Overview

overview

10

Static

static

9e0ec04961...42.exe

windows7-x64

10

9e0ec04961...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e0ec049617b681301bd6c970c461133e08cb0c0f4bb4be1241dc8ba6de43642.exe

  • Size

    274KB

  • MD5

    d7de0cc636944a78ef28f674e67798d3

  • SHA1

    3d167a70946f951ca0f29facca8ed3b991d4720a

  • SHA256

    9e0ec049617b681301bd6c970c461133e08cb0c0f4bb4be1241dc8ba6de43642

  • SHA512

    4b6a9fc1787ef06473a353b8abe509e8460fa38be40a45d32783ca190d428bb078d80dbb1fb84be2f706b37ae9621cc671176008a6e10d553a1caa602866e7c4

  • SSDEEP

    3072:7xXV86YGJwDUbcVFxaWR5ReccWtH37SV8EY1Xx0/iVRvJTcpSbP3YgV2qs64j:7VLwBVFxBSKh0/IDc2fVS

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e0ec049617b681301bd6c970c461133e08cb0c0f4bb4be1241dc8ba6de43642.exe
    "C:\Users\Admin\AppData\Local\Temp\9e0ec049617b681301bd6c970c461133e08cb0c0f4bb4be1241dc8ba6de43642.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3192
  • C:\Users\Admin\AppData\Local\Temp\3400.exe
    C:\Users\Admin\AppData\Local\Temp\3400.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp",Qiysidaatietut
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:4280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 556
      2⤵
      • Program crash
      PID:3732
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2184 -ip 2184
    1⤵
      PID:4332

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3400.exe
      Filesize

      1.1MB

      MD5

      2cf63f5a820ae17c9fe2e087675c3512

      SHA1

      6e94fbdc85a3e18610039f7533a8c5eace0febec

      SHA256

      2a6344b7f08a540282425a5eda9d372b2e3e3d29b2585927f5cd15165bddb942

      SHA512

      c607a835999f9b5cf010e95b131bf2729463a0e5a1d53b3fa86007ecde99ac3e403c2770056c07af25de81f4cfd75628ba042a1585620feb5feab9187c0740d8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\3400.exe
      Filesize

      1.1MB

      MD5

      2cf63f5a820ae17c9fe2e087675c3512

      SHA1

      6e94fbdc85a3e18610039f7533a8c5eace0febec

      SHA256

      2a6344b7f08a540282425a5eda9d372b2e3e3d29b2585927f5cd15165bddb942

      SHA512

      c607a835999f9b5cf010e95b131bf2729463a0e5a1d53b3fa86007ecde99ac3e403c2770056c07af25de81f4cfd75628ba042a1585620feb5feab9187c0740d8

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
      Filesize

      768KB

      MD5

      96655ec3277ef2e9ea4b5723f60f5b04

      SHA1

      b29e9005cedc5e0d63981e59b05a12f006bd8640

      SHA256

      36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

      SHA512

      cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
      Filesize

      768KB

      MD5

      96655ec3277ef2e9ea4b5723f60f5b04

      SHA1

      b29e9005cedc5e0d63981e59b05a12f006bd8640

      SHA256

      36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

      SHA512

      cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

      Download Submit
    • memory/2184-141-0x0000000000400000-0x0000000000531000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2184-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2184-139-0x00000000020C4000-0x00000000021A3000-memory.dmp
      Filesize

      892KB

      Download
    • memory/2184-140-0x00000000022B0000-0x00000000023D0000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2184-145-0x0000000000400000-0x0000000000531000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3192-135-0x0000000000400000-0x0000000000463000-memory.dmp
      Filesize

      396KB

      Download
    • memory/3192-132-0x0000000000678000-0x0000000000689000-memory.dmp
      Filesize

      68KB

      Download
    • memory/3192-134-0x0000000000400000-0x0000000000463000-memory.dmp
      Filesize

      396KB

      Download
    • memory/3192-133-0x0000000000600000-0x0000000000609000-memory.dmp
      Filesize

      36KB

      Download
    • memory/4280-142-0x0000000000000000-mapping.dmp
      Download