Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/09/2022, 15:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    284KB

  • MD5

    843002e5912c43e3c12ba581bb36392e

  • SHA1

    0fa3cb130e264ee4d875ae10470724671499956d

  • SHA256

    40adc6e92ca2f30ce02d7a45181bbda2bd30155d1496c12e92860fbf72572e12

  • SHA512

    a90123227356bc6cd02489e480e0a0c5be06607aa3c5091e1f8ca4be3f9154d7345a214d3f8de5a641207dd0b2436f696e9c34b57c08201be9afce24f968baa0

  • SSDEEP

    6144:z+9BctZBeshJmsOTkuIfuzbgwuO0WfwVfg+L:z5tveshJmNTkuIunnwI+

Score
10/10
smokeloaderbackdoorbootkitpersistencetrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3448
  • C:\Users\Admin\AppData\Local\Temp\350A.exe
    C:\Users\Admin\AppData\Local\Temp\350A.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:216

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\350A.exe
    Filesize

    606KB

    MD5

    bbcb39371a9c50d38dcca013773bb119

    SHA1

    595bd43fbe68c2628d7cb335195d1d52c9256d83

    SHA256

    2a189bee6efa3494d238444e14e1a709cef9ad3b32093518a5bb06d7196516e0

    SHA512

    314c4318a818eebbf2bfda93d2c199d2a7a3538cc32b967ef5edfe88d7dd3b7575da8a4814c0cb3d3554c077e56685f32db3d4ce838239b9ecf3f67ec1a4ae13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\350A.exe
    Filesize

    606KB

    MD5

    bbcb39371a9c50d38dcca013773bb119

    SHA1

    595bd43fbe68c2628d7cb335195d1d52c9256d83

    SHA256

    2a189bee6efa3494d238444e14e1a709cef9ad3b32093518a5bb06d7196516e0

    SHA512

    314c4318a818eebbf2bfda93d2c199d2a7a3538cc32b967ef5edfe88d7dd3b7575da8a4814c0cb3d3554c077e56685f32db3d4ce838239b9ecf3f67ec1a4ae13

    Download Submit

  • memory/216-140-0x000000000061E000-0x000000000067E000-memory.dmp

    Filesize

    384KB

    Download

  • memory/216-139-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/216-141-0x0000000000570000-0x00000000005DB000-memory.dmp

    Filesize

    428KB

    Download

  • memory/216-142-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/216-143-0x000000000061E000-0x000000000067E000-memory.dmp

    Filesize

    384KB

    Download

  • memory/216-144-0x0000000000400000-0x000000000049D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/3448-135-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3448-134-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3448-133-0x00000000004D0000-0x00000000004D9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3448-132-0x000000000050E000-0x000000000051F000-memory.dmp

    Filesize

    68KB

    Download