Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 30-06-2024 12:29
Static task: static1
Behavioral task: behavioral1
Sample: b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Resource: win10v2004-20240226-en
Behavioral task: behavioral2
Sample: b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Resource: win11-20240508-en
General
Target: b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Size: 222KB
MD5: b2a74324e7570bdd7a2eaa9d165bfda3
SHA1: b3fdbdcd8da293f0feaa2df0a7bb2d8fa48e5701
SHA256: b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c
SHA512: adb707b5aa4ce306f302a4b390d5e40667c3568d3814753a95ef96f387d3fe4cbc4bd3f367c893ef775f24a844c6f45543c5416d153d20ff534ae7b16677ea5c
SSDEEP: 6144:t6xCNsCaRUy72ELsa5X0eOBJpHJXkMcD:MxSsCaRUy72EdXR4VCD
Malware Config
Extracted
Family: smokeloader
Version: pub2
Extracted
Family: smokeloader
Version: 2022
C2:
http://evilos.cc/tmp/index.php
http://gebeus.ru/tmp/index.php
http://office-techs.biz/tmp/index.php
http://cx5519.com/tmp/index.php
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoCs)
Processes:
pid   process
3300  (process name not shown in the report)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description     ioc                                                process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   process
4656  b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe (2 entries)
3300  (process name not shown in the report; the remaining 62 entries)

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid   process
4656  b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b173e617fe7cf822915a6d95bbba7935ad0f16fa5e334be6c7b85290b9b8ab2c.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/3300-5-0x0000000003020000-0x0000000003036000-memory.dmp (Filesize: 88KB)
memory/4656-1-0x0000000002EF0000-0x0000000002FF0000-memory.dmp (Filesize: 1024KB)
memory/4656-2-0x0000000002E90000-0x0000000002E9B000-memory.dmp (Filesize: 44KB)
memory/4656-4-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
memory/4656-3-0x0000000000400000-0x0000000002BF0000-memory.dmp (Filesize: 39.9MB)
memory/4656-10-0x0000000000400000-0x000000000040B000-memory.dmp (Filesize: 44KB)
memory/4656-9-0x0000000002E90000-0x0000000002E9B000-memory.dmp (Filesize: 44KB)
memory/4656-6-0x0000000000400000-0x0000000002BF0000-memory.dmp (Filesize: 39.9MB)