Overview

overview

10

Static

static

c10ebeb0d2...12.exe

windows7_x64

10

c10ebeb0d2...12.exe

windows10_x64

10

Resubmissions

24-01-2022 15:55

220124-tcsn7afch2 10

11-10-2021 17:18

211011-vvdteshga6 10

Analysis

  • max time kernel
    102s
  • max time network
    96s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-01-2022 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c10ebeb0d29119a2a7177f857318d012.exe

  • Size

    337KB

  • MD5

    c10ebeb0d29119a2a7177f857318d012

  • SHA1

    687672a6b2001376c192991c1b5237cf6467f393

  • SHA256

    4eb02a90be27af84c49a2f62da8e179e5117d82db4e25c7a2c80e2954583bdb3

  • SHA512

    447e1010864262bc642613b1f597507689d92353930a398bd85a24e2728ea7eb6ad75c413943966a5828422b380de2eff69725c0e5468125e2d9fa35a16df292

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 13 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe
    "C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe
      "C:\Users\Admin\AppData\Local\Temp\c10ebeb0d29119a2a7177f857318d012.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3308
  • C:\Windows\ImmersiveControlPanel\SystemSettings.exe
    "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1952
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2648
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\1361672858.pri
    MD5

    050f862ebe4280881ec261b7de17a5eb

    SHA1

    f88837dcc7727abd92298f2868a4e603e36dd4ae

    SHA256

    5a9ee4039e88417093c55cfb4c7b7aea8c5f09695a111fd1c2a78b170536afb4

    SHA512

    b77852e2179808744c1d0234d93f6a11dc7c1b74f2f2951af6b21bce10a0fba95b643af159c64ab3168074855cd26aa30aa625a8363f69b1dd98ca49c90b14b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\97717462.pri
    MD5

    b6001b9e5fc5c3d537375f572212762b

    SHA1

    f03b0351d2730994e847d9afcf118395c331e400

    SHA256

    0ee6fb6ae927f06a3f74721d0a2be1d7b2158e171e9d32b68747121054e7f910

    SHA512

    918db362fd4f49d8720c34299dcc1f119bc7a0981f48d9939fcad29e14c58262daab23a131cd386437587bf8084a1dce43a58218dec757074e0004794db1129b

    Download Submit

  • memory/3036-122-0x0000000000A20000-0x0000000000A36000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3308-119-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3308-121-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3536-118-0x0000000001970000-0x0000000001998000-memory.dmp

    Filesize

    160KB

    Download

  • memory/3536-120-0x00000000017F0000-0x00000000017F9000-memory.dmp

    Filesize

    36KB

    Download