Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 12:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    193KB

  • MD5

    1fdcefc88cc35b4ff7199ccc87bf870e

  • SHA1

    ae709515d1f927583c15c9d19e8f7f75a292c070

  • SHA256

    32cb8276e6a47e5ab898033755df317af903c775ad2ee52b393a306f9e01b77c

  • SHA512

    4d308f3a9ea776365f77720a5f67f0e6f29488678a7a912564582eeeb7f8dec5e2ae40b4951e547aa36fdba079b2871207fba407033102f5e23d5693a3b1c207

  • SSDEEP

    3072:WabWMwTZfLsbzmHkOW5U05VbgBE1tSSBEpc7r5hiOv2eL72skMa:WaYfLqzmEOcg21tSr0hiOXX2skM

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4816
  • C:\Users\Admin\AppData\Local\Temp\42B6.exe
    C:\Users\Admin\AppData\Local\Temp\42B6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll,start
      2⤵
      • Loads dropped DLL
      PID:2836
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 480
      2⤵
      • Program crash
      PID:1104
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4900 -ip 4900
    1⤵
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\9EC1.exe
      C:\Users\Admin\AppData\Local\Temp\9EC1.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        2⤵
        • Executes dropped EXE
        PID:3460

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\42B6.exe
            Filesize

            3.6MB

            MD5

            ebf1ca07a6fb0d55f50fc1ffd4d7c44e

            SHA1

            40d9b4e7d5fe64823d12556b1e178e7a4aa5c69d

            SHA256

            f8c856af36925a137704cdc13b74b11dcd6d28607df657cfa0cbdde67e96ec5a

            SHA512

            97f06757d580f13ff72fa8504cd89c8253d11200ba28a249de7afc3b82ff5377afff3b729b2debb72d4454d012b62bbbc192e09b07b2da68d7e5cb7588004237

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\42B6.exe
            Filesize

            3.6MB

            MD5

            ebf1ca07a6fb0d55f50fc1ffd4d7c44e

            SHA1

            40d9b4e7d5fe64823d12556b1e178e7a4aa5c69d

            SHA256

            f8c856af36925a137704cdc13b74b11dcd6d28607df657cfa0cbdde67e96ec5a

            SHA512

            97f06757d580f13ff72fa8504cd89c8253d11200ba28a249de7afc3b82ff5377afff3b729b2debb72d4454d012b62bbbc192e09b07b2da68d7e5cb7588004237

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9EC1.exe
            Filesize

            1.8MB

            MD5

            15d34e6db935d28da7e5273798d97104

            SHA1

            e60a3f0a4cf6b67f42f2f6e79c354d40298797c0

            SHA256

            ea8b4c4134a4cc51fb0f71afa356d1976c8043c14e8c332e1bc9705336f3a93f

            SHA512

            906199b568f657a8bf67a3c8d062225613e8cdd42eebc9888e40e73ce49bf66988414be3cbdffa11991f148fe973c1dcab17306ce1875fce5a2b642e995e4112

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9EC1.exe
            Filesize

            1.8MB

            MD5

            15d34e6db935d28da7e5273798d97104

            SHA1

            e60a3f0a4cf6b67f42f2f6e79c354d40298797c0

            SHA256

            ea8b4c4134a4cc51fb0f71afa356d1976c8043c14e8c332e1bc9705336f3a93f

            SHA512

            906199b568f657a8bf67a3c8d062225613e8cdd42eebc9888e40e73ce49bf66988414be3cbdffa11991f148fe973c1dcab17306ce1875fce5a2b642e995e4112

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll
            Filesize

            4.3MB

            MD5

            1075fc212a63b18bc03fe7bf0f7a9951

            SHA1

            2770f3efcf6815737906f1ef127cd9a99eaf41fd

            SHA256

            d01428119c56ba63677a077d6022ac053940bcf194c4b145018ea33f75425abe

            SHA512

            3a389c321ec8207ceb385015bdb3617f3e6448cc5521ca6ca475014963dcf292ca0e9fd36e2a4c67e225942ba4a91ce12d1daab4d8ab09fb99b7639914239f65

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll
            Filesize

            4.3MB

            MD5

            1075fc212a63b18bc03fe7bf0f7a9951

            SHA1

            2770f3efcf6815737906f1ef127cd9a99eaf41fd

            SHA256

            d01428119c56ba63677a077d6022ac053940bcf194c4b145018ea33f75425abe

            SHA512

            3a389c321ec8207ceb385015bdb3617f3e6448cc5521ca6ca475014963dcf292ca0e9fd36e2a4c67e225942ba4a91ce12d1daab4d8ab09fb99b7639914239f65

            Download Submit

          • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            Filesize

            541.5MB

            MD5

            5c11f50a8f1b25bbf3fbe3876e92fe8c

            SHA1

            5caaa5153716da918cd2d38455004189f009bde3

            SHA256

            ccbafdb7823dd45254b115806a0e8d0b0a60b2af6a590be5a6040596841098cd

            SHA512

            f803ffd2b8fe76ce8fd451f3a640da6fb0bacd65d10985ace838bae7b3033e9a44db0a559a9cf13c9e763b671285890d86fb72674c59019e71e27aebaea075dd

            Download Submit

          • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            Filesize

            544.4MB

            MD5

            48b5f832d62f9b3fd1e3af83efc917c1

            SHA1

            ab90c4ca2313f794069adcf13e0078375dfd6cb4

            SHA256

            54f048799dfd4a734535b1b8fa7f9a25434b9b1ae3245b83d3a7ce39b563e7b3

            SHA512

            ab376ba455a26750aacb63e5172624aec6bccfa284d4270e0bd41a1a1a3b4093c8501a51211e1c961a3525819061ac232b5835ae312841d84789fc7f5f38cda1

            Download Submit

          • memory/2520-150-0x0000000002650000-0x0000000002A20000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/2520-155-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2520-151-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/2520-149-0x000000000249C000-0x0000000002646000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3460-158-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3460-157-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3460-156-0x00000000023BE000-0x0000000002568000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/4816-135-0x0000000000400000-0x000000000049D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/4816-133-0x0000000000510000-0x0000000000519000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4816-134-0x0000000000400000-0x000000000049D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/4816-132-0x0000000000569000-0x000000000057C000-memory.dmp

            Filesize

            76KB

            Download

          • memory/4900-145-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4900-141-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4900-140-0x0000000002A10000-0x0000000002EED000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/4900-139-0x0000000002683000-0x0000000002A02000-memory.dmp

            Filesize

            3.5MB

            Download