Overview

overview

10

Static

static

e11796b9d6...8f.exe

windows7-x64

10

e11796b9d6...8f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    179s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2022 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e11796b9d679364967df2aaf6f7f96b71e6c6f8090bcc2d4086cfce5f8e70b8f.exe

  • Size

    341KB

  • MD5

    fd3b279868c450ea0d9c7f7663e12693

  • SHA1

    426819cca39893b91b6f4a04ad476b41a88c358b

  • SHA256

    e11796b9d679364967df2aaf6f7f96b71e6c6f8090bcc2d4086cfce5f8e70b8f

  • SHA512

    0572fe9b55578b5b90ace39f0b7483249b3f3195ff10ac305314f9ec1c443206ee8eb248adcf01cacc4990c09ebbdd08c2dfe2e87f78315013e829da9949ab1a

  • SSDEEP

    6144:541i1y0FtEj0euJ0/+ymlgltoCDEAG1PF:541i11cA5J02yWgltJG

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e11796b9d679364967df2aaf6f7f96b71e6c6f8090bcc2d4086cfce5f8e70b8f.exe
    "C:\Users\Admin\AppData\Local\Temp\e11796b9d679364967df2aaf6f7f96b71e6c6f8090bcc2d4086cfce5f8e70b8f.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4180
  • C:\Users\Admin\AppData\Local\Temp\F5E4.exe
    C:\Users\Admin\AppData\Local\Temp\F5E4.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2740
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp",Qiysidaatietut
      2⤵
      • Loads dropped DLL
      PID:5036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 556
      2⤵
      • Program crash
      PID:4848
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2740 -ip 2740
    1⤵
      PID:4276

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
      Filesize

      768KB

      MD5

      96655ec3277ef2e9ea4b5723f60f5b04

      SHA1

      b29e9005cedc5e0d63981e59b05a12f006bd8640

      SHA256

      36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

      SHA512

      cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Eshwsfeuryqqffi.tmp
      Filesize

      768KB

      MD5

      96655ec3277ef2e9ea4b5723f60f5b04

      SHA1

      b29e9005cedc5e0d63981e59b05a12f006bd8640

      SHA256

      36cb491e91dc40d4a24f25944c5dca41195e1e7eb9788028f72e38b08789616d

      SHA512

      cb151e071426cba0ec433b4ff8b173a9e07fc922e2b9d9d9359bcd5367a79e5bb996e8afbbfe4dd11bde1a33724b7f70479ac248762f5c9d17f3e0d7d67c151c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\F5E4.exe
      Filesize

      1.1MB

      MD5

      c9d86b8af2b6aa83f5ab8698b4dac416

      SHA1

      c0f65732321e8512b4b7096ba827a2920106968e

      SHA256

      209623f82b569fb476fdef4b1b84b253fd7b224ec5161867e134783a1ae30740

      SHA512

      eeca416617d692d788fba0042a1bc1477a5783d88f6621f159a49644ac718faac7392845c226ad43aed2310c73445bcd7765874579d3d17acdaa36bfdc0a9a15

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\F5E4.exe
      Filesize

      1.1MB

      MD5

      c9d86b8af2b6aa83f5ab8698b4dac416

      SHA1

      c0f65732321e8512b4b7096ba827a2920106968e

      SHA256

      209623f82b569fb476fdef4b1b84b253fd7b224ec5161867e134783a1ae30740

      SHA512

      eeca416617d692d788fba0042a1bc1477a5783d88f6621f159a49644ac718faac7392845c226ad43aed2310c73445bcd7765874579d3d17acdaa36bfdc0a9a15

      Download Submit
    • memory/2740-136-0x0000000000000000-mapping.dmp
      Download
    • memory/2740-142-0x0000000002261000-0x0000000002340000-memory.dmp
      Filesize

      892KB

      Download
    • memory/2740-143-0x0000000002350000-0x0000000002470000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2740-144-0x0000000000400000-0x0000000000531000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4180-135-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/4180-132-0x0000000000507000-0x000000000051C000-memory.dmp
      Filesize

      84KB

      Download
    • memory/4180-134-0x0000000000400000-0x000000000045A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/4180-133-0x0000000000030000-0x0000000000039000-memory.dmp
      Filesize

      36KB

      Download
    • memory/5036-139-0x0000000000000000-mapping.dmp
      Download