Analysis
-
max time kernel
150s -
max time network
58s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
10/03/2023, 20:18 UTC
General
-
Target
e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe
-
Size
198KB
-
MD5
5bc1774ebeca1525058ae1501e5e11c7
-
SHA1
7a51999683bc1d9388925479d890d1037ac6c6cb
-
SHA256
e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9
-
SHA512
5631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4
-
SSDEEP
3072:1vHtFqxDMYWC70ckqrWV4q4vNJ3j3f0MzY8/POtmcgldD1ywW:9NFMgYYk24qINJ3zNY83OMzdw
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe"C:\Users\Admin\AppData\Local\Temp\e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\rfruatfC:\Users\Admin\AppData\Roaming\rfruatf1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
-
DNShoh0aeghwugh2gie.comRemote address:8.8.8.8:53Requesthoh0aeghwugh2gie.comIN AResponsehoh0aeghwugh2gie.comIN A109.206.243.140 -
POSThttp://hoh0aeghwugh2gie.com/Remote address:109.206.243.140:80RequestPOST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://alhbdwe.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 336
Host: hoh0aeghwugh2gie.com
ResponseHTTP/1.1 404 Not Found
Date: Fri, 10 Mar 2023 20:18:36 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
-
DNS140.243.206.109.in-addr.arpaRemote address:8.8.8.8:53Request140.243.206.109.in-addr.arpaIN PTRResponse
-
DNS44.8.109.52.in-addr.arpaRemote address:8.8.8.8:53Request44.8.109.52.in-addr.arpaIN PTRResponse
-
109.206.243.140:80http://hoh0aeghwugh2gie.com/http
HTTP Request
POST http://hoh0aeghwugh2gie.com/HTTP Response
404 -
20.189.173.4:443
-
8.8.8.8:53hoh0aeghwugh2gie.comdns
DNS Request
hoh0aeghwugh2gie.com
DNS Response
109.206.243.140
-
8.8.8.8:53140.243.206.109.in-addr.arpadns
DNS Request
140.243.206.109.in-addr.arpa
-
8.8.8.8:5344.8.109.52.in-addr.arpadns
DNS Request
44.8.109.52.in-addr.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
198KB
MD55bc1774ebeca1525058ae1501e5e11c7
SHA17a51999683bc1d9388925479d890d1037ac6c6cb
SHA256e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9
SHA5125631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4
-
Filesize
198KB
MD55bc1774ebeca1525058ae1501e5e11c7
SHA17a51999683bc1d9388925479d890d1037ac6c6cb
SHA256e051e630d779620dfe52e68e157f38a6b2f97f66b6136a8e75bf02634a5a65b9
SHA5125631bce54e0d97724d94266baf768d4b5bf91821d354660feb3e5813407eb3895151764dc7303fe2db4539c152f6592859226d271f0f3a1067f1dbeeb56df1e4
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
156KB
-
Filesize
52KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
708KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
708KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
36KB