Overview

overview

10

Static

static

37cec47f7e...51.exe

windows7_x64

10

37cec47f7e...51.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 22:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37cec47f7e010eb81cdbacbe8ad5b9f46999f0f90f8bed4d2c440e358e224c51.exe

  • Size

    235KB

  • MD5

    190b6674a4b8403b85ed63c57223e601

  • SHA1

    278552a9deb9fe4c449b459b93f7bcb64b5db793

  • SHA256

    37cec47f7e010eb81cdbacbe8ad5b9f46999f0f90f8bed4d2c440e358e224c51

  • SHA512

    991a6793a1d017aa415efaf3bfb1818707750f17bc3b6b84f74695511e4dcd72bc588af8aeb687bb9d441a5a5cc69da866bf3dee19964baf7212661b52809488

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://ghjuytr33r.net/

http://selebtiti.net/

http://justinbiberpiror.net/

http://rebnunino.net/

http://indamixtuy.net/

http://iluiloinu.net/

http://gretianopelletua.top/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookAW 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37cec47f7e010eb81cdbacbe8ad5b9f46999f0f90f8bed4d2c440e358e224c51.exe
    "C:\Users\Admin\AppData\Local\Temp\37cec47f7e010eb81cdbacbe8ad5b9f46999f0f90f8bed4d2c440e358e224c51.exe"
    1⤵
    • Maps connected drives based on registry
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookAW
    PID:4644
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

4
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3052-132-0x0000000002F30000-0x0000000002F45000-memory.dmp
    Filesize

    84KB

    Download
  • memory/4644-130-0x00000000004C0000-0x00000000004C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/4644-131-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download
  • memory/4644-133-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

    Download