Overview

overview

10

Static

static

3

e2c5a2ced4...12.exe

windows7-x64

10

e2c5a2ced4...12.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    74s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 04:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2c5a2ced4565ddbc0f6084082b497d80861b089ee00af4b1673fb65c5cc9912.exe

  • Size

    246KB

  • MD5

    b99ab7ce474e836bdae5779ab699f533

  • SHA1

    4c5ed4c63a970ffe9aebed11cd02906fdb022f4a

  • SHA256

    e2c5a2ced4565ddbc0f6084082b497d80861b089ee00af4b1673fb65c5cc9912

  • SHA512

    0ad760d516788c1c6163ccf85282fb1834fc1e09d5d92801b3ffd603ffd5c57d71372883ddff55b2e8885f0e33cc894c19af71c37ab59c03c328f5711cd027e3

  • SSDEEP

    6144:Z0z4SHy5uoBMFGV5PEkIXEHvZAObSVs0BC+:dCmuoBMUOMxZqs0BC+

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2c5a2ced4565ddbc0f6084082b497d80861b089ee00af4b1673fb65c5cc9912.exe
    "C:\Users\Admin\AppData\Local\Temp\e2c5a2ced4565ddbc0f6084082b497d80861b089ee00af4b1673fb65c5cc9912.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:3288
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        2⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:3744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 268
        2⤵
        • Program crash
        PID:2808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4920 -ip 4920
      1⤵
        PID:4796
      • C:\Users\Admin\AppData\Local\Temp\E7B0.exe
        C:\Users\Admin\AppData\Local\Temp\E7B0.exe
        1⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2856
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pJ4QS1xy.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pJ4QS1xy.exe
          2⤵
          • Executes dropped EXE
          PID:2728
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\As9gM9GN.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\As9gM9GN.exe
            3⤵
              PID:3840
              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ux1sa7sj.exe
                C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ux1sa7sj.exe
                4⤵
                  PID:2764
                  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qo6FF0zQ.exe
                    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qo6FF0zQ.exe
                    5⤵
                      PID:4996
                      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gY87tN9.exe
                        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gY87tN9.exe
                        6⤵
                          PID:1844
              • C:\Users\Admin\AppData\Local\Temp\EE49.exe
                C:\Users\Admin\AppData\Local\Temp\EE49.exe
                1⤵
                  PID:2868
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    2⤵
                      PID:2940
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                      2⤵
                        PID:5024
                    • C:\Users\Admin\AppData\Local\Temp\EF25.bat
                      "C:\Users\Admin\AppData\Local\Temp\EF25.bat"
                      1⤵
                        PID:2092
                      • C:\Users\Admin\AppData\Local\Temp\F158.exe
                        C:\Users\Admin\AppData\Local\Temp\F158.exe
                        1⤵
                          PID:5012

                        Network

                        MITRE ATT&CK Enterprise v15

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\E7B0.exe
                          Filesize

                          1.3MB

                          MD5

                          44982523b6322901fba978e54265f9f0

                          SHA1

                          a1528c63e1f1e80ea2427af6809cfe6232a7a665

                          SHA256

                          f8a7926eb0032c34d2b36ed264f4e156510f543a7dde7a344c28441e42107ba4

                          SHA512

                          5c4a167924f7058f8d4d481628b7beeb98d7ac81504df83860659f491ed3584f9c87d7efa2f00ed2cd64d9e2cf41a8ec83c1f517d98c3e27df4f50403e73cb45

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\E7B0.exe
                          Filesize

                          1.3MB

                          MD5

                          44982523b6322901fba978e54265f9f0

                          SHA1

                          a1528c63e1f1e80ea2427af6809cfe6232a7a665

                          SHA256

                          f8a7926eb0032c34d2b36ed264f4e156510f543a7dde7a344c28441e42107ba4

                          SHA512

                          5c4a167924f7058f8d4d481628b7beeb98d7ac81504df83860659f491ed3584f9c87d7efa2f00ed2cd64d9e2cf41a8ec83c1f517d98c3e27df4f50403e73cb45

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\EE49.exe
                          Filesize

                          448KB

                          MD5

                          944bea58be1a10ac8985febf4b77a035

                          SHA1

                          24de9c06ea67404df01a9bc2b4d9a97a767708d9

                          SHA256

                          2abda544bc6150b51cb2baa74980845fc315eae84568c5ebe5c6e4c7f4a048c6

                          SHA512

                          d2664e145df66901040b46d7efc4f4c30cc26b2de90ee711ba29b8b5807f24600fd89e6850dd40abe4f128298fa834d2cc7d6a07cb662144651a549d66a32c20

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\EE49.exe
                          Filesize

                          448KB

                          MD5

                          944bea58be1a10ac8985febf4b77a035

                          SHA1

                          24de9c06ea67404df01a9bc2b4d9a97a767708d9

                          SHA256

                          2abda544bc6150b51cb2baa74980845fc315eae84568c5ebe5c6e4c7f4a048c6

                          SHA512

                          d2664e145df66901040b46d7efc4f4c30cc26b2de90ee711ba29b8b5807f24600fd89e6850dd40abe4f128298fa834d2cc7d6a07cb662144651a549d66a32c20

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\EF25.bat
                          Filesize

                          97KB

                          MD5

                          56102c29c3ba3ab7dc52edfa53148449

                          SHA1

                          eb27c50291630d1bad9a5b50e402fe3eb25b6524

                          SHA256

                          76dc1df76f441f4af5679684042e4c69a57ae7bb435cb67949a4a8457964dad8

                          SHA512

                          347904ad1df9a267718222c28ab4e98b504b01d39369aa082932ecd1f86ac703ef0e1f52268e0aac15f83678990593a6bdf0932bf861ed76ca8462e520ffb454

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\EF25.bat
                          Filesize

                          97KB

                          MD5

                          56102c29c3ba3ab7dc52edfa53148449

                          SHA1

                          eb27c50291630d1bad9a5b50e402fe3eb25b6524

                          SHA256

                          76dc1df76f441f4af5679684042e4c69a57ae7bb435cb67949a4a8457964dad8

                          SHA512

                          347904ad1df9a267718222c28ab4e98b504b01d39369aa082932ecd1f86ac703ef0e1f52268e0aac15f83678990593a6bdf0932bf861ed76ca8462e520ffb454

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\EF25.bat
                          Filesize

                          97KB

                          MD5

                          56102c29c3ba3ab7dc52edfa53148449

                          SHA1

                          eb27c50291630d1bad9a5b50e402fe3eb25b6524

                          SHA256

                          76dc1df76f441f4af5679684042e4c69a57ae7bb435cb67949a4a8457964dad8

                          SHA512

                          347904ad1df9a267718222c28ab4e98b504b01d39369aa082932ecd1f86ac703ef0e1f52268e0aac15f83678990593a6bdf0932bf861ed76ca8462e520ffb454

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\F158.exe
                          Filesize

                          489KB

                          MD5

                          f6c94ae2ff77f8c6fa3779b6b0bab65e

                          SHA1

                          c35c11cd4af852a9f7bff44f7eab8468466f59e5

                          SHA256

                          07d2e23aedf691b23480577e3632327b34e1e616f211d907e8a02676a872e77d

                          SHA512

                          c0018dbb636d1b8324c27425f34b391f5d1c6dad07ea473f66f28cf64bdff6c196db31633464bb04aaf6318fbff5cf427b06a2847f5d77697402faba75589e6d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\F158.exe
                          Filesize

                          489KB

                          MD5

                          f6c94ae2ff77f8c6fa3779b6b0bab65e

                          SHA1

                          c35c11cd4af852a9f7bff44f7eab8468466f59e5

                          SHA256

                          07d2e23aedf691b23480577e3632327b34e1e616f211d907e8a02676a872e77d

                          SHA512

                          c0018dbb636d1b8324c27425f34b391f5d1c6dad07ea473f66f28cf64bdff6c196db31633464bb04aaf6318fbff5cf427b06a2847f5d77697402faba75589e6d

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pJ4QS1xy.exe
                          Filesize

                          1.1MB

                          MD5

                          391a22f8b7d960b0a8b53258d9008d5c

                          SHA1

                          a6d36af2db5dcfeb1f0b2b94086bd921462c81b5

                          SHA256

                          24878574774d261f2e2ee7095ab3cd88be4ff44b085e99d8ecda84dd085f7eed

                          SHA512

                          54749dcdcfda6984ac1eb9e1c501897d28e087fb33c55d828ff8b480225487f9613fe206fa8754e412f401048fbc29d53966bbf2094aff7e74bfbabda09a4fab

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pJ4QS1xy.exe
                          Filesize

                          1.1MB

                          MD5

                          391a22f8b7d960b0a8b53258d9008d5c

                          SHA1

                          a6d36af2db5dcfeb1f0b2b94086bd921462c81b5

                          SHA256

                          24878574774d261f2e2ee7095ab3cd88be4ff44b085e99d8ecda84dd085f7eed

                          SHA512

                          54749dcdcfda6984ac1eb9e1c501897d28e087fb33c55d828ff8b480225487f9613fe206fa8754e412f401048fbc29d53966bbf2094aff7e74bfbabda09a4fab

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\As9gM9GN.exe
                          Filesize

                          950KB

                          MD5

                          4596d5f1efe5756adfe9272a391883f6

                          SHA1

                          e7358159f2574db2ae8b5979daddc0a9e6bb8035

                          SHA256

                          d18b88f7b11df560341050bf3de8c296c20596440a0b05713a39add49f2b4d8c

                          SHA512

                          c0305fe17cc01e52adafbd0f6861965ac5f7b2ce458589a4970fb340c69a5c523505378515b8c0a629dcc23e683ce44b609d5df6f59574d9f29086024a78ed88

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\As9gM9GN.exe
                          Filesize

                          950KB

                          MD5

                          4596d5f1efe5756adfe9272a391883f6

                          SHA1

                          e7358159f2574db2ae8b5979daddc0a9e6bb8035

                          SHA256

                          d18b88f7b11df560341050bf3de8c296c20596440a0b05713a39add49f2b4d8c

                          SHA512

                          c0305fe17cc01e52adafbd0f6861965ac5f7b2ce458589a4970fb340c69a5c523505378515b8c0a629dcc23e683ce44b609d5df6f59574d9f29086024a78ed88

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ux1sa7sj.exe
                          Filesize

                          646KB

                          MD5

                          1b337811ad31717f132477d32397aa24

                          SHA1

                          27ab353e6cae42375eadc05c7d7134139c05afb9

                          SHA256

                          24c756308b2846d10c9701d5a530780f53bff6e182f79e0469b8b60a48a4b16d

                          SHA512

                          7c7cb268cbab5351deac42b9619e37618887a2de5be1c8a38b43bb92f9fdef6c3681a65a5e0f9e365bb35d858e1ca56d8d04f84d0682c39106aadbafa5904e86

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ux1sa7sj.exe
                          Filesize

                          646KB

                          MD5

                          1b337811ad31717f132477d32397aa24

                          SHA1

                          27ab353e6cae42375eadc05c7d7134139c05afb9

                          SHA256

                          24c756308b2846d10c9701d5a530780f53bff6e182f79e0469b8b60a48a4b16d

                          SHA512

                          7c7cb268cbab5351deac42b9619e37618887a2de5be1c8a38b43bb92f9fdef6c3681a65a5e0f9e365bb35d858e1ca56d8d04f84d0682c39106aadbafa5904e86

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qo6FF0zQ.exe
                          Filesize

                          451KB

                          MD5

                          6d3fb6dc9b6280b802428b040d361db9

                          SHA1

                          3cf2dc4af702f0b78924a2b9e0fd325c61e39d23

                          SHA256

                          e321bc1ceb25fc170166e23114fc67caf6e3f8065f254686733eb325b675bb5c

                          SHA512

                          d41ee76063cb2b0e077723239417f6ccdade3295b19fa36d1def1aa60c339510e6c95319522489badc1d025732df63eb9f2df303878155fd56e215670f8e80e5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\qo6FF0zQ.exe
                          Filesize

                          451KB

                          MD5

                          6d3fb6dc9b6280b802428b040d361db9

                          SHA1

                          3cf2dc4af702f0b78924a2b9e0fd325c61e39d23

                          SHA256

                          e321bc1ceb25fc170166e23114fc67caf6e3f8065f254686733eb325b675bb5c

                          SHA512

                          d41ee76063cb2b0e077723239417f6ccdade3295b19fa36d1def1aa60c339510e6c95319522489badc1d025732df63eb9f2df303878155fd56e215670f8e80e5

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gY87tN9.exe
                          Filesize

                          448KB

                          MD5

                          e9a21e3954a1f3fb17c71aea6c431e0f

                          SHA1

                          b51a4071b66b2bd01eab447bd1ca65a0de926dab

                          SHA256

                          7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

                          SHA512

                          fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1gY87tN9.exe
                          Filesize

                          448KB

                          MD5

                          e9a21e3954a1f3fb17c71aea6c431e0f

                          SHA1

                          b51a4071b66b2bd01eab447bd1ca65a0de926dab

                          SHA256

                          7067940e0d3cfd438d956a788505234cddeb7162709e35f5395907b8f92ba9c7

                          SHA512

                          fe9340a07c208265bef1fee4ba0eef463ad69bfb025e760e1ee924e6a538e4a92ad1da96ea717d888725794350b3c6a04e70ae57771c699565feadccdf2b4f3e

                          Download Submit

                        • memory/3228-2-0x0000000000AA0000-0x0000000000AB6000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/3744-1-0x0000000000400000-0x0000000000409000-memory.dmp

                          Filesize

                          36KB

                          Download

                        • memory/3744-5-0x0000000000400000-0x0000000000409000-memory.dmp

                          Filesize

                          36KB

                          Download

                        • memory/3744-0-0x0000000000400000-0x0000000000409000-memory.dmp

                          Filesize

                          36KB

                          Download