Analysis
-
max time kernel
151s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10/03/2023, 11:20
General
-
Target
b76b84ca83697613fb8d2a8bc116961c8aadab57ca385f8a3032d9399aeff01f.exe
-
Size
164KB
-
MD5
f5e4f6e86f8c5cbd492e36ae2aa9f72d
-
SHA1
3d5be475174f64cb83886ea3109767686fe0bd0a
-
SHA256
b76b84ca83697613fb8d2a8bc116961c8aadab57ca385f8a3032d9399aeff01f
-
SHA512
51bfc69acfeeb6222c281a0380a65fc83fab342adaf876a81b90f1b869fe2878d20c47d3117d122d9d2732e3edbd8d496c8799d99905db1ce8060b8a20ccf06b
-
SSDEEP
3072:4IiV3N1ncO8WEmQSkDMeAUhL1zkeM5sOeVbfZgH:4FV9xn8WEmjkIebhJQeROtH
Malware Config
Extracted
smokeloader
2022
http://ahead4scores.ac.ug/index.php
https://ahead4scores.ac.ug/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 31 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 55 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b76b84ca83697613fb8d2a8bc116961c8aadab57ca385f8a3032d9399aeff01f.exe"C:\Users\Admin\AppData\Local\Temp\b76b84ca83697613fb8d2a8bc116961c8aadab57ca385f8a3032d9399aeff01f.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 852 -s 7122⤵
- Program crash
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 852 -ip 8521⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
88KB
-
Filesize
512KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
428KB
-
Filesize
428KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1.4MB
-
Filesize
36KB