Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    186KB

  • MD5

    a1459c570face3f3eae78496ac288a06

  • SHA1

    6169a9da842c46f53423d1ffc5fed891824664e7

  • SHA256

    c0b3e8361edf417d689ce08ed889646d0d396bcaa8a52feb1e5dbb6fd39c7432

  • SHA512

    295df76711999f63d652745af7f21b68d534fe2b90aa1d25cfa38755f2d86d982d7d4486615f4baaa030c8d6fa2df05a4e547a6df7059b7cf4dfb510203c0b3e

  • SSDEEP

    3072:3BIElgxVBhL8JafGW8wD52poHtv8YxhOAYi0cF73VTBCBkZ:aEyDLgafG/nwkDLFcZ5A2

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5104
  • C:\Users\Admin\AppData\Local\Temp\87BE.exe
    C:\Users\Admin\AppData\Local\Temp\87BE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3696
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14205
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 528
      2⤵
      • Program crash
      PID:1780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3696 -ip 3696
    1⤵
      PID:4324
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3252

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\87BE.exe
        Filesize

        1.0MB

        MD5

        113c46ff43811083942746787c74670e

        SHA1

        4ccf9e38b219780b732f829a67bf4737a58a80bf

        SHA256

        8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13

        SHA512

        d9cca0c584c19a0ef8f247a865f8bb9ccb0d92f577ca32597c21fd15c884d14fc8d9c81fc0f0ad43f182a48b72912ef4d04e9c633eb9d3cbf84bb8e36d885488

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\87BE.exe
        Filesize

        1.0MB

        MD5

        113c46ff43811083942746787c74670e

        SHA1

        4ccf9e38b219780b732f829a67bf4737a58a80bf

        SHA256

        8bffaa7522696c6760727929ec1c15b5aa346333f2c38833d23fbd5ed5765f13

        SHA512

        d9cca0c584c19a0ef8f247a865f8bb9ccb0d92f577ca32597c21fd15c884d14fc8d9c81fc0f0ad43f182a48b72912ef4d04e9c633eb9d3cbf84bb8e36d885488

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
        Filesize

        774KB

        MD5

        d5e88f35e214f2dff51a7d494316bac2

        SHA1

        6306dfa71c4e32dede210631cf90732693c0afcf

        SHA256

        f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

        SHA512

        ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp
        Filesize

        774KB

        MD5

        d5e88f35e214f2dff51a7d494316bac2

        SHA1

        6306dfa71c4e32dede210631cf90732693c0afcf

        SHA256

        f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4

        SHA512

        ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d

        Download Submit

      • memory/900-153-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-147-0x0000000005380000-0x0000000005EE1000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/900-160-0x0000000005380000-0x0000000005EE1000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/900-157-0x0000000004A59000-0x0000000004A5B000-memory.dmp

        Filesize

        8KB

        Download

      • memory/900-152-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-151-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-142-0x0000000000000000-mapping.dmp

        Download

      • memory/900-150-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-149-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-148-0x00000000049E0000-0x0000000004B20000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/900-146-0x0000000005380000-0x0000000005EE1000-memory.dmp

        Filesize

        11.4MB

        Download

      • memory/2124-155-0x000002BF19820000-0x000002BF19960000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2124-154-0x00007FF7DD6E6890-mapping.dmp

        Download

      • memory/2124-159-0x000002BF17F60000-0x000002BF18204000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2124-158-0x0000000000B00000-0x0000000000D92000-memory.dmp

        Filesize

        2.6MB

        Download

      • memory/2124-156-0x000002BF19820000-0x000002BF19960000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3696-141-0x0000000000400000-0x00000000028BA000-memory.dmp

        Filesize

        36.7MB

        Download

      • memory/3696-140-0x0000000004790000-0x00000000048B5000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3696-136-0x0000000000000000-mapping.dmp

        Download

      • memory/3696-145-0x0000000000400000-0x00000000028BA000-memory.dmp

        Filesize

        36.7MB

        Download

      • memory/3696-139-0x00000000046A4000-0x0000000004786000-memory.dmp

        Filesize

        904KB

        Download

      • memory/5104-132-0x00000000009CD000-0x00000000009DD000-memory.dmp

        Filesize

        64KB

        Download

      • memory/5104-134-0x0000000000400000-0x000000000064C000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/5104-133-0x00000000007D0000-0x00000000007D9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/5104-135-0x0000000000400000-0x000000000064C000-memory.dmp

        Filesize

        2.3MB

        Download