Resubmissions

Submitted          Task ID             Score
13-11-2024 23:34   241113-3kmbta1eqc   10
13-11-2024 22:28   241113-2dpb6azme1   10
11-11-2024 05:34   241111-f9w6zstjbz   10
11-11-2024 03:05   241111-dlmlja1jbx   10
11-11-2024 03:00   241111-dhk9aszrdz   10
08-11-2024 08:59   241108-kx2cdssjdk   10
08-11-2024 08:55   241108-kvvf3aymdw   10

Analysis
max time kernel:  1048s
max time network: 1053s
platform:         windows10-2004_x64
resource:         win10v2004-20241007-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted:        11-11-2024 03:05
Static task: static1

Behavioral task: behavioral1
  Sample:   241105-dtxrgatbpg_pw_infected.zip
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   241105-dtxrgatbpg_pw_infected.zip
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample:   201106-9sxjh7tvxj_pw_infected.zip
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample:   201106-9sxjh7tvxj_pw_infected.zip
  Resource: win10v2004-20241007-en
General

Target: 241105-dtxrgatbpg_pw_infected.zip
Size:   132.7MB
MD5:    136b5aad00be845ec166ae8f6343b335
SHA1:   e51860dfb734c9715b6c9b74d9c582abe03ca90c
SHA256: 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
SHA512: ed56b1afa85e304d6973d69e289631f15955d1619c6943a376d7d319018057d1a6fa0aa340ea6d43037ee17014f13e74e5ebddaf3aec62bf8e2da6b20b14ce42
SSDEEP: 3145728:m2t5SZQXkJuAwd3u5d5VO4Z9WSXL5qgP47khuJWCvcICllCCrE/z:m6ClwdeyqWSXVqeU5J7CvCCrgz
Malware Config
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.

Smokeloader family

Executes dropped EXE (4 IoCs)
  pid   Process
  2792  0di3x.exe
  2776  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  1540  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  812   f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2792  0di3x.exe

Drops file in Windows directory (3 IoCs)
  description                   ioc                     Process
  File opened for modification  C:\Windows\notepad.exe  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  File opened for modification  C:\Windows\notepad.exe  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  File opened for modification  C:\Windows\notepad.exe  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4044  2792        WerFault.exe  97
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  0di3x.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0di3x.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0di3x.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  0di3x.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                   Process
  Key created  \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings  7zFM.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1716  7zFM.exe  (8 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1716  7zFM.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1716  7zFM.exe
  Token: 35                   1716  7zFM.exe
  Token: SeSecurityPrivilege  1716  7zFM.exe  (9 identical entries)

Suspicious use of FindShellTrayWindow (14 IoCs)
  pid   Process
  1716  7zFM.exe  (14 identical entries)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2776  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  1540  f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  812   f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process   procid_target
  PID 1716 wrote to memory of 2792   1716  7zFM.exe  97   (3 identical entries)
  PID 1716 wrote to memory of 1400   1716  7zFM.exe  102  (2 identical entries)
  PID 1716 wrote to memory of 2776   1716  7zFM.exe  104  (3 identical entries)
  PID 1716 wrote to memory of 1540   1716  7zFM.exe  105  (3 identical entries)
  PID 1716 wrote to memory of 812    1716  7zFM.exe  106  (3 identical entries)
Processes

C:\Program Files\7-Zip\7zFM.exe  (level 1)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\241105-dtxrgatbpg_pw_infected.zip"
  PID: 1716
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zO4B6FB5CA\0di3x.exe  (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4B6FB5CA\0di3x.exe"
      PID: 2792
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks SCSI registry key(s)

        C:\Windows\SysWOW64\WerFault.exe  (level 3)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 392
          PID: 4044
          - Program crash

    C:\Windows\System32\WScript.exe  (level 2)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO4B6567EA\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js"
      PID: 1400

    C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe  (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
      PID: 2776
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\7zO4B6FA83B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe  (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4B6FA83B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
      PID: 1540
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    C:\Users\Admin\AppData\Local\Temp\7zO4B68B0AC\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe  (level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4B68B0AC\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe"
      PID: 812
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WerFault.exe  (level 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2792 -ip 2792
  PID: 3304
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
  MD5:    4f3387277ccbd6d1f21ac5c07fe4ca68
  SHA1:   e16506f662dc92023bf82def1d621497c8ab5890
  SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
  SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

C:\Users\Admin\AppData\Local\Temp\7zO4B6567EA\efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
  Filesize: 920KB
  MD5:    4339e3b6d6cf2603cc780e8e032e82f6
  SHA1:   195c244a037815ec13d469e3b28e62a0e10bed56
  SHA256: efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
  SHA512: a87c47c998f667eb8ac280f4e6dc3df182d721c44267c68ee042c17e8168115e38f2e1d59c6928ca595bb93b3bfd112cbd7bffb0ee6ff8ca81f469056f26ff87

C:\Users\Admin\AppData\Local\Temp\7zO4B697C0B\f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a.exe
  Filesize: 248KB
  MD5:    8b273f919ea075cff8c652c51a301bbb
  SHA1:   917baa65532900d1dbd0a3925a898ecf0b4cd569
  SHA256: f28e02bd1e9cc701437328dc7bec07b439b5b97277a7983e9ca302fbc550e48a
  SHA512: b71c4aa7259535889126742045c820f703a5a9caa49b8496620d4566da22f65706e7e617d34ac08e741d96da0f98e617daac2ca02882ab887a4f98fe432d699e

Filesize: 111KB
  MD5:    bd97f762750d0e38e38d5e8f7363f66a
  SHA1:   9ae3d7053246289ff908758f9d60d79586f7fc9f
  SHA256: d4b767b57f453d599559532d7351feeecd4027b89b0b117552b7a3432ed4a158
  SHA512: d0f00c07563aab832b181a7ab93413a93f913f813c83d63c25f4473b7fa2003b4b2a83c97bd9766f9f45a7f2de9e922139a010612f21b15407c9f2bb58a53e39