Overview

overview

10

Static

static

pub1.exe

windows7_x64

10

pub1.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-04-2022 04:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pub1.exe

  • Size

    2.2MB

  • MD5

    c8e46fca61b2d62c65dee70726a3b3fc

  • SHA1

    c9dcb284c07d234955bad32c763d517a45ce7be1

  • SHA256

    e61172cff1b99c47459423990313f06169c2e25c2273036c54780fb8068a7f57

  • SHA512

    93c08ac468b9feb2f672ca409b6b7fa2ee9b459e21133fdd96abcfb567a49f9eaf609cf339a68b81f9c260d9bbdaffc6e23f10ab639ab00e91238e4971ce74aa

Score
10/10
smokeloaderbackdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://hydroxychl0roquine.xyz/

https://hydroxychl0roquine.xyz/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pub1.exe
    "C:\Users\Admin\AppData\Local\Temp\pub1.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1312-65-0x00000000026B0000-0x00000000026C6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1692-54-0x0000000075951000-0x0000000075953000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1692-55-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-56-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-57-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-58-0x0000000000190000-0x00000000001D3000-memory.dmp
    Filesize

    268KB

    Download
  • memory/1692-59-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-60-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-61-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-62-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download
  • memory/1692-63-0x00000000779E0000-0x0000000077B60000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1692-64-0x0000000000400000-0x00000000009C4000-memory.dmp
    Filesize

    5.8MB

    Download