Overview

overview

10

Static

static

3921ed60cb...4a.exe

windows7_x64

10

3921ed60cb...4a.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a.exe

  • Size

    1.5MB

  • MD5

    e7418166327850a7fa1b63e83e608115

  • SHA1

    ef5697e60c83b41953bb6f9f04cb3a0d3a71fc2e

  • SHA256

    3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a

  • SHA512

    c8b07a467ae66635b57b915b65b0a97d930183c0c3857f2e3b020079221b5ede1dd51f4f9b8ede661fc4dad8d4c5146870bc1480f64a1971c28cf70d4ffff3eb

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2017

C2

http://dogewareservice.ru/

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a.exe
    "C:\Users\Admin\AppData\Local\Temp\3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a.exe
      "C:\Users\Admin\AppData\Local\Temp\3921ed60cb4c8f6f4f958de1c1c5c9461838f6bcb9f410bf8b5065723bd4144a.exe"
      2⤵
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\SysWOW64\explorer.exe
        explorer.exe
        3⤵
          PID:2432
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 1116
            4⤵
            • Program crash
            PID:4592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2432 -ip 2432
      1⤵
        PID:4516

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/552-130-0x0000000074A00000-0x0000000074FB1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/552-135-0x0000000074A00000-0x0000000074FB1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/552-137-0x0000000074A00000-0x0000000074FB1000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2432-136-0x0000000000000000-mapping.dmp
        Download
      • memory/2432-138-0x00000000009B0000-0x0000000000DE3000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/2432-139-0x0000000000700000-0x000000000070A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2432-141-0x0000000000700000-0x000000000070A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2632-132-0x0000000000400000-0x0000000000405000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2632-131-0x0000000000000000-mapping.dmp
        Download
      • memory/2632-133-0x0000000000400000-0x0000000000405000-memory.dmp
        Filesize

        20KB

        Download
      • memory/2632-134-0x0000000000B70000-0x0000000000B7A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/2632-140-0x0000000000B70000-0x0000000000B7A000-memory.dmp
        Filesize

        40KB

        Download