Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
27-03-2023 23:41
General
-
Target
f0f32bfe6277bb7d507e9ac7ffc72c85230e99352168136d66cc73e5898cd408.exe
-
Size
265KB
-
MD5
fef570cafc077e302fd07b2dd59e7265
-
SHA1
1486ba4af2bbe43aa7334fdd03ff80b2777fc497
-
SHA256
f0f32bfe6277bb7d507e9ac7ffc72c85230e99352168136d66cc73e5898cd408
-
SHA512
627afc69aa15e278b5dee0161df92516ca88fd7d5a9a44882bd861a2ca39944ce73a6a9e1e12c2cdedd1356ea8640a697368120174d9f5348c98152faef852ff
-
SSDEEP
3072:AjO8RHyGl/COeLQO7+g1WFcSmASjXp15Q0K7Qnx/YL5ktQCU3wsUfsX:CJ5yG8OeLrYFcS70Xp1m0Kox/R
Score
10/10
Malware Config
Extracted
Family
smokeloader
Botnet
sprg
Extracted
Family
smokeloader
Version
2022
C2
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0f32bfe6277bb7d507e9ac7ffc72c85230e99352168136d66cc73e5898cd408.exe"C:\Users\Admin\AppData\Local\Temp\f0f32bfe6277bb7d507e9ac7ffc72c85230e99352168136d66cc73e5898cd408.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1724-169-0x0000000000C60000-0x0000000000C6B000-memory.dmpFilesize
44KB
-
memory/1724-178-0x00000000001E0000-0x00000000001ED000-memory.dmpFilesize
52KB
-
memory/1724-171-0x0000000000C60000-0x0000000000C6B000-memory.dmpFilesize
44KB
-
memory/1724-170-0x00000000001E0000-0x00000000001ED000-memory.dmpFilesize
52KB
-
memory/3160-135-0x0000000000E60000-0x0000000000E76000-memory.dmpFilesize
88KB
-
memory/3248-161-0x00000000010C0000-0x00000000010E7000-memory.dmpFilesize
156KB
-
memory/3248-162-0x0000000000820000-0x0000000000829000-memory.dmpFilesize
36KB
-
memory/3248-160-0x0000000000820000-0x0000000000829000-memory.dmpFilesize
36KB
-
memory/3248-176-0x00000000010C0000-0x00000000010E7000-memory.dmpFilesize
156KB
-
memory/3564-150-0x00000000001C0000-0x00000000001CF000-memory.dmpFilesize
60KB
-
memory/3564-151-0x00000000001C0000-0x00000000001CF000-memory.dmpFilesize
60KB
-
memory/3564-149-0x00000000001C0000-0x00000000001CF000-memory.dmpFilesize
60KB
-
memory/3580-165-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3580-164-0x0000000000820000-0x0000000000829000-memory.dmpFilesize
36KB
-
memory/3580-163-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3620-167-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3620-166-0x00000000001E0000-0x00000000001ED000-memory.dmpFilesize
52KB
-
memory/3620-168-0x00000000001E0000-0x00000000001ED000-memory.dmpFilesize
52KB
-
memory/3620-177-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3904-147-0x0000000000890000-0x0000000000899000-memory.dmpFilesize
36KB
-
memory/3904-148-0x0000000000900000-0x000000000090B000-memory.dmpFilesize
44KB
-
memory/3904-172-0x0000000000890000-0x0000000000899000-memory.dmpFilesize
36KB
-
memory/3904-146-0x0000000000900000-0x000000000090B000-memory.dmpFilesize
44KB
-
memory/4568-136-0x0000000000400000-0x0000000000705000-memory.dmpFilesize
3.0MB
-
memory/4568-134-0x0000000000890000-0x0000000000899000-memory.dmpFilesize
36KB
-
memory/4748-156-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/4748-155-0x0000000000440000-0x0000000000450000-memory.dmpFilesize
64KB
-
memory/4748-153-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/4844-157-0x00000000010C0000-0x00000000010E7000-memory.dmpFilesize
156KB
-
memory/4844-158-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/4844-175-0x00000000001E0000-0x00000000001EC000-memory.dmpFilesize
48KB
-
memory/4844-159-0x00000000010C0000-0x00000000010E7000-memory.dmpFilesize
156KB
-
memory/4896-154-0x0000000000440000-0x0000000000450000-memory.dmpFilesize
64KB
-
memory/4896-173-0x0000000000430000-0x0000000000439000-memory.dmpFilesize
36KB
-
memory/4896-174-0x0000000000440000-0x0000000000450000-memory.dmpFilesize
64KB
-
memory/4896-152-0x0000000000430000-0x0000000000439000-memory.dmpFilesize
36KB