Overview

overview

10

Static

static

425b9cd4f2...27.exe

windows7_x64

10

425b9cd4f2...27.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 02:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe

  • Size

    210KB

  • MD5

    4a664f5bfd63570f209fa6cf42467eaf

  • SHA1

    bd61a99af933bde5d4c341520e30b62034139c7c

  • SHA256

    425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27

  • SHA512

    62c17b99f91ede151fbd328ff7203efdc4cee1f11207f029b85065bacc426c9c585a4f7fd3fb970d1ff679367852cedff8fe2f7641873bf9ed43d9144a95b232

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://proxy-exe.bit/2/

http://kiyanka.club/2/

http://d3s1.me/2/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
    "C:\Users\Admin\AppData\Local\Temp\425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe"
    1⤵
    • Maps connected drives based on registry
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:556

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/388-55-0x0000000076C81000-0x0000000076C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/388-56-0x00000000002F0000-0x00000000002F9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/388-57-0x0000000000400000-0x000000000043B000-memory.dmp
      Filesize

      236KB

      Download
    • memory/556-54-0x0000000000000000-mapping.dmp
      Download
    • memory/1272-58-0x00000000021A0000-0x00000000021B5000-memory.dmp
      Filesize

      84KB

      Download