Analysis
-
max time kernel
151s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
03-04-2023 12:03
General
-
Target
setup.exe
-
Size
244KB
-
MD5
68a9b3b951dd04cb7bc8b14efd585037
-
SHA1
207a20aac8a8d1537d50fbb494215de4ae01cfe6
-
SHA256
a17d4305d879fd288d926be3d78e28d798743522d0a0f9e98d7befe423a6bc88
-
SHA512
479ba339507438f9e16be1db43859ec78f72243f58dad9555a59b994469311b19cda1d8d1365de21f765b210e510db294e6af91905ec6818d100e4c41f983334
-
SSDEEP
3072:188WRPZvdFUsQnRFhuCoPel4ispR7LMkjjhJunuRVlgf4y+hKx7XJLHhGSCOEP:OlZliVRLef1js8Vl84XhKx5LBTu
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1084-55-0x00000000003C0000-0x00000000003C9000-memory.dmpFilesize
36KB
-
memory/1084-57-0x0000000000400000-0x00000000007F1000-memory.dmpFilesize
3.9MB
-
memory/1344-56-0x0000000002560000-0x0000000002576000-memory.dmpFilesize
88KB