Resubmissions
04-08-2023 10:28
230804-mh3ysabf6v 1004-08-2023 07:37
230804-jfwvxaaa58 1004-08-2023 07:23
230804-h7916saa29 1004-08-2023 07:18
230804-h5a43aba9z 1002-08-2023 17:02
230802-vkan1sha8t 10Analysis
-
max time kernel
585s -
max time network
362s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
04-08-2023 07:37
General
-
Target
weboffice.exe
-
Size
289KB
-
MD5
a7110aaac6cddd884e259c5fcc96cf39
-
SHA1
adf55266ed1a0edd9667a6fcba4197d2e0e88599
-
SHA256
9d2f8abbb0f5b815698996aea136c4956b87e4bf248c2527f8711e78e432ffa2
-
SHA512
9d4027c94a2c53035350646a04e13626953da445c874e9dc203148e9cb82474b122b51ad91cb895cbf3c2173fa352e08d0c13334aaff3cb8a0cab0350edf08ba
-
SSDEEP
3072:Zm25HAnLcec0G2ADW4albi/pHvMgO6qyIE65Fl1nZ0bzF1:DALceZGVoAhGFyIEOldZ011
Malware Config
Extracted
smokeloader
2022
http://metallergroup.ru/
http://infomailforyoumak.ru/
http://coinmakopenarea.su/
http://internetcygane.ru/
http://zallesman.ru/
http://maxteroper.ru/
http://kilomunara.com/
http://napropertyhub.eu/
http://nafillimonilini.net/
http://goodlenuxilam.site/
http://jimloamfilling.online/
http://vertusupportjk.org/
http://liverpulapp.ru/
http://zarabovannyok.eu/
http://cityofuganda.ug/
http://hillespostelnm.eu/
http://humanitarydp.ru/
http://zaikaopentra.com.ru/
http://zaikaopentra-com-ug.su/
http://jslopasitmon.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\weboffice.exe"C:\Users\Admin\AppData\Local\Temp\weboffice.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {F6C69B8E-B0F3-46EC-B8FD-A908A83E6072} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\urtguucC:\Users\Admin\AppData\Roaming\urtguuc2⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
289KB
MD5a7110aaac6cddd884e259c5fcc96cf39
SHA1adf55266ed1a0edd9667a6fcba4197d2e0e88599
SHA2569d2f8abbb0f5b815698996aea136c4956b87e4bf248c2527f8711e78e432ffa2
SHA5129d4027c94a2c53035350646a04e13626953da445c874e9dc203148e9cb82474b122b51ad91cb895cbf3c2173fa352e08d0c13334aaff3cb8a0cab0350edf08ba
-
Filesize
289KB
MD5a7110aaac6cddd884e259c5fcc96cf39
SHA1adf55266ed1a0edd9667a6fcba4197d2e0e88599
SHA2569d2f8abbb0f5b815698996aea136c4956b87e4bf248c2527f8711e78e432ffa2
SHA5129d4027c94a2c53035350646a04e13626953da445c874e9dc203148e9cb82474b122b51ad91cb895cbf3c2173fa352e08d0c13334aaff3cb8a0cab0350edf08ba
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
40KB
-
Filesize
32.1MB
-
Filesize
32.1MB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
32.1MB
-
Filesize
32.1MB