Analysis

max time kernel: 150s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2022, 06:43

Static task: static1
Behavioral task: behavioral1
Sample: 78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
Resource: win10v2004-20220812-en
General

Target: 78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
Size: 214KB
MD5: 5f2d9bcc83051a8a551a1f354f9f84db
SHA1: 567e472cb11cd62a7484759c2b3903b084e4bf3e
SHA256: 78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f
SHA512: c0327279c2c250ab4aa5d481cce6642d7bd2fd15f411180b0e3b9cf0577d9748be74670b4d1f52f1639bebda846f082d6125f0f90de1224b05e36609e7ab256c
SSDEEP: 3072:qxSTeBRWL2InV3dlZwRSizQHel6jGsh4dvig8/g3xoxU9Qaa6G3ERWR3LV:MSTgWL2InV3dlMzqc6g3Cx3BU0VB
Malware Config

Extracted
danabot
  23.236.181.126:443
  123.253.35.251:443
  66.85.173.3:443
embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82
type: loader
Signatures

Detects Smokeloader packer 1 IoCs
  resource                                                                      yara_rule
  behavioral1/memory/4588-133-0x00000000001F0000-0x00000000001F9000-memory.dmp  family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
  pid   Process
  1688  F292.exe

Loads dropped DLL 2 IoCs
  pid   Process
  1468  rundll32.exe
  1468  rundll32.exe

Program crash 1 IoCs
  pid   pid_target  Process       procid_target
  3888  1688        WerFault.exe  81

Checks SCSI registry key(s) 3 TTPs 3 IoCs
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
  pid   Process
  4588  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
  4588  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
  3060  Process not Found  (this row appears 62 times in the report)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid   Process
  3060  Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
  pid   Process
  4588  78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs
  description                       pid   Process
  Token: SeShutdownPrivilege        3060  Process not Found
  Token: SeCreatePagefilePrivilege  3060  Process not Found
  Token: SeShutdownPrivilege        3060  Process not Found
  Token: SeCreatePagefilePrivilege  3060  Process not Found

Suspicious use of WriteProcessMemory 6 IoCs
  description                       pid   Process            procid_target
  PID 3060 wrote to memory of 1688  3060  Process not Found  81
  PID 3060 wrote to memory of 1688  3060  Process not Found  81
  PID 3060 wrote to memory of 1688  3060  Process not Found  81
  PID 1688 wrote to memory of 1468  1688  F292.exe           85
  PID 1688 wrote to memory of 1468  1688  F292.exe           85
  PID 1688 wrote to memory of 1468  1688  F292.exe           85
Processes

C:\Users\Admin\AppData\Local\Temp\78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\78c509fbc08e1077925902692728b8c71b64776778638665f80d315185a3602f.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 4588

C:\Users\Admin\AppData\Local\Temp\F292.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F292.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1688

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
      - Loads dropped DLL
      PID: 1468

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 668
      - Program crash
      PID: 3888

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1688 -ip 1688
  PID: 4720
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2.4MB
MD5: 0bb2b15ca73128dbc816ea4ed583119c
SHA1: 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256: 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512: d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

Filesize: 2.4MB
MD5: 0bb2b15ca73128dbc816ea4ed583119c
SHA1: 17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256: 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512: d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

Filesize: 2.4MB
MD5: 1492330ecf5af9627d18a85158c01423
SHA1: b502fab471e0fb5c48af5c33a4d2181dd3c8b3c0
SHA256: 2b0e7bc57953080835d67271f6ebe7173026b36723a4353dc903fba745bcb1d4
SHA512: c1cf2be39462d009eb78440bc64773d2266719c45c51d1d7833de7d4eea1595c27794e23b1ba25870b0aff62d7fd894d8e7ca2c713126e02f1f95baabc02f8dc

Filesize: 2.4MB
MD5: 1492330ecf5af9627d18a85158c01423
SHA1: b502fab471e0fb5c48af5c33a4d2181dd3c8b3c0
SHA256: 2b0e7bc57953080835d67271f6ebe7173026b36723a4353dc903fba745bcb1d4
SHA512: c1cf2be39462d009eb78440bc64773d2266719c45c51d1d7833de7d4eea1595c27794e23b1ba25870b0aff62d7fd894d8e7ca2c713126e02f1f95baabc02f8dc

Filesize: 2.4MB
MD5: 1492330ecf5af9627d18a85158c01423
SHA1: b502fab471e0fb5c48af5c33a4d2181dd3c8b3c0
SHA256: 2b0e7bc57953080835d67271f6ebe7173026b36723a4353dc903fba745bcb1d4
SHA512: c1cf2be39462d009eb78440bc64773d2266719c45c51d1d7833de7d4eea1595c27794e23b1ba25870b0aff62d7fd894d8e7ca2c713126e02f1f95baabc02f8dc