Analysis
-
max time kernel
152s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
05-10-2022 21:48
General
-
Target
http://guluiiiimnstrannaer.net/dl/6523.exe
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://guluiiiimnstrannaer.net/dl/6523.exe1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:560 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\6523.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\6523.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\6523.exeFilesize
271KB
MD50b28c768b2688d0b845c6cc8fd1c0c0d
SHA19c90b3b6675075e7e36199f9ece3fd4d8231b810
SHA25666d05cd109af6833d21e53732782d29a1b4f2f24b4431fc65c3c39da708e6c59
SHA5124d6d255afa82b82a903f5d40c31c286ae8f8945d01a255657e8ce00e523418138ef4c47d3a4d6e5b76812fd5d80efd1afea622972eb424972852a92c54229d11
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I9NA5QYV\6523.exe.bylc3gf.partialFilesize
271KB
MD50b28c768b2688d0b845c6cc8fd1c0c0d
SHA19c90b3b6675075e7e36199f9ece3fd4d8231b810
SHA25666d05cd109af6833d21e53732782d29a1b4f2f24b4431fc65c3c39da708e6c59
SHA5124d6d255afa82b82a903f5d40c31c286ae8f8945d01a255657e8ce00e523418138ef4c47d3a4d6e5b76812fd5d80efd1afea622972eb424972852a92c54229d11
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HQ50HXDD.txtFilesize
603B
MD5b025a2a8a43a2645c9acfe119af86cf9
SHA104d328cf54e7eeddea2e6c6824231c4f5a5db8a5
SHA2562f1802781a4c5bbdddfcca3ba7b32cc04f42ea2324274b9605dbbe32ebd7ccb2
SHA512e2002ef931877f88a7ea8aa4a9cde2a5ec15f31b032da08da680d9d70bfa133df487da314225ca6241e4cdca7e90f68655c30ee09020800f860d9b033be78e6a
-
memory/1776-55-0x0000000000000000-mapping.dmp
-
memory/1776-58-0x0000000076041000-0x0000000076043000-memory.dmpFilesize
8KB
-
memory/1776-59-0x0000000000230000-0x0000000000330000-memory.dmpFilesize
1024KB
-
memory/1776-60-0x00000000003A0000-0x00000000003A9000-memory.dmpFilesize
36KB
-
memory/1776-61-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/1776-62-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB