36747eda186a4f13ebba563c25f9ca

                SHA256

                df43d471314ab0d2318c0b650682b178fbdad6b5c887cb707f1eab550b8cf020

                SHA512

                b98110cffb71b34995289869eb5e03c62ce94fe009fc7da57fe9b81a2d26486c054c7294c03d3ae4b163bbe88a31a5918bf9a8da1652f12b0e9092b6a40bd915

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kidney

                Filesize

                14KB

                MD5

                07b5d2b9b5fd4ee93787841d609d160c

                SHA1

                7818f5d54659653fe39773835e08cd9c75ff0327

                SHA256

                e0477d04578df6245e0c0e7c4f456b1b8b23cc08f7e8a5f9f4e55c3f4567b498

                SHA512

                72681c0be07ab095492456a40d573726c226dd044ffacb7ba3ecac92c66edeb1aeca949dc8e6a1bbb3a30d715fbe8b44fde4db10e9196ec53a5f0c062ce13b14

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Likelihood

                Filesize

                54KB

                MD5

                90eb580030af65c45961c8c39d83d4d9

                SHA1

                681678152bd1f46845af3229b612dcc47af477ea

                SHA256

                d504dd4e8025efd932ab5a28eec09a17e1e73ec454902da52deec53a8426d5dc

                SHA512

                953f06a6c1fff9d50390c597ba4df675f05f75bfa1e113f06cbe734b65d96acb3a0efcc7e4627a653dae591a230d192f9534b8313dfe16325aa80bbff41386bc

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lover

                Filesize

                98KB

                MD5

                265efb2f4eb5fc3bd23952753de311ca

                SHA1

                487ffbe701fa9db51fe3d00f8674fe479462cdbe

                SHA256

                93e5fc6aad5d6aa03c0e5b3e998b79265551cd7f967c4036de0269f9b8ff4e69

                SHA512

                9f2868351a2136011da9d5f2838da1a182798e3ff24cf2f090ea70959902a89899c483bfbe9a3853a92d930cb827f83dae678ada9a4a86c429871904da096f55

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Mainstream

                Filesize

                69KB

                MD5

                ee4f975e91ca0d7a9b90eacd7a7f6826

                SHA1

                bf74c18cf421c3317efdecf99cbdfa2fe9d2ec41

                SHA256

                d7bf3555a1d3ebfad0e99d47cad688a8ae9c37eea651c7db33e1f651c4d55b44

                SHA512

                974b416df1678035792b5d84811adf27f55e262381d7d37aebf268a1cf094d680f2170dc73cd6a864a6a5f7bab304888acbf0ffa17b4e33081c53a59193522cb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Matches

                Filesize

                45KB

                MD5

                9bc7e3e9d32a2a2ce81a579d759e38fe

                SHA1

                020fc0b5f3085832a5068405c57240618245016c

                SHA256

                26dfcf45489db4e2304e950928dfff826e2b2622032ae8be94a997aa9655c69a

                SHA512

                dc18c85017d8c7e3f75f14f1c7a2b807558529d334b9b81ac9bd4bc02bd04b8930dd375080f331dc36777f8eb46d60eb17291aaaa67cc2f2279630b306052ff1

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Robert

                Filesize

                59KB

                MD5

                cadacf7a1afa5bbcc69880e0f2210a5d

                SHA1

                e0982a262ad213d7e793664d8f749327284941de

                SHA256

                2829524194cf92693b302b986f24f8ed6cd5be8648e4a90d3e2585c4f4b40065

                SHA512

                7c7985a9e20b364a849454c12f381e6da78132a0fb3a9324778295aa69a3e3f2ebd255e7d8d4e767f784b1bda964648dfe93600653a7431b800f540d1f4e9558

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Systematic

                Filesize

                51KB

                MD5

                09d230d6b62e502b9e1296731b4d2a56

                SHA1

                18623a9260ccd8c962073b1e060c218d29330e18

                SHA256

                6c08d2f673f5aed8fa67a664174e05f234aa8c5a373709565515267937bfc413

                SHA512

                a49b0ff37aa8d4cfe36f51dc9012b91096d0551f4bf21a70405e9c0231e9f25ac7d4f0fbac463dcfcb2baf3789d692ba66cd9138ddf91b8b6ca1e97f2d94b0b0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Typical

                Filesize

                44KB

                MD5

                3f1603e6f75e6d6e4a6cee07823d346b

                SHA1

                c2256343468f0feb8191d7e8090e4fdd4ead8496

                SHA256

                e7658f4218045a09c7373683d2dec092bd19a814eb12191a6d0a87c3371c4ba1

                SHA512

                adb795d9543906d3e894b347bd4ced151865b92d04572abcdda9641c3efbe6da2420334782ce42e96fa81eff120f0b154202b242aff02899498e472fd1e14b96

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Watches

                Filesize

                31KB

                MD5

                14643bb55741dc8e29f183dff40b92af

                SHA1

                1a4f5a6f59a2dcbc98029d17666869d673f7c1f2

                SHA256

                b3015ad522a3aaa33c45b40a68c4270f3e7d18c48d6a504b75b4d18467a6ea93

                SHA512

                762f767a59885abe3d620dde38f49f65aad845e7e3cd132d9a8490f6fce14328be8dc4eea7e8ba3bdf16bb5132073ac83fe34e2eddef5200272686e9ac8c4859

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Www

                Filesize

                57KB

                MD5

                092d31205c5c9c7b30594e21e3263af0

                SHA1

                8e3b6062e6437ba999e7ce9bfc41d0ffe328feca

                SHA256

                3cafc335bfd08c6b7c7caf636de0568928bbada325a17c46845e4f2f0e0d04c0

                SHA512

                e9fc0f99c7488afc523c08952f0bd252dc05240f69d463fa787388a7f9a0d695cf9001d3758ca0f86ca4cc5a635e91a0645228d4d27dd5df02f6d3494ec66989

              • memory/4852-54-0x0000000000400000-0x000000000040B000-memory.dmp

                Filesize

                44KB

              • memory/4852-55-0x0000000000400000-0x000000000040B000-memory.dmp

                Filesize

                44KB