Analysis
-
max time kernel
150s -
max time network
57s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
-
submitted
29/03/2023, 05:32
General
-
Target
3bb98307c2020155ce2b4ff03c0e38a9882d83d643f3060e65e09bef2299dc38.exe
-
Size
246KB
-
MD5
86d13df6970d4435814dd56a9b1ca6ee
-
SHA1
4d13d581db3991ca7b7c2f900e618c129fe44431
-
SHA256
3bb98307c2020155ce2b4ff03c0e38a9882d83d643f3060e65e09bef2299dc38
-
SHA512
a9ee1048e6385056e8003649232ed6eeab7f2e6056bd74ead0f46ba08b8601cef2dda37a1b422917b731d6ca06efb9a47a354d50a17832eaa9e09c40ce142a47
-
SSDEEP
3072:/5INVuYlL0antE7Tqa8E+SbiAgcReTHYybEhfAQh5T1YPnDA:uNVlL0amTR8EyxcYahT1YPn
Malware Config
Extracted
smokeloader
sprg
Extracted
smokeloader
2022
http://hoh0aeghwugh2gie.com/
http://hie7doodohpae4na.com/
http://aek0aicifaloh1yo.com/
http://yic0oosaeiy7ahng.com/
http://wa5zu7sekai8xeih.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bb98307c2020155ce2b4ff03c0e38a9882d83d643f3060e65e09bef2299dc38.exe"C:\Users\Admin\AppData\Local\Temp\3bb98307c2020155ce2b4ff03c0e38a9882d83d643f3060e65e09bef2299dc38.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
60KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
688KB
-
Filesize
88KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
48KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
36KB
-
Filesize
156KB
-
Filesize
156KB
-
Filesize
36KB