Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    186KB

  • MD5

    6e0a25e8780cfc36b80a860073b5414b

  • SHA1

    88040417696654eee720434875c2e345df000ebb

  • SHA256

    aa286a4deb0d5818cc07b59fc11d63c4cb530ed1c44480c7ff9a6e23524b9c2e

  • SHA512

    d1565576257d7d0db399804e117f03e07760bf2fa13a4aee1811190c216eef5b6664243a366c1cf82e26445e76e649a29b04b2652ec0dd8d5f1404a4d8af54ac

  • SSDEEP

    3072:XBkAtbkmeqUVbLwytWIiD5ssA+E3hV5j1HyhTQCsQIVYG+:OAhMLwyt7DsbARR0TWf

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2016
  • C:\Users\Admin\AppData\Local\Temp\2839.exe
    C:\Users\Admin\AppData\Local\Temp\2839.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14218
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 520
      2⤵
      • Program crash
      PID:2792
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4032 -ip 4032
    1⤵
      PID:620
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5080

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\2839.exe
        Filesize

        1.0MB

        MD5

        06eb56951a589d42acf83aa7f03f42eb

        SHA1

        2919c57b6ed1aedb5af94183c61cf1b73c073462

        SHA256

        707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

        SHA512

        de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\2839.exe
        Filesize

        1.0MB

        MD5

        06eb56951a589d42acf83aa7f03f42eb

        SHA1

        2919c57b6ed1aedb5af94183c61cf1b73c073462

        SHA256

        707ff527e6415a6da0bd08c3c1af3af7e2732e29ef994490cc77eee9b4b4eebd

        SHA512

        de8dc09da4b584422bdbc33b8a957f917382adf5206f178c0f976de7c4ef2d21dce886f438be1a8ec0be3f7cc9d0def0484a23c006e2661d5b2c6c953351a180

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
        Filesize

        774KB

        MD5

        d5e88f35e214f2dff51a7d494316bac2

        SHA1

        6306dfa71c4e32dede210631cf90732693c0afcf

        SHA256

        f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

        SHA512

        ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
        Filesize

        774KB

        MD5

        d5e88f35e214f2dff51a7d494316bac2

        SHA1

        6306dfa71c4e32dede210631cf90732693c0afcf

        SHA256

        f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

        SHA512

        ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

        Download Submit

      • memory/2016-133-0x00000000027F0000-0x00000000027F9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2016-134-0x0000000000400000-0x00000000027E8000-memory.dmp

        Filesize

        35.9MB

        Download

      • memory/2016-135-0x0000000000400000-0x00000000027E8000-memory.dmp

        Filesize

        35.9MB

        Download

      • memory/2016-132-0x000000000282D000-0x000000000283E000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2172-145-0x00000000050E0000-0x0000000005C41000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/2172-149-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2172-139-0x0000000000000000-mapping.dmp

        Download

      • memory/2172-159-0x00000000050E0000-0x0000000005C41000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/2172-156-0x00000000048A9000-0x00000000048AB000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2172-146-0x00000000050E0000-0x0000000005C41000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/2172-152-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2172-147-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2172-148-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2172-151-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2172-150-0x0000000004830000-0x0000000004970000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3540-153-0x00007FF647D16890-mapping.dmp

        Download

      • memory/3540-154-0x000002816C1B0000-0x000002816C2F0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3540-155-0x000002816C1B0000-0x000002816C2F0000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3540-157-0x0000000000450000-0x00000000006E2000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/3540-158-0x000002816A760000-0x000002816AA04000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/4032-141-0x000000000451F000-0x0000000004601000-memory.dmp

        Filesize

        904KB

        Download

      • memory/4032-136-0x0000000000000000-mapping.dmp

        Download

      • memory/4032-144-0x0000000000400000-0x00000000028BA000-memory.dmp

        Filesize

        36.7MB

        Download

      • memory/4032-143-0x0000000004610000-0x0000000004735000-memory.dmp

        Filesize

        1.1MB

        Download