Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/01/2023, 11:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    311KB

  • MD5

    d7d7655f0a47063ef00c99486713406f

  • SHA1

    954da0c4e4a7e463e85d8d62a201d7be000c56bf

  • SHA256

    bf5deb42e439e5fc1e2117994bdb6483ebc724fabfeebede12293a325a91cfc7

  • SHA512

    bbddc0a41697d999554f0a2a6743dcbf92ffb690a7ecfa785e3421bf3eaa86c27a4fef9e1ebabcf8b453bf19416d5b3db478ab2216900c11b690da34767e11ee

  • SSDEEP

    3072:I4XMVLjlJ75ks54DTm4XUJaZmztZdHNfS6NeGEpHTp+dPOK5twsR9wVCaSzdeO:RULjnOhHdiEmzbpNfS+dWKQNor

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2268
  • C:\Users\Admin\AppData\Roaming\wtdjgva
    C:\Users\Admin\AppData\Roaming\wtdjgva
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Roaming\wtdjgva
      C:\Users\Admin\AppData\Roaming\wtdjgva
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3924

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\wtdjgva
          Filesize

          311KB

          MD5

          d7d7655f0a47063ef00c99486713406f

          SHA1

          954da0c4e4a7e463e85d8d62a201d7be000c56bf

          SHA256

          bf5deb42e439e5fc1e2117994bdb6483ebc724fabfeebede12293a325a91cfc7

          SHA512

          bbddc0a41697d999554f0a2a6743dcbf92ffb690a7ecfa785e3421bf3eaa86c27a4fef9e1ebabcf8b453bf19416d5b3db478ab2216900c11b690da34767e11ee

          Download Submit

        • C:\Users\Admin\AppData\Roaming\wtdjgva
          Filesize

          311KB

          MD5

          d7d7655f0a47063ef00c99486713406f

          SHA1

          954da0c4e4a7e463e85d8d62a201d7be000c56bf

          SHA256

          bf5deb42e439e5fc1e2117994bdb6483ebc724fabfeebede12293a325a91cfc7

          SHA512

          bbddc0a41697d999554f0a2a6743dcbf92ffb690a7ecfa785e3421bf3eaa86c27a4fef9e1ebabcf8b453bf19416d5b3db478ab2216900c11b690da34767e11ee

          Download Submit

        • C:\Users\Admin\AppData\Roaming\wtdjgva
          Filesize

          311KB

          MD5

          d7d7655f0a47063ef00c99486713406f

          SHA1

          954da0c4e4a7e463e85d8d62a201d7be000c56bf

          SHA256

          bf5deb42e439e5fc1e2117994bdb6483ebc724fabfeebede12293a325a91cfc7

          SHA512

          bbddc0a41697d999554f0a2a6743dcbf92ffb690a7ecfa785e3421bf3eaa86c27a4fef9e1ebabcf8b453bf19416d5b3db478ab2216900c11b690da34767e11ee

          Download Submit

        • memory/1276-143-0x0000000002D77000-0x0000000002D8C000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2220-135-0x0000000002C40000-0x0000000002C49000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2220-134-0x0000000002C67000-0x0000000002C7C000-memory.dmp

          Filesize

          84KB

          Download

        • memory/2268-136-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2268-137-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2268-133-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3924-144-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/3924-145-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download