Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64
arch:x86
image:win10v2004-20220812-en
locale:en-us
os:windows10-2004-x64
system
-
submitted
18/12/2022, 07:46
Static task
static1
Behavioral task
behavioral1
Sample
14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
Resource
win10v2004-20220812-en
General
-
Target
14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
-
Size
215KB
-
MD5
14fc3f7aa86e6a1d3aa9f495f655bd3c
-
SHA1
e2b3671d1ea075869364feae1bb25211d1b67eb3
-
SHA256
3fda0717577158ee8900f86e513ed75353c6318a406ac58c5d65b7879416c51c
-
SHA512
dd774eebdfc759e5b7f724641dab1239abb810a905713c848921dc79a487389d0debcedf9427023abf3bc1882426216200ef0e13d38c2c820e4a8111193e233d
-
SSDEEP
3072:aT/HcX0LGlZwRNcycMvIdu++dbKgcVW3ni9D8/g3xodZWGhG/G3ERWR3Le:S/HC0LGlVvMAdu1FJni9Ag3CBGuU0V6
Malware Config
Extracted
danabot
23.236.181.126:443
123.253.35.251:443
66.85.173.3:443
-
embedded_hash
B3EDAC43C91B09AD307C06053739571B
-
type
loader
Signatures
-
Detects Smokeloader packer 1 IoCs
resource | yara_rule
behavioral2/memory/1152-133-0x00000000001F0000-0x00000000001F9000-memory.dmp | family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid | Process
5048 | 65AF.exe
-
Loads dropped DLL 1 IoCs
pid | Process
2068 | rundll32.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{15190547-C82C-4C57-A8D9-29F193681A82}.catalogItem | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09C66F6A-B48D-45F4-902E-BAFBBBB1022E}.catalogItem | svchost.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2764 | 5048 | WerFault.exe | 81
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1152 | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
1152 | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
3004 | Process not Found (this row is repeated for all remaining IoCs of the 64 listed)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3004 | Process not Found
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1152 | 14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 3004 | Process not Found
Token: SeCreatePagefilePrivilege | 3004 | Process not Found
Token: SeShutdownPrivilege | 3004 | Process not Found
Token: SeCreatePagefilePrivilege | 3004 | Process not Found
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
3004 | Process not Found
3004 | Process not Found
3004 | Process not Found
-
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
3004 | Process not Found
3004 | Process not Found
3004 | Process not Found
-
Suspicious use of WriteProcessMemory 6 IoCs
description | pid | Process | procid_target
PID 3004 wrote to memory of 5048 | 3004 | Process not Found | 81
PID 3004 wrote to memory of 5048 | 3004 | Process not Found | 81
PID 3004 wrote to memory of 5048 | 3004 | Process not Found | 81
PID 5048 wrote to memory of 2068 | 5048 | 65AF.exe | 84
PID 5048 wrote to memory of 2068 | 5048 | 65AF.exe | 84
PID 5048 wrote to memory of 2068 | 5048 | 65AF.exe | 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe
"C:\Users\Admin\AppData\Local\Temp\14fc3f7aa86e6a1d3aa9f495f655bd3c.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1152
-
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:736
-
C:\Users\Admin\AppData\Local\Temp\65AF.exe
C:\Users\Admin\AppData\Local\Temp\65AF.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048
    C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
    - Loads dropped DLL
    PID:2068
    -
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 488
    - Program crash
    PID:2764
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5048 -ip 5048
PID:3112
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.4MB
MD5
0bb2b15ca73128dbc816ea4ed583119c
SHA1
17d05964d9208ca1a27fd007ad5f41752cfa893e
SHA256
295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8
SHA512
d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375
-
Filesize
2.4MB
MD5
6b18b5240982a579febbbc5388999861
SHA1
8d979e0591c95932c6d637723d8135756b545028
SHA256
d06be158ad31304b89a410ccb075eac7f2eb3877e96ffc9d5965ad8f251d7405
SHA512
08f069a3f4b4b077e42234d70c5ee5134b8dacb5fb47e8f3d0d7607fde2eade51a2e71c0e4cd8c281cae31d6f88fe872063e004abd62d756e77a112ceefd11b7