Analysis
-
max time kernel
106s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
21-05-2024 15:06
General
-
Target
784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe
-
Size
209KB
-
MD5
487c5ef864db010745ea26e6c27cdf10
-
SHA1
b285aecebee79d70f684832a2bb09467c6db6cfb
-
SHA256
784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44
-
SHA512
8dfd0185117d909fca007e9bd53dcc90da54d8b2bccac265f8a963f46a5b05c0d38ef981531b441ae5b762632f28ec4a7b45293cb4d2d99235ec61c1add98a4c
-
SSDEEP
1536:n3o311bC7Xu1LpopPim+PvDOmdVFnb0MLrR2mbU9EFJ0NxgVO1MGyF59vXMziEV0:4/MePP7rrRHbU9EFJ0YVj5GZH
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 39 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 10 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe"C:\Users\Admin\AppData\Local\Temp\784e3a535f623d7c59209e39bbdbd9ffabcc07157efbcaf12a8143190c08ed44.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\54A3.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6628.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5cf94c140b8e861d5b8a579457f8e4c26
SHA1972614473d6a8399f72403c6090ed50bcee1e56b
SHA2562307783397917148817da0e40ad8afc4256a3a42230085eaebe512d815ced1fc
SHA512696239223616e16d17775660d2e1ef97e4b536741a2cb406510d9de8e4090f6653c0e2fc8196bde76be527b02f2e362bad3b73ad37ac9b0168efaa3c80d90c05
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD568b91aa56420a00a88bbc23d43fb4277
SHA1b9c3f3fd5fe3861c9494a488e12e23e7cbf3b78f
SHA256b1f6988e1c459a87367887f59e1810f36a2787655caab9cba6a4875a903668de
SHA5125bda4169b49c541f2846e023d1f2b4e414e6340341d878bceee3b4e5652d93d9dd48c5e707c48505318a9a0c5720e7f9d351f901ab080b8eb92bd9c5f674a61f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5e7d8fa6976c678040856c66be93113a7
SHA17444efb6ea604cb018ae195cfee66ed1ecdd91ce
SHA25637267c482adce0fc6e14bfd07a6a97f4cc462cbce275808d420704b2d73d33bb
SHA5125af9f0a3b45a1cb6d646ac87e833036abb4817ef9b67b6912e1febd15942e222ca16e9ec99be8dfab46b781afa21964fc6b5da387ea038ed00e3cdc9234e7a36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xmlFilesize
96B
MD584209e171da10686915fe7efcd51552d
SHA16bf96e86a533a68eba4d703833de374e18ce6113
SHA25604d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b
SHA51248d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd
-
C:\Users\Admin\AppData\Local\Temp\54A3.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
memory/372-177-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/1972-1-0x00000000023E0000-0x00000000024E0000-memory.dmpFilesize
1024KB
-
memory/1972-3-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1972-2-0x0000000003F60000-0x0000000003F6B000-memory.dmpFilesize
44KB
-
memory/1972-9-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/1972-8-0x0000000003F60000-0x0000000003F6B000-memory.dmpFilesize
44KB
-
memory/1972-7-0x0000000000400000-0x0000000002351000-memory.dmpFilesize
31.3MB
-
memory/2756-339-0x0000019DC5190000-0x0000019DC51B0000-memory.dmpFilesize
128KB
-
memory/2756-327-0x0000019DC51D0000-0x0000019DC51F0000-memory.dmpFilesize
128KB
-
memory/2756-321-0x0000019DC4300000-0x0000019DC4400000-memory.dmpFilesize
1024KB
-
memory/2756-340-0x0000019DC5830000-0x0000019DC5850000-memory.dmpFilesize
128KB
-
memory/3120-319-0x0000000004800000-0x0000000004801000-memory.dmpFilesize
4KB
-
memory/3360-24-0x0000000002B90000-0x0000000002B91000-memory.dmpFilesize
4KB
-
memory/3360-4-0x0000000002BD0000-0x0000000002BE6000-memory.dmpFilesize
88KB
-
memory/3912-213-0x0000014E3C7D0000-0x0000014E3C7F0000-memory.dmpFilesize
128KB
-
memory/3912-184-0x0000014E3CC20000-0x0000014E3CC40000-memory.dmpFilesize
128KB
-
memory/3912-180-0x000001463A900000-0x000001463AA00000-memory.dmpFilesize
1024KB
-
memory/3912-216-0x0000014E3CFE0000-0x0000014E3D000000-memory.dmpFilesize
128KB
-
memory/3912-179-0x000001463A900000-0x000001463AA00000-memory.dmpFilesize
1024KB
-
memory/3968-33-0x00000000040D0000-0x00000000040D1000-memory.dmpFilesize
4KB
-
memory/4268-55-0x0000011152130000-0x0000011152150000-memory.dmpFilesize
128KB
-
memory/4268-70-0x00000111527D0000-0x00000111527F0000-memory.dmpFilesize
128KB
-
memory/4268-34-0x0000011151220000-0x0000011151320000-memory.dmpFilesize
1024KB
-
memory/4268-39-0x0000011152170000-0x0000011152190000-memory.dmpFilesize
128KB