Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
08-07-2023 16:31
General
-
Target
2f3f9d5bf3901c8b739563dac.exe
-
Size
232KB
-
MD5
2f3f9d5bf3901c8b739563daccf6b564
-
SHA1
6e5f3458712f56c6d09c8b590af31e80038d16b7
-
SHA256
954a8d78e97e2bb65568d4c5d692a2a9975a330eaa7fae20e4620d18ccbb5881
-
SHA512
b711d8e07fb99ff9dda011d49d2d5cae8a446a012d5ce17c1958bfd837405c3f87b3cf9d9eb118f13182289800b04499d8b4e456d46c47edce6bce87acacd5f6
-
SSDEEP
3072:3lAehY5NAN5dYLnjO0zhkOkw0Nr4wG+aTp24c+1d8o4jJFTqQU:VAgVYTthJkpk+R
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of WriteProcessMemory 33 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f3f9d5bf3901c8b739563dac.exe"C:\Users\Admin\AppData\Local\Temp\2f3f9d5bf3901c8b739563dac.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
44KB
-
Filesize
32KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
52KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
88KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
20KB
-
Filesize
23.3MB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
60KB
-
Filesize
36KB
-
Filesize
60KB