Analysis
-
max time kernel
150s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
05-06-2023 02:01
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20230220-en
General
-
Target
file.exe
-
Size
270KB
-
MD5
2c4c3cef5eea7986bf45497a9337ae0b
-
SHA1
5b8077c5d2bb879a3de1e854f545d66884972a2a
-
SHA256
60e02417501b729855130e7591da7007dfab65da36c9baf8c4be4d94425398f6
-
SHA512
b85e9d0581c0a46321c5e0e6392aa64731989732e817dbe28fda28bbee4a0ffc392a5052cf4a52a1a92433ceae96e5606d74989f265b6d3dbbc66ed69892cabe
-
SSDEEP
6144:ndIEuWBbb9dwtyXqJ7GS99digVJV+6MRxE4D:nuEuWpjOyXqJ7jdp+bZ
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
file.exedescription ioc process Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
file.exepid process 948 file.exe 948 file.exe 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 1256 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1256 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
file.exepid process 948 file.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/948-55-0x0000000000220000-0x0000000000229000-memory.dmpFilesize
36KB
-
memory/948-57-0x0000000000400000-0x0000000002CEA000-memory.dmpFilesize
40.9MB
-
memory/1256-56-0x0000000002140000-0x0000000002156000-memory.dmpFilesize
88KB
-
memory/1256-60-0x000007FE878B0000-0x000007FE878BA000-memory.dmpFilesize
40KB