Analysis
max time kernel: 131s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20240226-en
General
Target: file.exe
Size: 213KB
MD5: 29c2d7eec8802f3967aafcd0d16628b1
SHA1: efe099762635d1d6284afb88225029bf89adec5d
SHA256: 843ad82984513d049fcbf1258c0a2cf71fd519ad98a272e54ea95d42422a24bb
SHA512: 755316646a0fcf8fef69832e33e8c611eb02e9e88e6416f7a19c499acab82f9a0e15d49fa92de70aaa5085f05a591e33456f8df61af5534cdb43c3f652e1502a
SSDEEP: 3072:XG6IE/WIaxT8XyWiTmZTb05a+f4IOCX9:N/0oXyWiTQh+fN
Malware Config
Extracted
  smokeloader
  pub1
Extracted
  smokeloader
  2022
  http://trad-einmyus.com/index.php
  http://tradein-myus.com/index.php
  http://trade-inmyus.com/index.php
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Deletes itself (1 IoC)
  Processes (pid | process):
  3300 | (process name not recorded)
Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description | ioc | process):
  File opened (read-only) | \??\D: | explorer.exe
  File opened (read-only) | \??\F: | explorer.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | file.exe
Modifies registry class (9 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A7C5D543-400C-4464-A2A2-A47115DA1248} | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3248 | file.exe (2 entries)
  3300 | (process name not recorded; all remaining entries)
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
  3248 | file.exe
Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Processes (description | pid | process):
  Token: SeShutdownPrivilege | 3300 | (process name not recorded) (2 entries)
  Token: SeCreatePagefilePrivilege | 3300 | (process name not recorded) (2 entries)
  Token: SeShutdownPrivilege | 3328 | explorer.exe (5 entries)
  Token: SeCreatePagefilePrivilege | 3328 | explorer.exe (5 entries)
Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes (pid | process):
  3328 | explorer.exe (7 entries)
Suspicious use of SendNotifyMessage (9 IoCs)
  Processes (pid | process):
  3328 | explorer.exe (9 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 3300 wrote to memory of 2416 | 3300 | (process name not recorded) | cmd.exe (2 entries)
  PID 2416 wrote to memory of 3464 | 2416 | cmd.exe | reg.exe (2 entries)
  PID 3300 wrote to memory of 3052 | 3300 | (process name not recorded) | cmd.exe (2 entries)
  PID 3052 wrote to memory of 3668 | 3052 | cmd.exe | reg.exe (2 entries)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (path, then command line; child processes indented under their parent)
C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BBC9.bat" "
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CC06.bat" "
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\explorer.exe
  explorer.exe
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
  explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
  explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\explorer.exe
  explorer.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 471B
  MD5: a962cde9b0ca0bd1ced7036af84b2cfe
  SHA1: 3514554251d09117f198a799f2068e66978a3f6d
  SHA256: 97afb92afdfc3920dc8f36ccfd75fc13e6ec4161e3c9704c450da4f1cb0937f9
  SHA512: 16e5eef5bcc499e0e4d471a37df8aa3b701be4f4dee45f3f9181906943394df217c06b399e3451e73e9a996fead5d0cf1420902611ee7954da0def7721710df6
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
  Filesize: 412B
  MD5: 646d7252baa43e7c32957178f2d667e5
  SHA1: 1d313c98d27b55ff03e1a010441c12ac2f939a88
  SHA256: d1a342334ba4821a163a55fd328ad6cf8ff85a87ad3ef0628a5e66a4c1a44a80
  SHA512: 2c543a2716f8a99ec995a8d02e60db19a043c73b45bf7df008d543409e50ef01d97e7ad8794a3ff65942fe65a77c3c1711648f03097fa2657872ddb466a65971
C:\Users\Admin\AppData\Local\Temp\BBC9.bat
  Filesize: 77B
  MD5: 55cc761bf3429324e5a0095cab002113
  SHA1: 2cc1ef4542a4e92d4158ab3978425d517fafd16d
  SHA256: d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
  SHA512: 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
Memory dumps (region | Filesize):
memory/2640-35-0x000001B193F00000-0x000001B194000000-memory.dmp | 1024KB
memory/2640-65-0x000001B194FB0000-0x000001B194FD0000-memory.dmp | 128KB
memory/2640-40-0x000001B194FF0000-0x000001B195010000-memory.dmp | 128KB
memory/2640-71-0x000001B1953C0000-0x000001B1953E0000-memory.dmp | 128KB
memory/3248-4-0x0000000000400000-0x0000000002722000-memory.dmp | 35.1MB
memory/3248-6-0x0000000000400000-0x0000000002722000-memory.dmp | 35.1MB
memory/3248-9-0x0000000002880000-0x000000000288B000-memory.dmp | 44KB
memory/3248-10-0x0000000000400000-0x000000000040B000-memory.dmp | 44KB
memory/3248-1-0x0000000002A80000-0x0000000002B80000-memory.dmp | 1024KB
memory/3248-3-0x0000000000400000-0x000000000040B000-memory.dmp | 44KB
memory/3248-2-0x0000000002880000-0x000000000288B000-memory.dmp | 44KB
memory/3300-5-0x0000000002FC0000-0x0000000002FD6000-memory.dmp | 88KB
memory/3300-23-0x0000000002FB0000-0x0000000002FB1000-memory.dmp | 4KB
memory/3536-33-0x00000000046B0000-0x00000000046B1000-memory.dmp | 4KB