Overview

overview

10

Static

static

88d7e4d976...82.exe

windows7_x64

10

88d7e4d976...82.exe

windows10_x64

10

Analysis

  • max time kernel
    166s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29/08/2021, 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88d7e4d97668f06068ec238fabc59d82.exe

  • Size

    142KB

  • MD5

    88d7e4d97668f06068ec238fabc59d82

  • SHA1

    c5ded1e34d8b1aaa62d8fcc45f245ebe3922baed

  • SHA256

    b54c24558cf6e2625c473b5703aa2fe21887b7434377fe1d868966a57c5bc483

  • SHA512

    0629a9226af34f4f0c573a92cf567952c46acd6b707e0c576189ac96999d7ca24c00e0d19e428672566aa4dc72778c1d39053b296d6441946db4c646d6728f68

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\88d7e4d97668f06068ec238fabc59d82.exe
    "C:\Users\Admin\AppData\Local\Temp\88d7e4d97668f06068ec238fabc59d82.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Users\Admin\AppData\Local\Temp\88d7e4d97668f06068ec238fabc59d82.exe
      "C:\Users\Admin\AppData\Local\Temp\88d7e4d97668f06068ec238fabc59d82.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:68
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:3700
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:2816
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:492
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:364
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:2196
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:4072
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:2212
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:3692
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:2824
                    • C:\Users\Admin\AppData\Roaming\rwtdiub
                      C:\Users\Admin\AppData\Roaming\rwtdiub
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of WriteProcessMemory
                      PID:3844
                      • C:\Users\Admin\AppData\Roaming\rwtdiub
                        C:\Users\Admin\AppData\Roaming\rwtdiub
                        2⤵
                        • Executes dropped EXE
                        • Checks SCSI registry key(s)
                        PID:3180

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/68-114-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/364-128-0x00000000003D0000-0x00000000003D9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/364-129-0x00000000003C0000-0x00000000003CF000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/492-126-0x0000000002C00000-0x0000000002C0B000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/492-125-0x0000000002C10000-0x0000000002C17000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/764-116-0x0000000001D80000-0x0000000001E2E000-memory.dmp

                      Filesize

                      696KB

                      Download

                    • memory/2196-132-0x0000000002A90000-0x0000000002A99000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2196-131-0x0000000002AA0000-0x0000000002AA5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2212-137-0x0000000002DA0000-0x0000000002DA4000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/2212-138-0x0000000002D90000-0x0000000002D99000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2536-117-0x0000000000870000-0x0000000000886000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2816-123-0x00000000004A0000-0x00000000004AC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2816-122-0x00000000004B0000-0x00000000004B7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/2824-144-0x0000000002CC0000-0x0000000002CC9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2824-143-0x0000000002CD0000-0x0000000002CD5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3692-141-0x0000000000720000-0x0000000000729000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3692-140-0x0000000000730000-0x0000000000735000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/3700-120-0x0000000002760000-0x00000000027D4000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/3700-121-0x00000000026F0000-0x000000000275B000-memory.dmp

                      Filesize

                      428KB

                      Download

                    • memory/3844-150-0x0000000001E90000-0x0000000001E9A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/4072-135-0x0000000000E90000-0x0000000000E9C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/4072-134-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

                      Filesize

                      24KB

                      Download