Overview

overview

10

Static

static

10

6e0d5486bb...JC.exe

windows7-x64

10

6e0d5486bb...JC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2023 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238abexe_JC.exe

  • Size

    36KB

  • MD5

    5fa3557102d4401a68eaf267dc293160

  • SHA1

    8592aa9a803b3d8b68a71ede5e1fdf518754c859

  • SHA256

    6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238ab

  • SHA512

    d3ec8431c3fa7f14d5c06d9b48c642cad6b41d61f532a701228c054cca858a7a0e8161f259e81e1267b69e261869c3bd200aa9fcf28c6176b4abe3c2aec30fe2

  • SSDEEP

    384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238abexe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238abexe_JC.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2504
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DAB9D5BC-2AC6-458C-9FBB-9D76FC1B2997} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Roaming\hdrwuji
      C:\Users\Admin\AppData\Roaming\hdrwuji
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: MapViewOfSection
      PID:1632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\hdrwuji
    Filesize

    36KB

    MD5

    5fa3557102d4401a68eaf267dc293160

    SHA1

    8592aa9a803b3d8b68a71ede5e1fdf518754c859

    SHA256

    6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238ab

    SHA512

    d3ec8431c3fa7f14d5c06d9b48c642cad6b41d61f532a701228c054cca858a7a0e8161f259e81e1267b69e261869c3bd200aa9fcf28c6176b4abe3c2aec30fe2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\hdrwuji
    Filesize

    36KB

    MD5

    5fa3557102d4401a68eaf267dc293160

    SHA1

    8592aa9a803b3d8b68a71ede5e1fdf518754c859

    SHA256

    6e0d5486bbb74259d577fb0a9e6613d520d8da5531b7235401fb4adab3b238ab

    SHA512

    d3ec8431c3fa7f14d5c06d9b48c642cad6b41d61f532a701228c054cca858a7a0e8161f259e81e1267b69e261869c3bd200aa9fcf28c6176b4abe3c2aec30fe2

    Download Submit

  • memory/1300-55-0x00000000025A0000-0x00000000025B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1300-65-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1300-69-0x000007FEF5480000-0x000007FEF55C3000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1300-70-0x000007FF68800000-0x000007FF6880A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1300-72-0x000007FEF5480000-0x000007FEF55C3000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1632-64-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1632-66-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2504-54-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2504-56-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download