Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/12/2022, 14:18 UTC

General

  • Target

    a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe

  • Size

    30KB

  • MD5

    e7c7dd1609c0ae7d9948db9f5cecb2ab

  • SHA1

    f7d951dee4dd309a299f583afbab259d11221a28

  • SHA256

    a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8

  • SHA512

    5aa6b52c049ddb96b491e8f9c1657bf992df0cfc7075859e4d91eda3e027d64265ca753b96737717546d7b65c41c4f6a1f9938faa8b0372cf8ec7725e60ce2fd

  • SSDEEP

    768:S172poBiLfK2Ss/2q2P66B9QeytQZAERS:O2mBibK4/2PB9Qr2S

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe
    "C:\Users\Admin\AppData\Local\Temp\a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5108
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:4292
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:740
    • C:\Users\Admin\AppData\Roaming\ejwcset
      C:\Users\Admin\AppData\Roaming\ejwcset
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2464

    Network

    • flag-unknown
      DNS
      furubujjul.net
      Remote address:
      8.8.8.8:53
      Request
      furubujjul.net
      IN A
      Response
      furubujjul.net
      IN A
      91.195.240.101
    • flag-unknown
      POST
      http://furubujjul.net/
      Remote address:
      91.195.240.101:80
      Request
      POST / HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://pdcoodjott.net/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 219
      Host: furubujjul.net
      Response
      HTTP/1.1 403 Forbidden
      date: Tue, 20 Dec 2022 14:18:44 GMT
      content-type: text/html
      content-length: 150
      vary: Accept-Encoding
      server: NginX
    • flag-unknown
      DNS
      starvestitibo.org
      explorer.exe
      Remote address:
      8.8.8.8:53
      Request
      starvestitibo.org
      IN A
      Response
      starvestitibo.org
      IN A
      193.106.191.15
    • flag-unknown
      POST
      http://starvestitibo.org/
      Remote address:
      193.106.191.15:80
      Request
      POST / HTTP/1.1
      Connection: Keep-Alive
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://xdcrv.com/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 132
      Host: starvestitibo.org
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 20 Dec 2022 14:18:44 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • flag-unknown
      POST
      http://starvestitibo.org/
      explorer.exe
      Remote address:
      193.106.191.15:80
      Request
      POST / HTTP/1.1
      Cache-Control: no-cache
      Connection: Keep-Alive
      Pragma: no-cache
      Content-Type: application/x-www-form-urlencoded
      Accept: */*
      Referer: http://starvestitibo.org/
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
      Content-Length: 533
      Host: starvestitibo.org
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Tue, 20 Dec 2022 14:18:47 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: keep-alive
    • 93.184.220.29:80
      322 B
      7
    • 91.195.240.101:80
      http://furubujjul.net/
      http
      804 B
      545 B
      7
      6

      HTTP Request

      POST http://furubujjul.net/

      HTTP Response

      403
    • 193.106.191.15:80
      http://starvestitibo.org/
      http
      4.9kB
      256.7kB
      99
      189

      HTTP Request

      POST http://starvestitibo.org/

      HTTP Response

      404
    • 193.106.191.15:80
      http://starvestitibo.org/
      http
      explorer.exe
      1.1kB
      681 B
      5
      4

      HTTP Request

      POST http://starvestitibo.org/

      HTTP Response

      404
    • 20.42.65.84:443
      322 B
      7
    • 8.253.208.113:80
      322 B
      7
    • 8.253.208.113:80
      322 B
      7
    • 104.80.225.205:443
      322 B
      7
    • 52.109.77.1:443
      322 B
      7
    • 8.8.8.8:53
      furubujjul.net
      dns
      60 B
      76 B
      1
      1

      DNS Request

      furubujjul.net

      DNS Response

      91.195.240.101

    • 8.8.8.8:53
      starvestitibo.org
      dns
      explorer.exe
      63 B
      79 B
      1
      1

      DNS Request

      starvestitibo.org

      DNS Response

      193.106.191.15

    MITRE ATT&CK Enterprise v6

    Downloads

    • C:\Users\Admin\AppData\Roaming\ejwcset

      Filesize

      30KB

      MD5

      e7c7dd1609c0ae7d9948db9f5cecb2ab

      SHA1

      f7d951dee4dd309a299f583afbab259d11221a28

      SHA256

      a28ede8afeb2ac43b84985c279c94c25d001d00a035b82eb2ab1a019c5a6faa8

      SHA512

      5aa6b52c049ddb96b491e8f9c1657bf992df0cfc7075859e4d91eda3e027d64265ca753b96737717546d7b65c41c4f6a1f9938faa8b0372cf8ec7725e60ce2fd

    • memory/740-136-0x00000000008E0000-0x00000000008EC000-memory.dmp

      Filesize

      48KB

    • memory/2464-142-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/2464-143-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/4292-137-0x0000000001200000-0x0000000001275000-memory.dmp

      Filesize

      468KB

    • memory/4292-138-0x0000000000F80000-0x0000000000FEB000-memory.dmp

      Filesize

      428KB

    • memory/4292-139-0x0000000000F80000-0x0000000000FEB000-memory.dmp

      Filesize

      428KB

    • memory/5108-132-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB

    • memory/5108-133-0x0000000000400000-0x0000000000409000-memory.dmp

      Filesize

      36KB
