Analysis
- max time kernel: 300s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 23:08
Static task: static1
Behavioral task: behavioral1
- Sample: 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Resource: win10-20240404-en
General
- Target: 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Size: 310KB
- MD5: 4141910717b182a0cbe6e32c527e325f
- SHA1: f247bc2dc5c671c74aef338be6f848bbf54e0d44
- SHA256: 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9
- SHA512: ae39c610cfe0a548627a7817cef6d87945f03fc559b3fd52a8f843e0499c8d04536880aabb7da90bfbeca6731a69a0763fa989b9f7f18237534798488f5dec2c
- SSDEEP: 3072:bB2ggCALXBkKgZc5TO4wePyVlv9vZbcx+dxg5bUkBaXa60P:bQgg7LxkKcM/3PyVl9hbndxCUkBs
Malware Config
Extracted
- Family: smokeloader
- Version: 2022
- C2 URLs:
  - http://movlat.com/tmp/
  - http://llcbc.org/tmp/
  - http://lindex24.ru/tmp/
  - http://qeqei.xyz/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself (1 IoC)
Processes (pid | process):
- 1196 | (process name not recorded in the report)
-
Executes dropped EXE (1 IoC)
Processes (pid | process):
- 2248 | tcgejua
-
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcgejua
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcgejua
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcgejua
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process):
- 2760 | 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe (2 entries)
- 1196 | (process name not recorded in the report; 62 entries)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid | process):
- 2760 | 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe
- 2248 | tcgejua
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
- Token: SeShutdownPrivilege | 1196 | (process name not recorded in the report)
-
Suspicious use of WriteProcessMemory (4 IoCs)
Processes (description | pid | process | target process):
- PID 2268 wrote to memory of 2248 | 2268 | taskeng.exe | tcgejua (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {4A8AF64D-F4D5-4280-B493-ACBE5A957DE5} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\tcgejua (depth 2, child of taskeng.exe)
    Command line: C:\Users\Admin\AppData\Roaming\tcgejua
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\tcgejua
  Filesize: 310KB
  MD5: 4141910717b182a0cbe6e32c527e325f
  SHA1: f247bc2dc5c671c74aef338be6f848bbf54e0d44
  SHA256: 9af00dbe2aecfe5f8cd76a466ee05b9a2d8ec64bc4000d79e21a3a315bcc03c9
  SHA512: ae39c610cfe0a548627a7817cef6d87945f03fc559b3fd52a8f843e0499c8d04536880aabb7da90bfbeca6731a69a0763fa989b9f7f18237534798488f5dec2c
- memory/1196-3-0x0000000002E10000-0x0000000002E26000-memory.dmp
  Filesize: 88KB
- memory/1196-14-0x0000000002E30000-0x0000000002E46000-memory.dmp
  Filesize: 88KB
- memory/2248-13-0x0000000000400000-0x000000000273B000-memory.dmp
  Filesize: 35.2MB
- memory/2248-15-0x0000000000400000-0x000000000273B000-memory.dmp
  Filesize: 35.2MB
- memory/2760-1-0x0000000000400000-0x000000000273B000-memory.dmp
  Filesize: 35.2MB
- memory/2760-2-0x0000000000400000-0x000000000273B000-memory.dmp
  Filesize: 35.2MB
- memory/2760-4-0x0000000000400000-0x000000000273B000-memory.dmp
  Filesize: 35.2MB