Overview

overview

10

Static

static

10

0x00060000...19.exe

windows7-x64

10

0x00060000...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/08/2023, 04:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0x0006000000015c2f-119.exe

  • Size

    41KB

  • MD5

    966e3f87d18b25d0b2044e704e3ece7b

  • SHA1

    67df29ea557d4897d35f65b76684bd5551f6570a

  • SHA256

    2b97b07f0ebc338bbcbad650197f4e33e39523fc8ae01fbe4d5f7c3ef23ba5ae

  • SHA512

    90548db33f7471cf2545f61480cbbae6094b028b05b76a232cc3dde3a3827a2471a057407f40ff6b4538dc6b4f90205a66b1d7bd28a7ad8467d6748e14346991

  • SSDEEP

    384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0006000000015c2f-119.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0006000000015c2f-119.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:852
  • C:\Users\Admin\AppData\Local\Temp\8056.exe
    C:\Users\Admin\AppData\Local\Temp\8056.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" .\FYbFY.ZJN
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:884
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FYbFY.ZJN
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2460
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FYbFY.ZJN
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1440
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FYbFY.ZJN
            5⤵
            • Loads dropped DLL
            PID:1020

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\8056.exe
          Filesize

          2.5MB

          MD5

          bcd04c210bcf815b5e1f30a522e00b23

          SHA1

          be8afe6153b771cd460152dfe7c676ec369c6890

          SHA256

          522f981d1b11461056cb59ddc8c6b9d959006b47a1f5680953649a88652640c3

          SHA512

          f809454abd4ff8e20c17180888451df4a646917ff369e37dad63298bba253f407f5cb8f89577fff31dd9ea85077b559a01df6a01b738e5c80931c35a3bce2184

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\8056.exe
          Filesize

          2.5MB

          MD5

          bcd04c210bcf815b5e1f30a522e00b23

          SHA1

          be8afe6153b771cd460152dfe7c676ec369c6890

          SHA256

          522f981d1b11461056cb59ddc8c6b9d959006b47a1f5680953649a88652640c3

          SHA512

          f809454abd4ff8e20c17180888451df4a646917ff369e37dad63298bba253f407f5cb8f89577fff31dd9ea85077b559a01df6a01b738e5c80931c35a3bce2184

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\FYbFY.ZJN
          Filesize

          2.3MB

          MD5

          b3e2f91f483fd9f68bb4fd411dc3765d

          SHA1

          218a41dbd904892300c990ec8a59a0eb0a0ff47d

          SHA256

          2ae008326aa986aa077287858d1f6592526b47055f7a48e8ff2caf4759f09f2b

          SHA512

          e68310996bfa3088d3e107473f8729791ec848f81f00d1a18bded4b4e14303029ca769e7c722c12e0e031aea0cf2c7a4e1355412ed5c7935b6e95e09827f8555

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fYbFY.ZJN
          Filesize

          2.3MB

          MD5

          b3e2f91f483fd9f68bb4fd411dc3765d

          SHA1

          218a41dbd904892300c990ec8a59a0eb0a0ff47d

          SHA256

          2ae008326aa986aa077287858d1f6592526b47055f7a48e8ff2caf4759f09f2b

          SHA512

          e68310996bfa3088d3e107473f8729791ec848f81f00d1a18bded4b4e14303029ca769e7c722c12e0e031aea0cf2c7a4e1355412ed5c7935b6e95e09827f8555

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fYbFY.ZJN
          Filesize

          2.3MB

          MD5

          b3e2f91f483fd9f68bb4fd411dc3765d

          SHA1

          218a41dbd904892300c990ec8a59a0eb0a0ff47d

          SHA256

          2ae008326aa986aa077287858d1f6592526b47055f7a48e8ff2caf4759f09f2b

          SHA512

          e68310996bfa3088d3e107473f8729791ec848f81f00d1a18bded4b4e14303029ca769e7c722c12e0e031aea0cf2c7a4e1355412ed5c7935b6e95e09827f8555

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\fYbFY.ZJN
          Filesize

          2.3MB

          MD5

          b3e2f91f483fd9f68bb4fd411dc3765d

          SHA1

          218a41dbd904892300c990ec8a59a0eb0a0ff47d

          SHA256

          2ae008326aa986aa077287858d1f6592526b47055f7a48e8ff2caf4759f09f2b

          SHA512

          e68310996bfa3088d3e107473f8729791ec848f81f00d1a18bded4b4e14303029ca769e7c722c12e0e031aea0cf2c7a4e1355412ed5c7935b6e95e09827f8555

          Download Submit

        • memory/852-133-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/852-135-0x0000000000400000-0x0000000000409000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1020-170-0x0000000003380000-0x000000000345E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/1020-169-0x0000000003380000-0x000000000345E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/1020-166-0x0000000003380000-0x000000000345E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/1020-165-0x0000000002F10000-0x0000000003007000-memory.dmp

          Filesize

          988KB

          Download

        • memory/1020-163-0x0000000000400000-0x0000000000644000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/1020-162-0x0000000001160000-0x0000000001166000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2460-153-0x00000000026C0000-0x0000000002904000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2460-160-0x0000000002DA0000-0x0000000002E7E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/2460-159-0x0000000002DA0000-0x0000000002E7E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/2460-156-0x0000000002DA0000-0x0000000002E7E000-memory.dmp

          Filesize

          888KB

          Download

        • memory/2460-155-0x0000000002CA0000-0x0000000002D97000-memory.dmp

          Filesize

          988KB

          Download

        • memory/2460-151-0x00000000026C0000-0x0000000002904000-memory.dmp

          Filesize

          2.3MB

          Download

        • memory/2460-152-0x00000000025A0000-0x00000000025A6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3208-134-0x0000000002B30000-0x0000000002B46000-memory.dmp

          Filesize

          88KB

          Download