Analysis
-
max time kernel
151s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
04-03-2023 17:25
General
-
Target
78e426a4a1152fcd664359dc397c34d8ad637725dafe18ef262a9f700e0bdf7a.exe
-
Size
181KB
-
MD5
ea1c1109d75b12a3bda3e308c3dd8960
-
SHA1
417b5f689cdb85829e4bdd1b5ef97de9aa96c2e0
-
SHA256
78e426a4a1152fcd664359dc397c34d8ad637725dafe18ef262a9f700e0bdf7a
-
SHA512
ff345a5250b1d753d9802a8932bf5f497add0cfd017b530f942ab488b22a9b38c0c9027d9ec61a2fa026a44a28db732bb6643658f17d8ed8da6361f983002d19
-
SSDEEP
3072:Pn3xqHXBBgXfGYVDkBkM+OovzlsRIPXgeNja/JI0Kx:J2XngXf9aBGjzlsRIPweNUC0K
Malware Config
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\78e426a4a1152fcd664359dc397c34d8ad637725dafe18ef262a9f700e0bdf7a.exe"C:\Users\Admin\AppData\Local\Temp\78e426a4a1152fcd664359dc397c34d8ad637725dafe18ef262a9f700e0bdf7a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E37F.exeC:\Users\Admin\AppData\Local\Temp\E37F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 2882⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4380 -ip 43801⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
180KB
MD560b55a03146e3388672a9578fa5626a9
SHA1f59712dde5092fe6d2fccbf421b387abf9dfcfb5
SHA256bf021a868b03fa52ae398181b986f44784c734daafb0aaca8aee6d810bf08b9b
SHA51287ea61e46abbd0f0c30b98084a4b500b777a2cb3462f667c04d46ecbc67e743b339cbc8ad369c0f02f43e4035a814266a7121e39c40a01aaf451c3dd85c30d34
-
Filesize
180KB
MD560b55a03146e3388672a9578fa5626a9
SHA1f59712dde5092fe6d2fccbf421b387abf9dfcfb5
SHA256bf021a868b03fa52ae398181b986f44784c734daafb0aaca8aee6d810bf08b9b
SHA51287ea61e46abbd0f0c30b98084a4b500b777a2cb3462f667c04d46ecbc67e743b339cbc8ad369c0f02f43e4035a814266a7121e39c40a01aaf451c3dd85c30d34
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
88KB
-
Filesize
1.4MB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
32KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
156KB