Analysis
max time kernel: 150s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 02-04-2023 00:31
Static task: static1
Behavioral task: behavioral1 (sample setup.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample setup.exe, resource win10v2004-20230220-en)
The platform and resource listed above identify this page as the behavioral1 run (Windows 7 x64); the Windows 10 run is a separate report.
General
Target: setup.exe
Size: 324KB
MD5: 0456df472fd5ce1f06f608334c3129e2
SHA1: 2b41245daf0eeee8409b6b36af1ba0a3e236693f
SHA256: b1d1d43f4de2fa19f96bc3027b45a11e25e05f77ebcfd829729925d07eaa48cf
SHA512: e180c115e3a89f7ae8a6b74b5cbf168a7b08dec98810a08d42c177f18c797609e122476ee7ec33fb11fb5440a6752cea9a693c32831a2df49750715e3d25e357
SSDEEP: 3072:3/KtoFFp3yjNGGurbv6YHGur9EypJ9BrFTpErLxjOWzuTFKph5aEPS:vMoLp3ibQiw9Bz+0/BKjp
Malware Config
Extracted
Family: smokeloader
Version: 2022
C2 URLs (13, all plain HTTP):
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
The config is a fallback list: the bot moves to the next entry when one fails, so every hostname above is an indicator, not just the first one contacted.
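The indicators this report yields are the 13 C2 hostnames from the extracted config and the hashes of setup.exe from the General section. The following is an added example written for this page, not part of the sandbox report or of any vendor tool: it turns those indicators into a small matcher and runs it over constructed DNS/proxy log lines and a constructed file inventory. The log formats (`query=` for DNS, `url=` for proxy) and the inventory layout are assumptions made for the demo, not a real product's format.

```python
"""IOC matcher for the SmokeLoader indicators in this report (added example)."""
import re
from urllib.parse import urlparse

# C2 URLs exactly as extracted from the sample's config.
C2_URLS = [
    "http://potunulit.org/",
    "http://hutnilior.net/",
    "http://bulimu55t.net/",
    "http://soryytlic4.net/",
    "http://novanosa5org.org/",
    "http://nuljjjnuli.org/",
    "http://tolilolihul.net/",
    "http://somatoka51hub.net/",
    "http://hujukui3.net/",
    "http://bukubuka1.net/",
    "http://golilopaster.org/",
    "http://newzelannd66.org/",
    "http://otriluyttn.org/",
]

# File hashes of setup.exe from the General section (lowercase hex).
SAMPLE_HASHES = {
    "md5": "0456df472fd5ce1f06f608334c3129e2",
    "sha1": "2b41245daf0eeee8409b6b36af1ba0a3e236693f",
    "sha256": "b1d1d43f4de2fa19f96bc3027b45a11e25e05f77ebcfd829729925d07eaa48cf",
}


def c2_hostnames(urls=C2_URLS):
    """Reduce the C2 URLs to lowercase hostnames; paths change, hosts are the durable IOC."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host, c2_hosts):
    """True if host is a C2 hostname or a subdomain of one (never a substring match)."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in c2_hosts)


# Pull a hostname out of either constructed log format.
_HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")


def match_logs(lines, c2_hosts=None):
    """Return (hostname, line) for every log line that names a C2 host."""
    c2_hosts = c2_hosts if c2_hosts is not None else c2_hostnames()
    hits = []
    for line in lines:
        m = _HOST_RE.search(line)
        if m and host_matches(m.group(1), c2_hosts):
            hits.append((m.group(1).lower(), line))
    return hits


def match_hashes(inventory, known=SAMPLE_HASHES):
    """Return paths whose recorded hash (any algorithm) equals the sample's.

    inventory: iterable of (path, algorithm, hexdigest); comparison is case-insensitive.
    """
    wanted = {(alg, digest.lower()) for alg, digest in known.items()}
    return sorted({path for path, alg, digest in inventory
                   if (alg.lower(), digest.lower()) in wanted})


# Constructed sample data for the demo (not taken from the report).
SAMPLE_LOGS = [
    "2023-04-02T00:32:10Z dns client=10.0.0.15 query=potunulit.org type=A",
    "2023-04-02T00:32:11Z proxy client=10.0.0.15 method=POST url=http://hutnilior.net/ status=404",
    "2023-04-02T00:32:12Z dns client=10.0.0.15 query=www.microsoft.com type=A",
    "2023-04-02T00:32:13Z proxy client=10.0.0.22 method=GET url=http://example.com/index.html status=200",
    "2023-04-02T00:32:14Z dns client=10.0.0.15 query=cdn.novanosa5org.org type=A",
]

SAMPLE_INVENTORY = [
    ("C:\\Users\\alice\\Downloads\\setup.exe", "sha256",
     "B1D1D43F4DE2FA19F96BC3027B45A11E25E05F77EBCFD829729925D07EAA48CF"),
    ("C:\\Windows\\System32\\notepad.exe", "sha256",
     "0000000000000000000000000000000000000000000000000000000000000000"),
    ("C:\\Temp\\installer.exe", "md5", "0456df472fd5ce1f06f608334c3129e2"),
]

if __name__ == "__main__":
    for host, line in match_logs(SAMPLE_LOGS):
        print("C2 contact:", host, "|", line)
    for path in match_hashes(SAMPLE_INVENTORY):
        print("sample on disk:", path)
```

Matching is on the hostname (or a subdomain of it) rather than on the full URL, because the URL path is the part of a SmokeLoader beacon that varies; the hash check accepts any of the three algorithms so it works against inventories that only record one of them.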
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the subkeys under Enum\SCSI are device instance IDs that carry the disk vendor and product strings, which on a virtual machine usually name the hypervisor.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | setup.exe
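What the open/query/enumerate sequence on Enum\SCSI gives an attacker, shown as an added example written for this page (not the sample's code, whose exact comparison strings the report does not reveal): the subkey names under that key are device instance IDs such as `Disk&Ven_VBOX&Prod_HARDDISK`, and a short list of hypervisor vendor strings is enough to classify a host. The marker list and the instance IDs below are constructed for the demo; the live reader is only usable on Windows and mirrors the three registry operations the report logs.

```python
"""Classify SCSI device instance IDs the way an anti-sandbox check would (added example)."""
import re
import sys

# The key setup.exe opened, queried and enumerated (relative to HKLM).
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product fragments commonly seen on virtual machines. Assumption: a generic
# list for illustration, not the strings this sample compares against.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")

# Instance IDs look like "<class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]".
_ID_RE = re.compile(r"Ven_([^&]*)&Prod_([^&]*)", re.IGNORECASE)


def classify(instance_ids):
    """Return (vm_suspected, matching_ids) for a list of SCSI instance IDs."""
    hits = []
    for iid in instance_ids:
        m = _ID_RE.search(iid)
        if not m:
            continue
        vendor, product = m.group(1).upper(), m.group(2).upper()
        if any(mk in vendor or mk in product for mk in VM_MARKERS):
            hits.append(iid)
    return (bool(hits), hits)


def read_live_scsi_ids():
    """Enumerate the subkeys of Enum\\SCSI on a live Windows host.

    Same sequence as in the report: open the key, query its info, enumerate subkeys.
    """
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            ids.append(winreg.EnumKey(key, i))
    return ids


# Constructed instance IDs for the demo (not read from any machine).
SAMPLE_IDS = [
    "Disk&Ven_VBOX&Prod_HARDDISK",          # VirtualBox disk
    "CdRom&Ven_VBOX&Prod_CD-ROM",           # VirtualBox optical drive
    "Disk&Ven_VMware&Prod_Virtual_disk",    # VMware disk
    "Disk&Ven_ATA&Prod_ST1000DM003",        # bare-metal SATA disk
]

if __name__ == "__main__":
    ids = read_live_scsi_ids() if sys.platform == "win32" else SAMPLE_IDS
    suspected, matches = classify(ids)
    print("VM suspected:", suspected, "matches:", matches)
```

The check is a heuristic on both sides: a bare-metal host with Storage Spaces exposes a `Msft Virtual Disk` device, and a sandbox whose virtual disks have been renamed passes it. That is why the report lists the registry operations as IoCs rather than drawing a conclusion from them.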
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process | events
2032 | setup.exe | 2
1268 | (no image name recorded in the report) | 62
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Repeated GetForegroundWindow calls, typically polling for foreground-window changes as a check that a real user is present.
Processes:
pid | process
1268 | (no image name recorded in the report)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
pid | process
2032 | setup.exe
Section mapping by setup.exe followed by process enumeration and window polling under pid 1268, a process the report never names, is consistent with injection into another process; the report does not identify the target.
Processes
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1268-56-0x0000000002A70000-0x0000000002A86000-memory.dmp (88KB)
memory/1268-60-0x000007FF50F90000-0x000007FF50F9A000-memory.dmp (40KB)
memory/2032-55-0x0000000000240000-0x0000000000249000-memory.dmp (36KB)
memory/2032-57-0x0000000000400000-0x00000000022BA000-memory.dmp (30.7MB)
Each name encodes pid, event index and the dumped address range, and the sizes match the ranges (0x2A86000 - 0x2A70000 = 0x16000 = 88KB). Two dumps come from pid 1268, the unnamed process in the signatures above; 0x000007FF50F90000 lies above the 4GB user-mode range of a 32-bit process, so pid 1268 is a 64-bit process. The 2032-57 dump starts at setup.exe's image base and spans 30.7MB for a 324KB file on disk, so the small regions (2032-55 at 0x240000 and 1268-56 at 0x2A70000) are the ones to examine first for unpacked code.