Overview

overview

10

Static

static

048005548f...f2.exe

windows7-x64

10

048005548f...f2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2022, 17:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    048005548f4ff156c8a9cee922435c214e24b7a772106c8e840e36edf7776bf2.exe

  • Size

    230KB

  • MD5

    86a1badfd643c574eb49a7e16e541292

  • SHA1

    d28c39dde6d6b4ce9bfc4c7f505bc8d02b781852

  • SHA256

    048005548f4ff156c8a9cee922435c214e24b7a772106c8e840e36edf7776bf2

  • SHA512

    b317a066342c9aaac02f26848ccc2812248491e7ce2ab3fdfc87e3be547ca2eb33f884f63960f10fd4f4780b52cc17766323784203210c30a0872a71cf00cff5

  • SSDEEP

    3072:Uh0RMLL2p5PxGbqqwBuYAwVZPYsecXjLptl1A+V+Y700:uLKd57B7LRtTH4+Vl7l

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 19 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\048005548f4ff156c8a9cee922435c214e24b7a772106c8e840e36edf7776bf2.exe
    "C:\Users\Admin\AppData\Local\Temp\048005548f4ff156c8a9cee922435c214e24b7a772106c8e840e36edf7776bf2.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4928
  • C:\Users\Admin\AppData\Local\Temp\ED04.exe
    C:\Users\Admin\AppData\Local\Temp\ED04.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:1516
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:3780
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:2172
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:4656
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:1468
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:3520
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:3756
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:1172
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:792
                    • C:\Windows\SysWOW64\explorer.exe
                      C:\Windows\SysWOW64\explorer.exe
                      1⤵
                        PID:4296
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:4256
                        • C:\Windows\explorer.exe
                          C:\Windows\explorer.exe
                          1⤵
                            PID:1564
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                              PID:2012

                            Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\ED04.exe
                                    Filesize

                                    67KB

                                    MD5

                                    666d8f33d37064fd5d14e2166c9bfa69

                                    SHA1

                                    3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

                                    SHA256

                                    7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

                                    SHA512

                                    ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\ED04.exe
                                    Filesize

                                    67KB

                                    MD5

                                    666d8f33d37064fd5d14e2166c9bfa69

                                    SHA1

                                    3b27df9335a9b2efe9da1057e9f8312a72d1ca9d

                                    SHA256

                                    7fddf1b75f50d43214867f367223f2d241d62ae63deea334d051c0ee19d18157

                                    SHA512

                                    ac3c993f019bb402db474fda65d587ae7717725eea9b3a869acd3530543b7b94d354f19474f6b1c7fc760b5b22622328def2bef26e3900c186b16e8a3d3b90df

                                    Download Submit

                                  • memory/792-176-0x00000000004B0000-0x00000000004D2000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/792-159-0x0000000000480000-0x00000000004A7000-memory.dmp

                                    Filesize

                                    156KB

                                    Download

                                  • memory/792-158-0x00000000004B0000-0x00000000004D2000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/1172-175-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/1172-156-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/1172-155-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/1468-144-0x0000000000FD0000-0x0000000000FDB000-memory.dmp

                                    Filesize

                                    44KB

                                    Download

                                  • memory/1468-172-0x0000000000FE0000-0x0000000000FE7000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/1468-143-0x0000000000FE0000-0x0000000000FE7000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/1564-167-0x0000000000490000-0x0000000000497000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/1564-168-0x0000000000480000-0x000000000048D000-memory.dmp

                                    Filesize

                                    52KB

                                    Download

                                  • memory/1564-179-0x0000000000490000-0x0000000000497000-memory.dmp

                                    Filesize

                                    28KB

                                    Download

                                  • memory/2012-171-0x0000000000FD0000-0x0000000000FDB000-memory.dmp

                                    Filesize

                                    44KB

                                    Download

                                  • memory/2012-170-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/2012-180-0x0000000000FE0000-0x0000000000FE8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/3380-141-0x0000000005240000-0x00000000052A6000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/3380-139-0x00000000008F0000-0x0000000000906000-memory.dmp

                                    Filesize

                                    88KB

                                    Download

                                  • memory/3520-173-0x0000000000560000-0x0000000000569000-memory.dmp

                                    Filesize

                                    36KB

                                    Download

                                  • memory/3520-146-0x0000000000550000-0x000000000055F000-memory.dmp

                                    Filesize

                                    60KB

                                    Download

                                  • memory/3520-145-0x0000000000560000-0x0000000000569000-memory.dmp

                                    Filesize

                                    36KB

                                    Download

                                  • memory/3756-152-0x0000000000170000-0x0000000000175000-memory.dmp

                                    Filesize

                                    20KB

                                    Download

                                  • memory/3756-174-0x0000000000170000-0x0000000000175000-memory.dmp

                                    Filesize

                                    20KB

                                    Download

                                  • memory/3756-153-0x0000000000160000-0x0000000000169000-memory.dmp

                                    Filesize

                                    36KB

                                    Download

                                  • memory/4256-165-0x0000000000160000-0x000000000016B000-memory.dmp

                                    Filesize

                                    44KB

                                    Download

                                  • memory/4256-164-0x0000000000170000-0x0000000000176000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/4256-178-0x0000000000170000-0x0000000000176000-memory.dmp

                                    Filesize

                                    24KB

                                    Download

                                  • memory/4296-161-0x00000000008F0000-0x00000000008F5000-memory.dmp

                                    Filesize

                                    20KB

                                    Download

                                  • memory/4296-177-0x00000000008F0000-0x00000000008F5000-memory.dmp

                                    Filesize

                                    20KB

                                    Download

                                  • memory/4296-162-0x00000000008E0000-0x00000000008E9000-memory.dmp

                                    Filesize

                                    36KB

                                    Download

                                  • memory/4928-135-0x0000000000400000-0x000000000045E000-memory.dmp

                                    Filesize

                                    376KB

                                    Download

                                  • memory/4928-134-0x0000000000400000-0x000000000045E000-memory.dmp

                                    Filesize

                                    376KB

                                    Download

                                  • memory/4928-133-0x00000000004E0000-0x00000000004E9000-memory.dmp

                                    Filesize

                                    36KB

                                    Download

                                  • memory/4928-132-0x000000000059D000-0x00000000005AD000-memory.dmp

                                    Filesize

                                    64KB

                                    Download