Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/02/2023, 00:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    205KB

  • MD5

    05bc99ce9688cc06dea5e76c432aa9eb

  • SHA1

    5624f3ce3de8c6532a1128cd93933c6e6cd3e367

  • SHA256

    56efcacfde1c2964e3d83156e99dbc29bfbcf8a2382c614472b08fa01a62c76f

  • SHA512

    3e5fd7e61aeb1c41645dfcfb9c76177702c0cdd693b288dab3252b15c975e0625c218147c7efc721d2a70b347c0d02e999232e25f1ac66e5c1e0eb2fd3410c7a

  • SSDEEP

    3072:jUodx9cVqP3sH2d9ZC9QMzV+X7mpuei1vTmrh9Ax672sPaaaahT2M:j9dAUc2fcyMzccmdm7AxO

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:5004
  • C:\Users\Admin\AppData\Roaming\fascweb
    C:\Users\Admin\AppData\Roaming\fascweb
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Roaming\fascweb
      C:\Users\Admin\AppData\Roaming\fascweb
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fascweb
    Filesize

    205KB

    MD5

    05bc99ce9688cc06dea5e76c432aa9eb

    SHA1

    5624f3ce3de8c6532a1128cd93933c6e6cd3e367

    SHA256

    56efcacfde1c2964e3d83156e99dbc29bfbcf8a2382c614472b08fa01a62c76f

    SHA512

    3e5fd7e61aeb1c41645dfcfb9c76177702c0cdd693b288dab3252b15c975e0625c218147c7efc721d2a70b347c0d02e999232e25f1ac66e5c1e0eb2fd3410c7a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\fascweb
    Filesize

    205KB

    MD5

    05bc99ce9688cc06dea5e76c432aa9eb

    SHA1

    5624f3ce3de8c6532a1128cd93933c6e6cd3e367

    SHA256

    56efcacfde1c2964e3d83156e99dbc29bfbcf8a2382c614472b08fa01a62c76f

    SHA512

    3e5fd7e61aeb1c41645dfcfb9c76177702c0cdd693b288dab3252b15c975e0625c218147c7efc721d2a70b347c0d02e999232e25f1ac66e5c1e0eb2fd3410c7a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\fascweb
    Filesize

    205KB

    MD5

    05bc99ce9688cc06dea5e76c432aa9eb

    SHA1

    5624f3ce3de8c6532a1128cd93933c6e6cd3e367

    SHA256

    56efcacfde1c2964e3d83156e99dbc29bfbcf8a2382c614472b08fa01a62c76f

    SHA512

    3e5fd7e61aeb1c41645dfcfb9c76177702c0cdd693b288dab3252b15c975e0625c218147c7efc721d2a70b347c0d02e999232e25f1ac66e5c1e0eb2fd3410c7a

    Download Submit

  • memory/824-144-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/824-145-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2348-143-0x000000000076F000-0x0000000000782000-memory.dmp

    Filesize

    76KB

    Download

  • memory/4728-135-0x00000000008C0000-0x00000000008C9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4728-134-0x000000000091F000-0x0000000000932000-memory.dmp

    Filesize

    76KB

    Download

  • memory/5004-136-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/5004-137-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/5004-133-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download