Resubmissions
27-03-2023 07:51
230327-jp31kscd46 1027-03-2023 07:48
230327-jm8s2sed6s 127-03-2023 07:35
230327-jeqmhacc77 10Analysis
-
max time kernel
29s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
27-03-2023 07:35
General
-
Target
file.exe
-
Size
269KB
-
MD5
26d85c2bdc983c43452401545f3c6007
-
SHA1
e18a2a223b91f426b5dab23b13970264d1da6ebc
-
SHA256
c8313943995590c444dac429919bc562c8f81c7d81c898fbb9bd7822dce889f4
-
SHA512
d652d2c4ab97507e0b61b37dc069b024a531b56e80f95a449d201ba6b0a1b6baecc33162be4f4a4571054295154c2c4c0a27f6831ac5dd37f0d27e3795fde3e5
-
SSDEEP
3072:Fm6fmyQA+BF8tlkC42EVOkAz+t/lB2SpYeEvyqbxDFoio56WmxeQZn78F:zQLK42EskAhS+7fyZmB
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 35 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1336-56-0x0000000002750000-0x0000000002766000-memory.dmpFilesize
88KB
-
memory/1704-55-0x0000000000220000-0x0000000000229000-memory.dmpFilesize
36KB
-
memory/1704-57-0x0000000000400000-0x0000000002B71000-memory.dmpFilesize
39.4MB