Overview

overview

10

Static

static

3

e1d04ea9b2...9d.exe

windows7-x64

10

e1d04ea9b2...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 05:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e1d04ea9b2999651b365830ab57ff89d.exe

  • Size

    246KB

  • MD5

    e1d04ea9b2999651b365830ab57ff89d

  • SHA1

    7fc1f5a92e66620e66e8d4d0f17704040d879a95

  • SHA256

    e70377f317976aa7fa721c3c2e0b6f9e14169cd16ac11c85f18aefba6f13548a

  • SHA512

    c6f6dd3eadef96588a0d42ed1dced6894093d3fe017084b088a176a5d50379ea2eb1cad2ccff04d057258b54d28b3f113a9b528c12b012c3c204a8623b26c803

  • SSDEEP

    6144:WXz4SHy5uoBMFGV5PEkIXEHvZAOvRpnXVs0BC+:vCmuoBMUOMxh1s0BC+

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1d04ea9b2999651b365830ab57ff89d.exe
    "C:\Users\Admin\AppData\Local\Temp\e1d04ea9b2999651b365830ab57ff89d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2784
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 148
      2⤵
      • Program crash
      PID:3396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2396 -ip 2396
    1⤵
      PID:2172
    • C:\Users\Admin\AppData\Local\Temp\DA43.exe
      C:\Users\Admin\AppData\Local\Temp\DA43.exe
      1⤵
      • Executes dropped EXE
      PID:3200
    • C:\Users\Admin\AppData\Local\Temp\EF24.exe
      C:\Users\Admin\AppData\Local\Temp\EF24.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
          PID:4136
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          2⤵
            PID:632
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            2⤵
              PID:3940
          • C:\Users\Admin\AppData\Local\Temp\F80E.bat
            "C:\Users\Admin\AppData\Local\Temp\F80E.bat"
            1⤵
            • Executes dropped EXE
            PID:744
          • C:\Users\Admin\AppData\Local\Temp\FD4F.exe
            C:\Users\Admin\AppData\Local\Temp\FD4F.exe
            1⤵
            • Executes dropped EXE
            PID:1652
          • C:\Users\Admin\AppData\Local\Temp\31C.exe
            C:\Users\Admin\AppData\Local\Temp\31C.exe
            1⤵
              PID:5108

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\DA43.exe
              Filesize

              1.3MB

              MD5

              11e55586a1c9957b5ef1ca8eae7eb1d1

              SHA1

              fa8390c9662d22223eca762e4cc923379073c942

              SHA256

              88ad234ee3b3259a7f9260b8939f12199dac6cf9e75c39764093455bcb8431b2

              SHA512

              12ef1f3c9f45eb7047aa3e1a38df3a6f729deb07b832eda59c1eeba52a85cb86ae0502fc01d19d7514817eff7cee2cb1bafc043feb65c86fc6f00fc99ee4abfe

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\DA43.exe
              Filesize

              1.3MB

              MD5

              11e55586a1c9957b5ef1ca8eae7eb1d1

              SHA1

              fa8390c9662d22223eca762e4cc923379073c942

              SHA256

              88ad234ee3b3259a7f9260b8939f12199dac6cf9e75c39764093455bcb8431b2

              SHA512

              12ef1f3c9f45eb7047aa3e1a38df3a6f729deb07b832eda59c1eeba52a85cb86ae0502fc01d19d7514817eff7cee2cb1bafc043feb65c86fc6f00fc99ee4abfe

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\EF24.exe
              Filesize

              407KB

              MD5

              9634c504f71e61702400626e6bf08115

              SHA1

              2a43a748891053653f4e6f086e8cdad9d0427e14

              SHA256

              624523de4ca9e421e57cfeb51ef243a32a469ab547ab884e0db3befe6383fa7b

              SHA512

              c9f2891fc451d63cf3070abe4e64b10ca3e65bc92cf4733f7f9d455b8810e558cafdf38345166ba098580e61bcf265a0193abbdfb793eb42c17e3b2d55dfcbd2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\EF24.exe
              Filesize

              407KB

              MD5

              9634c504f71e61702400626e6bf08115

              SHA1

              2a43a748891053653f4e6f086e8cdad9d0427e14

              SHA256

              624523de4ca9e421e57cfeb51ef243a32a469ab547ab884e0db3befe6383fa7b

              SHA512

              c9f2891fc451d63cf3070abe4e64b10ca3e65bc92cf4733f7f9d455b8810e558cafdf38345166ba098580e61bcf265a0193abbdfb793eb42c17e3b2d55dfcbd2

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F80E.bat
              Filesize

              97KB

              MD5

              3039dc5c244eb1d05d148d7a8564762c

              SHA1

              389e4b3dd42508514ab9ed6e036cccd76a1832ba

              SHA256

              768d0f7284c83bf2136191453781945d95cc5432a21c8b2548f09f8f838e194e

              SHA512

              67d3d9fe5191c611f3cdbf883b54a06c249a6fe9bc35afceaa08a4c2a1c0058781794435e14b19dd4d0ef4481af01a266f7814eabee90d4fc2706b9ba493457d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F80E.bat
              Filesize

              97KB

              MD5

              3039dc5c244eb1d05d148d7a8564762c

              SHA1

              389e4b3dd42508514ab9ed6e036cccd76a1832ba

              SHA256

              768d0f7284c83bf2136191453781945d95cc5432a21c8b2548f09f8f838e194e

              SHA512

              67d3d9fe5191c611f3cdbf883b54a06c249a6fe9bc35afceaa08a4c2a1c0058781794435e14b19dd4d0ef4481af01a266f7814eabee90d4fc2706b9ba493457d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FD4F.exe
              Filesize

              463KB

              MD5

              34a2f8f4d5572b4f6a20ab4d8f31f520

              SHA1

              91d3a6e057299e9158c931429c9a08a52b550b6d

              SHA256

              dcc05d8f34d776cf2257fa68096df5708fe6f2c4c4aa63bcd7e424a4c8d75d2a

              SHA512

              35a8b506e0fd966027c4cc9c936a0a45b26ca1423afda3124e0f9d0dd43bb46a4ba8ca31ffef0180a5285d98c0b21f1f1f7b3fac60f6328d4c32b8e143691197

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FD4F.exe
              Filesize

              463KB

              MD5

              34a2f8f4d5572b4f6a20ab4d8f31f520

              SHA1

              91d3a6e057299e9158c931429c9a08a52b550b6d

              SHA256

              dcc05d8f34d776cf2257fa68096df5708fe6f2c4c4aa63bcd7e424a4c8d75d2a

              SHA512

              35a8b506e0fd966027c4cc9c936a0a45b26ca1423afda3124e0f9d0dd43bb46a4ba8ca31ffef0180a5285d98c0b21f1f1f7b3fac60f6328d4c32b8e143691197

              Download Submit

            • memory/412-2-0x00000000030A0000-0x00000000030B6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/2784-1-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/2784-0-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/2784-5-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download