Overview

overview

10

Static

static

db79d6a667...50.exe

windows10-1703-x64

10

Resubmissions

19-11-2022 21:40

221119-1jgzlacd49 8

19-11-2022 13:48

221119-q4ed4adg34 10

19-11-2022 06:26

221119-g7aqmscg91 10

19-11-2022 05:30

221119-f67hjsbc8t 10

15-11-2022 20:50

221115-zm3j2abf6y 10

15-11-2022 20:50

221115-zmpm6sfh23 10

15-11-2022 20:49

221115-zl6kasfg98 10

15-11-2022 20:19

221115-y4ct9sff87 10

14-11-2022 19:39

221114-yc4tnsdb92 10

14-11-2022 19:34

221114-yakb9adb83 10

Analysis

  • max time kernel
    27s
  • max time network
    21s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-11-2022 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe

  • Size

    307KB

  • MD5

    0abe50c1509136bf62d2184ab439e7a5

  • SHA1

    722a7e2a0dd66f506ba93d24946b8bf504b100c0

  • SHA256

    db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50

  • SHA512

    0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5

  • SSDEEP

    6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Drops file in Windows directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 56 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
    "C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3884
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4088
    • C:\Windows\system32\net.exe
      net user /add shit shit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user /add shit shit
        3⤵
          PID:4976
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3ae0055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4732

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3884-115-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-116-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-117-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-118-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-119-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-120-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-121-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-123-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-124-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-125-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-126-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-127-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-128-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-129-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-130-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-131-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-132-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-133-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-134-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-135-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-136-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-137-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-138-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-139-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-140-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-141-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-143-0x00000000009A0000-0x0000000000AEA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3884-142-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-144-0x0000000000970000-0x0000000000979000-memory.dmp
      Filesize

      36KB

      Download
    • memory/3884-145-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-146-0x0000000000400000-0x0000000000850000-memory.dmp
      Filesize

      4.3MB

      Download
    • memory/3884-147-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-148-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-149-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-150-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-151-0x0000000076EC0000-0x000000007704E000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3884-152-0x0000000000400000-0x0000000000850000-memory.dmp
      Filesize

      4.3MB

      Download
    • memory/4208-153-0x0000000000000000-mapping.dmp
      Download
    • memory/4976-154-0x0000000000000000-mapping.dmp
      Download