Overview
overview
10Static
static
3072894a720...70.exe
windows10-2004-x64
10075e0048e6...e5.exe
windows10-2004-x64
10131b78a330...7b.exe
windows10-2004-x64
1056b0ed98e3...54.exe
windows10-2004-x64
10807255749f...62.exe
windows7-x64
10807255749f...62.exe
windows10-2004-x64
108a8433aeba...ed.exe
windows10-2004-x64
108cae2c42df...9a.exe
windows7-x64
108cae2c42df...9a.exe
windows10-2004-x64
10d730c48963...34.exe
windows10-2004-x64
10e98954290c...65.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 18:33
Static task
static1
Behavioral task
behavioral1
Sample
072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral9
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
-
Size
254KB
-
MD5
6c76dfb25714e5941d70f7a275e75e5d
-
SHA1
5ed48c3c57d1abeece0b35d7bb85a6bf71ab385b
-
SHA256
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
-
SHA512
2aff7b21be560dcfeeafc9f7ed1ab0a1e10ebc2a0363a656e880d05e0c7f20030a8d44926ad72f395632ecd8bf441fe71538c81e7520d73bacf85017ab0f0d97
-
SSDEEP
3072:gHvq+7xq+eNvu2U1GA0B+t+ieyOR/VCY0rJ25o3BcJTcVVeosbVFlb9eAg0FujDL:gTD2Lr/V90d2WxjV/hAOIKVg/oPGCV
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2192 set thread context of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 -
Program crash 1 IoCs
pid pid_target Process procid_target 2484 2192 WerFault.exe 27 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2144 AppLaunch.exe 2144 AppLaunch.exe 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found 1232 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2144 AppLaunch.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2144 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 2192 wrote to memory of 2484 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 2192 wrote to memory of 2484 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 2192 wrote to memory of 2484 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 2192 wrote to memory of 2484 2192 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe"C:\Users\Admin\AppData\Local\Temp\8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2144
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 922⤵
- Program crash
PID:2484
-