Analysis
-
max time kernel
151s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
27-03-2023 21:48
General
-
Target
eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605.exe
-
Size
265KB
-
MD5
5a8415f7326f6542612327b5411b6a67
-
SHA1
d5915278feac694953077002e6213b397a5e6989
-
SHA256
eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605
-
SHA512
bc9308af2e28f792db6779fc4ee02e5f4049fedda0e1fc8ffb380c98dc0f1c36edcbc034ec23a90133ca346ec683eafd16e06338e8f0d4d8075c48526d5aa390
-
SSDEEP
3072:4jxrRHyW1rl2nLWQ7P9aW7SJCEwwf+cD726rApGisDdfK4DvL5kGOgCU3wsUfsX:qp5yWH2nLPJ7SJCqf+cG6ki1KCSG
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 20 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605.exe"C:\Users\Admin\AppData\Local\Temp\eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Roaming\dbfejvcC:\Users\Admin\AppData\Roaming\dbfejvc1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\dbfejvcFilesize
265KB
MD55a8415f7326f6542612327b5411b6a67
SHA1d5915278feac694953077002e6213b397a5e6989
SHA256eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605
SHA512bc9308af2e28f792db6779fc4ee02e5f4049fedda0e1fc8ffb380c98dc0f1c36edcbc034ec23a90133ca346ec683eafd16e06338e8f0d4d8075c48526d5aa390
-
C:\Users\Admin\AppData\Roaming\dbfejvcFilesize
265KB
MD55a8415f7326f6542612327b5411b6a67
SHA1d5915278feac694953077002e6213b397a5e6989
SHA256eda6d3ec29aef5cd7a2000d17efab7dcb710fcd0906357cb43a68cee6e9b7605
SHA512bc9308af2e28f792db6779fc4ee02e5f4049fedda0e1fc8ffb380c98dc0f1c36edcbc034ec23a90133ca346ec683eafd16e06338e8f0d4d8075c48526d5aa390
-
memory/964-153-0x0000000000760000-0x000000000076F000-memory.dmpFilesize
60KB
-
memory/964-151-0x0000000000760000-0x000000000076F000-memory.dmpFilesize
60KB
-
memory/964-176-0x0000000000770000-0x0000000000779000-memory.dmpFilesize
36KB
-
memory/964-152-0x0000000000770000-0x0000000000779000-memory.dmpFilesize
36KB
-
memory/1028-180-0x00000000012A0000-0x00000000012A5000-memory.dmpFilesize
20KB
-
memory/1028-165-0x0000000001290000-0x0000000001299000-memory.dmpFilesize
36KB
-
memory/1028-163-0x0000000001290000-0x0000000001299000-memory.dmpFilesize
36KB
-
memory/1028-164-0x00000000012A0000-0x00000000012A5000-memory.dmpFilesize
20KB
-
memory/1832-178-0x0000000000710000-0x0000000000716000-memory.dmpFilesize
24KB
-
memory/1832-157-0x0000000000700000-0x000000000070C000-memory.dmpFilesize
48KB
-
memory/1832-158-0x0000000000710000-0x0000000000716000-memory.dmpFilesize
24KB
-
memory/1832-159-0x0000000000700000-0x000000000070C000-memory.dmpFilesize
48KB
-
memory/3172-187-0x0000000002D10000-0x0000000002D26000-memory.dmpFilesize
88KB
-
memory/3172-135-0x0000000002E60000-0x0000000002E76000-memory.dmpFilesize
88KB
-
memory/3396-181-0x0000000001280000-0x0000000001286000-memory.dmpFilesize
24KB
-
memory/3396-166-0x0000000001270000-0x000000000127B000-memory.dmpFilesize
44KB
-
memory/3396-167-0x0000000001280000-0x0000000001286000-memory.dmpFilesize
24KB
-
memory/3396-168-0x0000000001270000-0x000000000127B000-memory.dmpFilesize
44KB
-
memory/3528-155-0x0000000000DA0000-0x0000000000DA5000-memory.dmpFilesize
20KB
-
memory/3528-156-0x0000000000D90000-0x0000000000D99000-memory.dmpFilesize
36KB
-
memory/3528-154-0x0000000000D90000-0x0000000000D99000-memory.dmpFilesize
36KB
-
memory/3528-177-0x0000000000DA0000-0x0000000000DA5000-memory.dmpFilesize
20KB
-
memory/3968-171-0x0000000000A10000-0x0000000000A1D000-memory.dmpFilesize
52KB
-
memory/3968-170-0x0000000000A20000-0x0000000000A27000-memory.dmpFilesize
28KB
-
memory/3968-182-0x0000000000A20000-0x0000000000A27000-memory.dmpFilesize
28KB
-
memory/3968-169-0x0000000000A10000-0x0000000000A1D000-memory.dmpFilesize
52KB
-
memory/4440-174-0x0000000001020000-0x000000000102B000-memory.dmpFilesize
44KB
-
memory/4440-172-0x0000000001020000-0x000000000102B000-memory.dmpFilesize
44KB
-
memory/4440-173-0x0000000001030000-0x0000000001038000-memory.dmpFilesize
32KB
-
memory/4440-183-0x0000000001030000-0x0000000001038000-memory.dmpFilesize
32KB
-
memory/4520-150-0x00000000004E0000-0x00000000004EB000-memory.dmpFilesize
44KB
-
memory/4520-175-0x00000000004F0000-0x00000000004F7000-memory.dmpFilesize
28KB
-
memory/4520-148-0x00000000004E0000-0x00000000004EB000-memory.dmpFilesize
44KB
-
memory/4520-149-0x00000000004F0000-0x00000000004F7000-memory.dmpFilesize
28KB
-
memory/4628-160-0x00000000003D0000-0x00000000003F7000-memory.dmpFilesize
156KB
-
memory/4628-162-0x00000000003D0000-0x00000000003F7000-memory.dmpFilesize
156KB
-
memory/4628-161-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4628-179-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4668-190-0x0000000000400000-0x0000000000705000-memory.dmpFilesize
3.0MB
-
memory/5076-134-0x00000000008A0000-0x00000000008A9000-memory.dmpFilesize
36KB
-
memory/5076-137-0x0000000000400000-0x0000000000705000-memory.dmpFilesize
3.0MB