Overview

overview

10

Static

static

4ace520674...85.exe

windows7_x64

10

4ace520674...85.exe

windows10_x64

10

Analysis

  • max time kernel
    159s
  • max time network
    79s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    29/08/2021, 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ace52067451935ebab5e0826ae22a85.exe

  • Size

    142KB

  • MD5

    4ace52067451935ebab5e0826ae22a85

  • SHA1

    f562290eb3c56f0c04fe65965174717b3d072aa2

  • SHA256

    3d59ac598ad756cfa7d56ea28d85071266ccfbcec2bc952600ff82fec99d633c

  • SHA512

    934fef4d12c30181b2d54390ed72b78086445f149c64a0ee9f5fe3aa15a397c20ac606fc7f6cacf814da7db88f0b4c5340a5a54e351ee7402ebba2698e560155

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ace52067451935ebab5e0826ae22a85.exe
    "C:\Users\Admin\AppData\Local\Temp\4ace52067451935ebab5e0826ae22a85.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\4ace52067451935ebab5e0826ae22a85.exe
      "C:\Users\Admin\AppData\Local\Temp\4ace52067451935ebab5e0826ae22a85.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3080
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:2236
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:596
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:1508
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:3744
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:2164
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:3968
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:4076
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:928
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:2196
                    • C:\Users\Admin\AppData\Roaming\defehsj
                      C:\Users\Admin\AppData\Roaming\defehsj
                      1⤵
                      • Executes dropped EXE
                      PID:1556

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/596-122-0x0000000001230000-0x0000000001237000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/596-123-0x0000000001220000-0x000000000122C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/652-114-0x0000000001E60000-0x0000000001E6A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/928-140-0x00000000004A0000-0x00000000004A5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/928-141-0x0000000000490000-0x0000000000499000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/1508-125-0x0000000000B80000-0x0000000000B87000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/1508-126-0x0000000000B70000-0x0000000000B7B000-memory.dmp

                      Filesize

                      44KB

                      Download

                    • memory/2164-132-0x0000000000BA0000-0x0000000000BA9000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2164-131-0x0000000000BB0000-0x0000000000BB5000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2196-144-0x0000000003450000-0x0000000003459000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/2196-143-0x0000000003460000-0x0000000003465000-memory.dmp

                      Filesize

                      20KB

                      Download

                    • memory/2236-120-0x0000000000A00000-0x0000000000A74000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/2236-121-0x0000000000740000-0x00000000007AB000-memory.dmp

                      Filesize

                      428KB

                      Download

                    • memory/3020-117-0x00000000005B0000-0x00000000005C6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3080-115-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3744-128-0x0000000000C20000-0x0000000000C29000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/3744-129-0x0000000000C10000-0x0000000000C1F000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/3968-135-0x0000000000720000-0x000000000072C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3968-134-0x0000000000730000-0x0000000000736000-memory.dmp

                      Filesize

                      24KB

                      Download

                    • memory/4076-137-0x00000000007F0000-0x00000000007F4000-memory.dmp

                      Filesize

                      16KB

                      Download

                    • memory/4076-138-0x00000000007E0000-0x00000000007E9000-memory.dmp

                      Filesize

                      36KB

                      Download