Analysis
Max time kernel: 150s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/12/2022, 08:17
Static task: static1
Behavioral task: behavioral1
Sample: 6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
Resource: win10v2004-20221111-en
General
Target: 6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
Size: 213KB
MD5: e56b99e9aa41ef33cabc2fed9135eda7
SHA1: bb48bbbdad29d3d15e5916913c4cbe93496aa2c8
SHA256: 6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578
SHA512: aa24a8808f156e75abf1dde8dd5f1dd009581e7b41fa06d3cd5b61f99a37f2bf2a4452143cb50a2fab0e8a6fe7220a8d766529c665a0d53dcc79d010d7e8bb9b
SSDEEP: 3072:Z6ouiPHLy7QZwRhu/s0VRYukFi1wHTC6U8/g3xoKptpZbG3ERWR3LV:EouIHLIQquhbIFiOC6Bg3CKphqU0VB
Malware Config
Extracted
Family: danabot
C2: 23.236.181.126:443
C2: 123.253.35.251:443
C2: 66.85.173.3:443
embedded_hash: 8F56CD73F6B5CD5D7B17B0BA61E70A82
type: loader
Signatures
Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/2500-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
  yara_rule: family_smokeloader
SmokeLoader
  Modular backdoor trojan in use since 2014.
Downloads MZ/PE file
Executes dropped EXE (2 IoCs)
  PID 2760  4074.exe
  PID 4228  sjrdcjb
Loads dropped DLL (1 IoC)
  PID 4540  rundll32.exe
Program crash (1 IoC)
  PID 4248  WerFault.exe  (pid_target 2760, procid_target 89)
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjrdcjb
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjrdcjb
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  sjrdcjb
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2500  6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe  (2 entries)
  PID 2480  Process not Found  (62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2480  Process not Found
Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2500  6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
  PID 4228  sjrdcjb
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token: SeShutdownPrivilege        PID 2480  Process not Found
  Token: SeCreatePagefilePrivilege  PID 2480  Process not Found
  Token: SeShutdownPrivilege        PID 2480  Process not Found
  Token: SeCreatePagefilePrivilege  PID 2480  Process not Found
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2480 wrote to memory of 2760  (Process not Found, procid_target 89)  (3 entries)
  PID 2760 wrote to memory of 4540  (4074.exe, procid_target 90)  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578.exe"
  PID: 2500
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Temp\4074.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\4074.exe
  PID: 2760
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    PID: 4540
    - Loads dropped DLL
  Child: C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 480
    PID: 4248
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2760 -ip 2760
  PID: 3460
C:\Users\Admin\AppData\Roaming\sjrdcjb
  Command line: C:\Users\Admin\AppData\Roaming\sjrdcjb
  PID: 4228
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 2.4MB  (listed twice in the report)
MD5: 6e10b6107066da8b83187a14c8b68b23
SHA1: bfe5bb0d1fbd503226abf58fbd88e91e8f17ba05
SHA256: 804a0999f1e0c5a8e083f0a36ccfe7ad8a6ab94a0c77d6ab74175540c990f95e
SHA512: 6f4715008d918f0a940bae3970e072c39b16a6c8fb66f10bc32c4b611c93a437b3475646d0fafa3e814af6d5013a518ba5893c2c984b558f66733b4d03f83461

Filesize: 2.4MB  (listed twice in the report)
MD5: c144e146ff6b53a979bb0a7733301249
SHA1: 6b648baf0069d293dcff7b71e59695dc1356e905
SHA256: 13370ccf3099b560350a7c7a3e4fe1185984983ee72312d1eff181d9a0b27aed
SHA512: b3e35a13f2477b899961196bfd013de784edc22266598cbfe9726a343bc7998fa03c6852c5f0c5dfc35304f8eaeeb0cb11385f2e098e8179809e50335443b200

Filesize: 213KB  (listed twice in the report; same hashes as the submitted sample)
MD5: e56b99e9aa41ef33cabc2fed9135eda7
SHA1: bb48bbbdad29d3d15e5916913c4cbe93496aa2c8
SHA256: 6e94d256f51234f1bda863f499495ece3a878c0f3c47cf7c0f28023a0c76e578
SHA512: aa24a8808f156e75abf1dde8dd5f1dd009581e7b41fa06d3cd5b61f99a37f2bf2a4452143cb50a2fab0e8a6fe7220a8d766529c665a0d53dcc79d010d7e8bb9b