Overview

overview

10

Static

static

dbb5a1f87b...6e.exe

windows7-x64

10

dbb5a1f87b...6e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e.exe

  • Size

    168KB

  • MD5

    21dc7d54b5ccd1be83218d572b202010

  • SHA1

    7a814c0bc1a767c18245121f6afb998da48b0b74

  • SHA256

    dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e

  • SHA512

    3a34bd23ff052fc285fc6baf81544eea74d36e0af27c85c9cc4afd05f42170cd6592786a2489406ab709a91cc654775cfcb1cb2e96cb2ee29124b5efe8b23baf

  • SSDEEP

    3072:O4V1Ra/FLNhS55tYYKnK3QY3fwM6raEAyD:RodLNItYYmpZ2y

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e.exe
    "C:\Users\Admin\AppData\Local\Temp\dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2764
  • C:\Users\Admin\AppData\Roaming\tsurhew
    C:\Users\Admin\AppData\Roaming\tsurhew
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:3568
  • C:\Users\Admin\AppData\Local\Temp\8B53.exe
    C:\Users\Admin\AppData\Local\Temp\8B53.exe
    1⤵
    • Executes dropped EXE
    PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8B53.exe
    Filesize

    3.6MB

    MD5

    ae7a6e5474e6f83bd69291c89b322171

    SHA1

    345fd599a443ac15d89df887121b602e40a375b5

    SHA256

    bb263c2c0927449caf1a7a7fcb7d9665bc876d02977d9d8fec7665009e6e63e8

    SHA512

    2154547451edd66a0b4adad43db0c909ed934ebf1ae14a667650184ae0bba55d00bb454759685b1ccc2c3fb5b04293e81c068e947c1998055b0bff720bc2c30e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8B53.exe
    Filesize

    3.6MB

    MD5

    ae7a6e5474e6f83bd69291c89b322171

    SHA1

    345fd599a443ac15d89df887121b602e40a375b5

    SHA256

    bb263c2c0927449caf1a7a7fcb7d9665bc876d02977d9d8fec7665009e6e63e8

    SHA512

    2154547451edd66a0b4adad43db0c909ed934ebf1ae14a667650184ae0bba55d00bb454759685b1ccc2c3fb5b04293e81c068e947c1998055b0bff720bc2c30e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\tsurhew
    Filesize

    168KB

    MD5

    21dc7d54b5ccd1be83218d572b202010

    SHA1

    7a814c0bc1a767c18245121f6afb998da48b0b74

    SHA256

    dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e

    SHA512

    3a34bd23ff052fc285fc6baf81544eea74d36e0af27c85c9cc4afd05f42170cd6592786a2489406ab709a91cc654775cfcb1cb2e96cb2ee29124b5efe8b23baf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\tsurhew
    Filesize

    168KB

    MD5

    21dc7d54b5ccd1be83218d572b202010

    SHA1

    7a814c0bc1a767c18245121f6afb998da48b0b74

    SHA256

    dbb5a1f87b3db55e2228f08b6d2f482db0452af05fe11d579cd4dc92c105086e

    SHA512

    3a34bd23ff052fc285fc6baf81544eea74d36e0af27c85c9cc4afd05f42170cd6592786a2489406ab709a91cc654775cfcb1cb2e96cb2ee29124b5efe8b23baf

    Download Submit
  • memory/2764-133-0x0000000002300000-0x0000000002309000-memory.dmp
    Filesize

    36KB

    Download
  • memory/2764-134-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2764-135-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2764-132-0x000000000073D000-0x000000000074E000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3568-138-0x00000000009AD000-0x00000000009BE000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3568-140-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/3568-139-0x0000000000400000-0x000000000070B000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/3916-141-0x0000000000000000-mapping.dmp
    Download
  • memory/3916-144-0x00000000025AF000-0x0000000002931000-memory.dmp
    Filesize

    3.5MB

    Download
  • memory/3916-145-0x0000000002940000-0x0000000002E22000-memory.dmp
    Filesize

    4.9MB

    Download