Analysis
- max time kernel: 151s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/12/2022, 07:00
- Static task: static1
- Behavioral task: behavioral1
- Sample: 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
- Resource: win10v2004-20221111-en
General
- Target: 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
- Size: 214KB
- MD5: 94ce7e3bc61e8f5825b3416dccd1c481
- SHA1: 699b3330bbcdb08df4e5ee3c4e2343b33bb957bd
- SHA256: 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa
- SHA512: 1caf1d8d4ebdf2caafa092484d03653823c85e394531cea2e00937f5b38c75fe17b1ba86d810bdc6f95f0e5b0d8f6b21afdad260f278331e211095262649f8e9
- SSDEEP: 6144:Lf25OL4bdsVV2jEjxrxwRGgg3CwVpU0VB:Lf2AUxsVVQEjxfvSwVqO
Malware Config
Extracted
- danabot
  - 23.236.181.126:443
  - 123.253.35.251:443
  - 66.85.173.3:443
- embedded_hash: 4ADF6A47A6AB8941179837BA4515263C
- type: loader
Signatures
- Detects Smokeloader packer (1 IoC)
  resource | yara_rule
  behavioral1/memory/4272-133-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  pid  | Process
  1888 | CF5B.exe
- Loads dropped DLL (2 IoCs)
  pid  | Process
  2576 | rundll32.exe
  2576 | rundll32.exe
- Program crash (1 IoC)
  pid  | pid_target | Process      | procid_target
  2808 | 1888       | WerFault.exe | 86
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description    | ioc                                              | Process
  Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
  Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  4272 | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
  4272 | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
  700  | Process not Found (the remaining 62 entries are all this identical row)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  700 | Process not Found
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | Process
  4272 | 451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                      | pid | Process
  Token: SeShutdownPrivilege       | 700 | Process not Found
  Token: SeCreatePagefilePrivilege | 700 | Process not Found
  Token: SeShutdownPrivilege       | 700 | Process not Found
  Token: SeCreatePagefilePrivilege | 700 | Process not Found
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process           | procid_target
  PID 700 wrote to memory of 1888  | 700  | Process not Found | 86
  PID 700 wrote to memory of 1888  | 700  | Process not Found | 86
  PID 700 wrote to memory of 1888  | 700  | Process not Found | 86
  PID 1888 wrote to memory of 2576 | 1888 | CF5B.exe          | 87
  PID 1888 wrote to memory of 2576 | 1888 | CF5B.exe          | 87
  PID 1888 wrote to memory of 2576 | 1888 | CF5B.exe          | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe (PID 4272)
  Command line: "C:\Users\Admin\AppData\Local\Temp\451ec0852088a55084102632e636204feef0989fabe57dc0cb602c4173dc48fa.exe"
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\CF5B.exe (PID 1888)
  Command line: C:\Users\Admin\AppData\Local\Temp\CF5B.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2576, child of 1888)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    Signatures: Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe (PID 2808, child of 1888)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 480
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 4296)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1888 -ip 1888
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.4MB (this entry is listed twice in the report)
  MD5: 0bb2b15ca73128dbc816ea4ed583119c
  SHA1: 17d05964d9208ca1a27fd007ad5f41752cfa893e
  SHA256: 295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
  SHA512: d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375
- Filesize: 2.4MB (this entry is listed three times in the report)
  MD5: a58965db22a6b00bcd5998af54046f92
  SHA1: bb20027de42d2b276c424ae2f71367308a55329a
  SHA256: aaef910054a9aaefab4edd0444f3aabc35db94e5e4881261573ac77aa153c665
  SHA512: 10632e8611f0250cda85518e7dfe93537f3d034201af7e9a9e246c78c558883cafc7d3792a99a5c6559030ff8a5b69df36ac44d67579494fa4d9906c1988d7a1