Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2022, 22:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    288KB

  • MD5

    832d206dead5aa4cdf20e6efd3048c25

  • SHA1

    a0d17fd5b88be42edccaace0fb641a092afdb067

  • SHA256

    0c0423483302f7f135d822e1262b6a187c735e65fb2372b7d49cd4d8f5b6356b

  • SHA512

    af618c979c410b92e409a575bf82c1675a1be07649298e7ce5c0fcc02f90d82f838b96b4660d26bccc4e4d52c328178f2f0b779e956b5efc3d53b022ce326470

  • SSDEEP

    3072:HYdKY9HuLTC1eqoRfALE4FVwSZEiJNLQnyPT+8U9SkEqwi:LqOLoeqqV4FVw/++nyPS8UIkEq

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2180
  • C:\Users\Admin\AppData\Roaming\cwtjrai
    C:\Users\Admin\AppData\Roaming\cwtjrai
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Roaming\cwtjrai
      C:\Users\Admin\AppData\Roaming\cwtjrai
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3708

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\cwtjrai
    Filesize

    288KB

    MD5

    832d206dead5aa4cdf20e6efd3048c25

    SHA1

    a0d17fd5b88be42edccaace0fb641a092afdb067

    SHA256

    0c0423483302f7f135d822e1262b6a187c735e65fb2372b7d49cd4d8f5b6356b

    SHA512

    af618c979c410b92e409a575bf82c1675a1be07649298e7ce5c0fcc02f90d82f838b96b4660d26bccc4e4d52c328178f2f0b779e956b5efc3d53b022ce326470

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cwtjrai
    Filesize

    288KB

    MD5

    832d206dead5aa4cdf20e6efd3048c25

    SHA1

    a0d17fd5b88be42edccaace0fb641a092afdb067

    SHA256

    0c0423483302f7f135d822e1262b6a187c735e65fb2372b7d49cd4d8f5b6356b

    SHA512

    af618c979c410b92e409a575bf82c1675a1be07649298e7ce5c0fcc02f90d82f838b96b4660d26bccc4e4d52c328178f2f0b779e956b5efc3d53b022ce326470

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cwtjrai
    Filesize

    288KB

    MD5

    832d206dead5aa4cdf20e6efd3048c25

    SHA1

    a0d17fd5b88be42edccaace0fb641a092afdb067

    SHA256

    0c0423483302f7f135d822e1262b6a187c735e65fb2372b7d49cd4d8f5b6356b

    SHA512

    af618c979c410b92e409a575bf82c1675a1be07649298e7ce5c0fcc02f90d82f838b96b4660d26bccc4e4d52c328178f2f0b779e956b5efc3d53b022ce326470

    Download Submit

  • memory/2180-133-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2180-136-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2180-137-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2764-173-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-186-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-140-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-141-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-142-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-143-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-144-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-145-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-146-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-147-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-176-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-149-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-150-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-151-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-152-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-153-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-154-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-155-0x00000000029B0000-0x00000000029C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-156-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-157-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-158-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-159-0x00000000029D0000-0x00000000029E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-160-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-161-0x00000000008C0000-0x00000000008D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-213-0x0000000002400000-0x0000000002410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-212-0x0000000002400000-0x0000000002410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-211-0x0000000002400000-0x0000000002410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-210-0x00000000023E0000-0x00000000023F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-209-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-208-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-170-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-171-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-172-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-138-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-177-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-175-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-148-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-139-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-174-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-179-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-180-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-181-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-182-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-183-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-184-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-185-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-178-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-187-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-188-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-189-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-190-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-191-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-192-0x00000000029F0000-0x0000000002A00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-193-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-194-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-195-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-196-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-197-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-198-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-199-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-200-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-201-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-202-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-203-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-204-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-205-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-206-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2764-207-0x00000000029A0000-0x00000000029B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3708-169-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3708-168-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4604-135-0x00000000006C0000-0x00000000006C9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4604-134-0x0000000000789000-0x000000000079A000-memory.dmp

    Filesize

    68KB

    Download

  • memory/5036-167-0x00000000005A9000-0x00000000005B9000-memory.dmp

    Filesize

    64KB

    Download