Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 06:15
General
-
Target
e34bf84f16df714eaf3d0c4bdeb5ed3b.exe
-
Size
250KB
-
MD5
e34bf84f16df714eaf3d0c4bdeb5ed3b
-
SHA1
8e34d2764c1d9c707b874a23576d63c4b4135f4b
-
SHA256
942af905e90552cd7b35c1cda77866220dbf3732b3379ed18caa0b3e641b4ef5
-
SHA512
c5146a8ee610f0a223865c2f7c21be9477d1b195d7d43d82c907e35867f1dfbb892fa6251ea55a3077ea9e665ea54962ac98154ed7c92034fe552cf369054312
-
SSDEEP
6144:NiDsbZrkxL39ZsTF3lSEg3iwR3W+kxg8YI:8KrkxT9ZAF1toidq8Y
Score
10/10
Malware Config
Extracted
Family
smokeloader
Botnet
sprg
Extracted
Family
smokeloader
Version
2022
C2
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e34bf84f16df714eaf3d0c4bdeb5ed3b.exe"C:\Users\Admin\AppData\Local\Temp\e34bf84f16df714eaf3d0c4bdeb5ed3b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1388-157-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/1388-159-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/1388-173-0x0000000000CA0000-0x0000000000CAC000-memory.dmpFilesize
48KB
-
memory/1388-158-0x0000000000CA0000-0x0000000000CAC000-memory.dmpFilesize
48KB
-
memory/2696-161-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/2696-174-0x0000000000520000-0x0000000000547000-memory.dmpFilesize
156KB
-
memory/2696-160-0x0000000000650000-0x0000000000659000-memory.dmpFilesize
36KB
-
memory/2696-162-0x0000000000650000-0x0000000000659000-memory.dmpFilesize
36KB
-
memory/2900-152-0x00000000005A0000-0x00000000005A9000-memory.dmpFilesize
36KB
-
memory/2900-153-0x0000000000600000-0x000000000060F000-memory.dmpFilesize
60KB
-
memory/2900-154-0x00000000005A0000-0x00000000005A9000-memory.dmpFilesize
36KB
-
memory/2900-171-0x0000000000600000-0x000000000060F000-memory.dmpFilesize
60KB
-
memory/3140-135-0x00000000020A0000-0x00000000020B6000-memory.dmpFilesize
88KB
-
memory/3344-134-0x0000000000960000-0x0000000000969000-memory.dmpFilesize
36KB
-
memory/3344-136-0x0000000000400000-0x0000000000702000-memory.dmpFilesize
3.0MB
-
memory/3428-167-0x0000000000800000-0x000000000080D000-memory.dmpFilesize
52KB
-
memory/3428-165-0x0000000000800000-0x000000000080D000-memory.dmpFilesize
52KB
-
memory/3428-166-0x0000000001450000-0x000000000145B000-memory.dmpFilesize
44KB
-
memory/3428-176-0x0000000001450000-0x000000000145B000-memory.dmpFilesize
44KB
-
memory/3640-177-0x0000000000800000-0x000000000080D000-memory.dmpFilesize
52KB
-
memory/3640-168-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3640-169-0x0000000000800000-0x000000000080D000-memory.dmpFilesize
52KB
-
memory/3640-170-0x0000000000800000-0x000000000080B000-memory.dmpFilesize
44KB
-
memory/3808-156-0x0000000000CA0000-0x0000000000CAC000-memory.dmpFilesize
48KB
-
memory/3808-172-0x00000000005A0000-0x00000000005A9000-memory.dmpFilesize
36KB
-
memory/3808-155-0x0000000000CA0000-0x0000000000CAC000-memory.dmpFilesize
48KB
-
memory/3848-146-0x0000000000C30000-0x0000000000C3B000-memory.dmpFilesize
44KB
-
memory/3848-147-0x0000000000960000-0x0000000000969000-memory.dmpFilesize
36KB
-
memory/3848-148-0x0000000000C30000-0x0000000000C3B000-memory.dmpFilesize
44KB
-
memory/4088-163-0x0000000001450000-0x000000000145B000-memory.dmpFilesize
44KB
-
memory/4088-164-0x0000000001450000-0x000000000145B000-memory.dmpFilesize
44KB
-
memory/4088-175-0x0000000000650000-0x0000000000659000-memory.dmpFilesize
36KB
-
memory/4768-149-0x0000000000600000-0x000000000060F000-memory.dmpFilesize
60KB
-
memory/4768-150-0x0000000000C30000-0x0000000000C3B000-memory.dmpFilesize
44KB
-
memory/4768-151-0x0000000000600000-0x000000000060F000-memory.dmpFilesize
60KB