Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2023 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    334KB

  • MD5

    4757415db2cb6f0c2fe7deb0cc2640a7

  • SHA1

    f28b5fbc920703bafe414d4e4ce6c9e4965963d0

  • SHA256

    60fe43fe56681f11075849841523ef3ba8e20a68fb0191f8d31b0e12ac94d00f

  • SHA512

    9f98d8963bd9afd1e6d66fe3db2c7b34e329456c9e3db7785f7917a22b17fcb44f457d8ba3a1cc2eb5042c65bca4c367b9b4bd4bd113d012ad342ebcf9026a0e

  • SSDEEP

    6144:IDsLXWohp/BGIBmE8FhC1n28gqjAWTM4xVvkHb+ewx:yszWoz/BJZ8FsJ2QXTMENi+r

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2124
  • C:\Users\Admin\AppData\Local\Temp\DBFD.exe
    C:\Users\Admin\AppData\Local\Temp\DBFD.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Uwuepfhtwy.tmp",Iypewfhtshu
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22691
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 528
      2⤵
      • Program crash
      PID:2364
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1180 -ip 1180
    1⤵
      PID:1424
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3924

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\DBFD.exe
        Filesize

        1.1MB

        MD5

        4f93d31b2f55d9a2d9c4ad09b6d42147

        SHA1

        f0b6365c8212bf757ad67e7936f559d2b2df9973

        SHA256

        5fd7b36420e0042c0d9a1c11ee59ab2e443fca1bf933bbf3a663c4c76d827db0

        SHA512

        ace309ae9ee505d8769f12a71cf5260b1e3eca1d7942092d1bfca7a44f30489969021f875e3468545fb6bf3d7164cab09b4e0884898376d91bc0cc2846b63e15

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\DBFD.exe
        Filesize

        1.1MB

        MD5

        4f93d31b2f55d9a2d9c4ad09b6d42147

        SHA1

        f0b6365c8212bf757ad67e7936f559d2b2df9973

        SHA256

        5fd7b36420e0042c0d9a1c11ee59ab2e443fca1bf933bbf3a663c4c76d827db0

        SHA512

        ace309ae9ee505d8769f12a71cf5260b1e3eca1d7942092d1bfca7a44f30489969021f875e3468545fb6bf3d7164cab09b4e0884898376d91bc0cc2846b63e15

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uwuepfhtwy.tmp
        Filesize

        783KB

        MD5

        bca40b7547bf1cb7bf2d7a53d01ff6a8

        SHA1

        ea624306e9ac715746bd9710a2c803a7e8fdefaa

        SHA256

        f683b568c71a82666d0d4f99a966b4c600116cdae6167f284e3cbc19075010d8

        SHA512

        fc2d85b8df331e510305a8eb1b5f176b24d43a6df449aa90c0dd2bb6bfd37e647310a35aeb9a1ef1bcf3a6ed444d1127b7da0d47f707ba59874c7fcd00a277aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Uwuepfhtwy.tmp
        Filesize

        783KB

        MD5

        bca40b7547bf1cb7bf2d7a53d01ff6a8

        SHA1

        ea624306e9ac715746bd9710a2c803a7e8fdefaa

        SHA256

        f683b568c71a82666d0d4f99a966b4c600116cdae6167f284e3cbc19075010d8

        SHA512

        fc2d85b8df331e510305a8eb1b5f176b24d43a6df449aa90c0dd2bb6bfd37e647310a35aeb9a1ef1bcf3a6ed444d1127b7da0d47f707ba59874c7fcd00a277aa

        Download Submit

      • memory/668-139-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-145-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-141-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-142-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-143-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-144-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-161-0x00000000025A0000-0x00000000025B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-147-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-150-0x00000000025A0000-0x00000000025B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-149-0x0000000002590000-0x00000000025A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-151-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-138-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-155-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-153-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-152-0x00000000025A0000-0x00000000025B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-156-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-154-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-157-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-158-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-159-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-165-0x00000000025A0000-0x00000000025B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-148-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-140-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-137-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-160-0x00000000025A0000-0x00000000025B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/668-136-0x0000000002580000-0x0000000002590000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1180-162-0x0000000000000000-mapping.dmp

        Download

      • memory/1180-171-0x0000000000400000-0x0000000000529000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/1180-170-0x0000000002270000-0x0000000002395000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1180-169-0x0000000002188000-0x000000000226D000-memory.dmp

        Filesize

        916KB

        Download

      • memory/2124-132-0x0000000000829000-0x000000000083E000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2124-134-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

        Download

      • memory/2124-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/2124-135-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

        Download

      • memory/2700-175-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-178-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-172-0x0000000004F70000-0x0000000005ABE000-memory.dmp

        Filesize

        11.3MB

        Download

      • memory/2700-176-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-174-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-166-0x0000000000000000-mapping.dmp

        Download

      • memory/2700-177-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-185-0x0000000004F70000-0x0000000005ABE000-memory.dmp

        Filesize

        11.3MB

        Download

      • memory/2700-179-0x0000000005BF0000-0x0000000005D30000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2700-173-0x0000000004F70000-0x0000000005ABE000-memory.dmp

        Filesize

        11.3MB

        Download

      • memory/4444-182-0x0000020609240000-0x0000020609380000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4444-181-0x0000020609240000-0x0000020609380000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/4444-180-0x00007FF610BD6890-mapping.dmp

        Download

      • memory/4444-184-0x00000206077F0000-0x0000020607A9E000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4444-183-0x0000000000430000-0x00000000006CD000-memory.dmp

        Filesize

        2.6MB

        Download