Analysis
-
max time kernel
156s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
23-11-2022 10:35
General
-
Target
file.exe
-
Size
186KB
-
MD5
134701afe1946ef02dd43616ea9ad100
-
SHA1
5a7dc7947a3824e81ed893ba03886d84092c5bae
-
SHA256
a0a9dc9dca037ec22207239bf99c94e577ef00fe6bfa959088377d7fc3ac4912
-
SHA512
0ffafcfd26d00823fe9d137ee812ca6fe7bce02cd7f0046dc10eecb579cc435a04896f52f34790aee0987eca9fedb51c4e24de328609485df27c6090e24cda05
-
SSDEEP
3072:MDusvefFLMLCmFW4xO5leU1ln/4oiKSIviu:Cu5L6rFvw1h/4oRSIa
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\A0EE.exeC:\Users\Admin\AppData\Local\Temp\A0EE.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uayqupoehp.tmp",Rrptfe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 4602⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1480 -ip 14801⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD501c40d63b3d1f09c8dfd5304c0c7899b
SHA11d9622ccf4c8edac550b4bcec1bd25704dd5a935
SHA2567e6c4f31583c0959a868d29819f8a321d6bd91cf156e33f0ff5f01941806731a
SHA51230e7116d8b2508ca30bd44baa12fc635125de94a3ef80bf4dfb2cc5f58975388f3e9fac22e13e6ded0ecb9e106d9fb97b2d502fc50b638590453b5985355f75c
-
Filesize
1.0MB
MD501c40d63b3d1f09c8dfd5304c0c7899b
SHA11d9622ccf4c8edac550b4bcec1bd25704dd5a935
SHA2567e6c4f31583c0959a868d29819f8a321d6bd91cf156e33f0ff5f01941806731a
SHA51230e7116d8b2508ca30bd44baa12fc635125de94a3ef80bf4dfb2cc5f58975388f3e9fac22e13e6ded0ecb9e106d9fb97b2d502fc50b638590453b5985355f75c
-
Filesize
774KB
MD5d5e88f35e214f2dff51a7d494316bac2
SHA16306dfa71c4e32dede210631cf90732693c0afcf
SHA256f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4
SHA512ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d
-
Filesize
774KB
MD5d5e88f35e214f2dff51a7d494316bac2
SHA16306dfa71c4e32dede210631cf90732693c0afcf
SHA256f1828a7b26be78bb27df25b98762eb7dd7e49ee8582d5eee42ded05b0eebc1e4
SHA512ff167f0379173f976e3f91f41f6c88e67b12dfb0386b66d19f78d3aa3f11534cf2ce1c1d753ada0133cf291adca7ad8367087b791a5c05eaf371dd877ebcce1d
-
Filesize
3.1MB
-
-
Filesize
900KB
-
Filesize
1.1MB
-
Filesize
3.1MB
-
-
Filesize
2.3MB
-
Filesize
68KB
-
Filesize
2.3MB
-
Filesize
36KB