Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    29/08/2023, 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    30KB

  • MD5

    35a15fad3767597b01a20d75c3c6889a

  • SHA1

    eef19e2757667578f73c4b5720cf94c2ab6e60c8

  • SHA256

    90ccd84f28e4dd03fb70b8739c4636acbcf8a030404b5a24264afd1acd09ecbc

  • SHA512

    c1ea2659e28130f00869391a33dfdc2a763a710a56de2acaa6c71caa9c1eb5809e7ca1dfa1620ac5c3174052d3e277b832853a137a4663483855295fdab23577

  • SSDEEP

    384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1900
  • C:\Users\Admin\AppData\Local\Temp\711B.exe
    C:\Users\Admin\AppData\Local\Temp\711B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /u EKbLw8.S -S
      2⤵
      • Loads dropped DLL
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\711B.exe
    Filesize

    2.9MB

    MD5

    8e28480f46d96df481b8b1fd2bb86b80

    SHA1

    d1460bb42885a64597cbb150cf0188510893d3fc

    SHA256

    4a7bfd4be9c6237cfcb79e75f3448d12695eb6e601325cd52693cb2918b0dd5f

    SHA512

    6663fb58db24713b8717752e9631577d4576ca12a8f2659519186aae68d31f613082751d7881215cc7b4c3ebf1225943861c86643cffc507090e4ad28ae3e25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\711B.exe
    Filesize

    2.9MB

    MD5

    8e28480f46d96df481b8b1fd2bb86b80

    SHA1

    d1460bb42885a64597cbb150cf0188510893d3fc

    SHA256

    4a7bfd4be9c6237cfcb79e75f3448d12695eb6e601325cd52693cb2918b0dd5f

    SHA512

    6663fb58db24713b8717752e9631577d4576ca12a8f2659519186aae68d31f613082751d7881215cc7b4c3ebf1225943861c86643cffc507090e4ad28ae3e25a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\EKbLw8.S
    Filesize

    2.6MB

    MD5

    5ddcf83e32289ba201ed4f506d2931d1

    SHA1

    df1757e8c529343ce5c0cdc757859fa2903fcb01

    SHA256

    2b45a4b650ea3ff1368fa5bc5f01ef6d0941e675c05721736f94d7b3f4bbcffc

    SHA512

    5ff5b0b417db4ca8524b02a0c8a35e9f3428f495b1ae1344dc8310576650fc928b07382d33f4b54aa7bbe18b5c2a157170b3f4a0209be5d76337b5b82bbf5d0c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\EKblw8.s
    Filesize

    2.6MB

    MD5

    5ddcf83e32289ba201ed4f506d2931d1

    SHA1

    df1757e8c529343ce5c0cdc757859fa2903fcb01

    SHA256

    2b45a4b650ea3ff1368fa5bc5f01ef6d0941e675c05721736f94d7b3f4bbcffc

    SHA512

    5ff5b0b417db4ca8524b02a0c8a35e9f3428f495b1ae1344dc8310576650fc928b07382d33f4b54aa7bbe18b5c2a157170b3f4a0209be5d76337b5b82bbf5d0c

    Download Submit

  • memory/1264-1-0x00000000021E0000-0x00000000021F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/1900-2-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1900-0-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2736-17-0x0000000002010000-0x00000000022A5000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2736-18-0x0000000000190000-0x0000000000196000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2736-19-0x0000000002010000-0x00000000022A5000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2736-21-0x00000000022B0000-0x00000000023BB000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2736-22-0x00000000026E0000-0x00000000027D3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2736-23-0x00000000026E0000-0x00000000027D3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2736-25-0x00000000026E0000-0x00000000027D3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/2736-26-0x00000000026E0000-0x00000000027D3000-memory.dmp

    Filesize

    972KB

    Download