Overview
overview
10Static
static
3072894a720...70.exe
windows10-2004-x64
10075e0048e6...e5.exe
windows10-2004-x64
10131b78a330...7b.exe
windows10-2004-x64
1056b0ed98e3...54.exe
windows10-2004-x64
10807255749f...62.exe
windows7-x64
10807255749f...62.exe
windows10-2004-x64
108a8433aeba...ed.exe
windows10-2004-x64
108cae2c42df...9a.exe
windows7-x64
108cae2c42df...9a.exe
windows10-2004-x64
10d730c48963...34.exe
windows10-2004-x64
10e98954290c...65.exe
windows10-2004-x64
10Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 18:18
Static task
static1
Behavioral task
behavioral1
Sample
072894a7206e62128b078f8cf245defd279d28624f577f7859cb03be552fdb70.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral2
Sample
075e0048e616f67de702a289e630f2df2651249474b3366d424d5bfefc2071e5.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
131b78a330f033599e72f43b4c44a4ce16181a4de774a7e0ebc96fe998dea67b.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral4
Sample
56b0ed98e3472c3ed4c501f9630c8e00fd98a17a99687541889c257dffc5d254.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
807255749f8cbfc2228481c6cd8cbe37517093850c1a0f3d0ed61f607efcae62.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
8a8433aebabfcb2900d5e032245cc3101e94cfdca88d10eea3b26330a0a334ed.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral9
Sample
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
d730c48963f262ecbad13e78511797a739e647356a733f1239b17e16fc51cc34.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
e98954290c7c1115f81a9b91ee8f444cad7f016d85fb2d9b70793e27c9384365.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe
-
Size
254KB
-
MD5
6c76dfb25714e5941d70f7a275e75e5d
-
SHA1
5ed48c3c57d1abeece0b35d7bb85a6bf71ab385b
-
SHA256
8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a
-
SHA512
2aff7b21be560dcfeeafc9f7ed1ab0a1e10ebc2a0363a656e880d05e0c7f20030a8d44926ad72f395632ecd8bf441fe71538c81e7520d73bacf85017ab0f0d97
-
SSDEEP
3072:gHvq+7xq+eNvu2U1GA0B+t+ieyOR/VCY0rJ25o3BcJTcVVeosbVFlb9eAg0FujDL:gTD2Lr/V90d2WxjV/hAOIKVg/oPGCV
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
pid Process 2788 utgcsjd -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1148 set thread context of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 -
Program crash 1 IoCs
pid pid_target Process procid_target 1524 1148 WerFault.exe 27 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3020 AppLaunch.exe 3020 AppLaunch.exe 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3020 AppLaunch.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1248 Process not Found 1248 Process not Found -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1248 Process not Found 1248 Process not Found -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 2980 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 28 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 3020 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 29 PID 1148 wrote to memory of 1524 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 30 PID 1148 wrote to memory of 1524 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 30 PID 1148 wrote to memory of 1524 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 30 PID 1148 wrote to memory of 1524 1148 8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe 30 PID 1992 wrote to memory of 2788 1992 taskeng.exe 34 PID 1992 wrote to memory of 2788 1992 taskeng.exe 34 PID 1992 wrote to memory of 2788 1992 taskeng.exe 34 PID 1992 wrote to memory of 2788 1992 taskeng.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe"C:\Users\Admin\AppData\Local\Temp\8cae2c42df2dcc0b08b46e91d7ffbdd38e6e53724f0873f0cc05747f396b759a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3020
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1002⤵
- Program crash
PID:1524
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {0F5992A8-07DF-47D0-BF4A-4CF9B0B8F77E} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Roaming\utgcsjdC:\Users\Admin\AppData\Roaming\utgcsjd2⤵
- Executes dropped EXE
PID:2788
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD57825cad99621dd288da81d8d8ae13cf5
SHA1f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA5122e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4