Analysis
max time kernel: 300s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
  Resource: win10-20240404-en
General
Target: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
Size: 262KB
MD5: 08c5ed62a9f70d92e2aa9c5784c98d2b
SHA1: 21861685a275d8aa9aac3002d8be87ea2ca437fe
SHA256: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147
SHA512: fe60707f90845c7456e68b7e3dedc284951cfaab7a39368415b2fded1d98cb662eb78b143c04da63b4fedefa875050f5380f0be12e7d46fe02d596e8d352a978
SSDEEP: 1536:R9Js4zOyRr4FmUvBtlCWsnWOKJ//l0dR989Sqp4J4lUYHwf5WicloDKlX+w01lNf:PJ5afJ2WfJ//Kz93N4jk5WSNumh
Malware Config
Extracted
smokeloader
2022
http://buildnotbud.com/index.php
http://build-not-bud.com/index.php
http://build-not-bud.org/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes (pid / process):
1208

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description / ioc / process), tab: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process), tab: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
2204  906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe (listed twice)
1208  (all remaining entries, process name not recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes (pid / process), tab: 906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
2204  906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
Token: SeShutdownPrivilege    1208
Processes
C:\Users\Admin\AppData\Local\Temp\906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\906c789b8e6257a610c394aaf00418dc5c77cbde2c53cc080fdc45fb0b8d5147.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection