Overview

overview

10

Static

static

3

17bd26be8f...b4.exe

windows7-x64

10

17bd26be8f...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 04:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    17bd26be8ff1133159cdff41d93d6dc6687388b3c81350dfaa79bbcb8cea41b4.exe

  • Size

    246KB

  • MD5

    59e0a8b4f05bfc3339014f601503e9c8

  • SHA1

    c016e51ea2950d686fdaded1003394ec65e1c74e

  • SHA256

    17bd26be8ff1133159cdff41d93d6dc6687388b3c81350dfaa79bbcb8cea41b4

  • SHA512

    59a2bbc59fdf3dfac42746d8e59deecfe3f6a39d48d7fb823a32b8da0499235cea59c710155c89330196c3ed4ccd9d2d8f84211ee4e3465a64ada72f3be00095

  • SSDEEP

    6144:Gjz4SHy5uoBMFGV5PEkIXEHvZAOTrtSzVs0BC+:vCmuoBMUOMxVgs0BC+

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\17bd26be8ff1133159cdff41d93d6dc6687388b3c81350dfaa79bbcb8cea41b4.exe
    "C:\Users\Admin\AppData\Local\Temp\17bd26be8ff1133159cdff41d93d6dc6687388b3c81350dfaa79bbcb8cea41b4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 272
      2⤵
      • Program crash
      PID:1368
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 768 -ip 768
    1⤵
      PID:4712
    • C:\Users\Admin\AppData\Local\Temp\FD9A.exe
      C:\Users\Admin\AppData\Local\Temp\FD9A.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG8Vz5sR.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG8Vz5sR.exe
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1376
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wI8GV1hb.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wI8GV1hb.exe
          3⤵
          • Executes dropped EXE
          PID:5116
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iX4rG7xq.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\iX4rG7xq.exe
            4⤵
              PID:316
      • C:\Users\Admin\AppData\Local\Temp\74F.exe
        C:\Users\Admin\AppData\Local\Temp\74F.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4468
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          2⤵
            PID:1672
        • C:\Users\Admin\AppData\Local\Temp\F7E.bat
          "C:\Users\Admin\AppData\Local\Temp\F7E.bat"
          1⤵
          • Executes dropped EXE
          PID:4996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4468 -ip 4468
          1⤵
            PID:4128
          • C:\Users\Admin\AppData\Local\Temp\1952.exe
            C:\Users\Admin\AppData\Local\Temp\1952.exe
            1⤵
              PID:692

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\74F.exe
              Filesize

              448KB

              MD5

              96b1ef1f7b02b5dc96c390efc396f229

              SHA1

              710e52258d9f50f314d4de1dbbe124e0c1f0898f

              SHA256

              2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

              SHA512

              804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\74F.exe
              Filesize

              448KB

              MD5

              96b1ef1f7b02b5dc96c390efc396f229

              SHA1

              710e52258d9f50f314d4de1dbbe124e0c1f0898f

              SHA256

              2c2f3977e5594800defaa0633c381d76cd02ea540af507ffbf64e11f71b21bb8

              SHA512

              804694fd1c71f9f1b03aaacf7c2458307e12cd65eda4d0a2363a94b5cb9bb21b1f5f2bb73e2f119e047c9c28623e04567620f7b494244c233d5e53e14b616938

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F7E.bat
              Filesize

              97KB

              MD5

              6b163af84a7f4053a16696f672e44a42

              SHA1

              02fcc16498120b95d5f6c282f8299b65fa27138a

              SHA256

              fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

              SHA512

              941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F7E.bat
              Filesize

              97KB

              MD5

              6b163af84a7f4053a16696f672e44a42

              SHA1

              02fcc16498120b95d5f6c282f8299b65fa27138a

              SHA256

              fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

              SHA512

              941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\F7E.bat
              Filesize

              97KB

              MD5

              6b163af84a7f4053a16696f672e44a42

              SHA1

              02fcc16498120b95d5f6c282f8299b65fa27138a

              SHA256

              fe5c16fdd9a4a01f68d98ff5b0f971b4f420e27d66a700a52c9ad53bea6bd254

              SHA512

              941c1efe71cf43cef79472e3c0ec4929d62385e23df1065fa92629e22073f5521bf117fa35c6adc24d24da46f5b2de99d4590188c8f310eb42f5fb888b7b5f21

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FD9A.exe
              Filesize

              1.2MB

              MD5

              058d9f66f904c82d39a0a6b3a4121e93

              SHA1

              87a5b194ab797cfd4c74d9dee8d7ad3c76687c6d

              SHA256

              5b9550c2804391432f7b4bbd37aec1c8d835099706539612582dbccb2303d39e

              SHA512

              4898932b1882cb4ec07164d0e475d418d1aa2d80c7c4382ded33b08cb42ad256746db8454b730468804580d1c2095758287236844b8c42e9db910519a2743df6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\FD9A.exe
              Filesize

              1.2MB

              MD5

              058d9f66f904c82d39a0a6b3a4121e93

              SHA1

              87a5b194ab797cfd4c74d9dee8d7ad3c76687c6d

              SHA256

              5b9550c2804391432f7b4bbd37aec1c8d835099706539612582dbccb2303d39e

              SHA512

              4898932b1882cb4ec07164d0e475d418d1aa2d80c7c4382ded33b08cb42ad256746db8454b730468804580d1c2095758287236844b8c42e9db910519a2743df6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG8Vz5sR.exe
              Filesize

              1.1MB

              MD5

              2d7034090f894fe7c462c890e56ad912

              SHA1

              16c2b8c79bf89d5765dd059158fa01ef68009568

              SHA256

              a8aa41259dada6c4bfb1c0ad86185887a3430d7f7427b1f205d2134155feaf7e

              SHA512

              04f779721945a896dceacca254477c99a2c6ddd5206944abb7d73d84e78323424ea12150b7d0f74eebaa52131e81ad509a25b88a05d1b675bab7bc66cf17cea6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kG8Vz5sR.exe
              Filesize

              1.1MB

              MD5

              2d7034090f894fe7c462c890e56ad912

              SHA1

              16c2b8c79bf89d5765dd059158fa01ef68009568

              SHA256

              a8aa41259dada6c4bfb1c0ad86185887a3430d7f7427b1f205d2134155feaf7e

              SHA512

              04f779721945a896dceacca254477c99a2c6ddd5206944abb7d73d84e78323424ea12150b7d0f74eebaa52131e81ad509a25b88a05d1b675bab7bc66cf17cea6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wI8GV1hb.exe
              Filesize

              947KB

              MD5

              12b3221471eba9e933de6dba3975c1ae

              SHA1

              5b1b70053390972b985f73b4babf736f09cc6a06

              SHA256

              c69787000aed22c5851fe5372ff730f7ca504ddb49a9e439e0f3f9b0dc7e3bdb

              SHA512

              b672564d85f056361f87fd31c4c579746e9c9fa3eaeb1f83686d6341840261f5d08f397a28ee3eb92fae1895b6041f8e39a1a6422d98dbd61af652d459721228

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wI8GV1hb.exe
              Filesize

              947KB

              MD5

              12b3221471eba9e933de6dba3975c1ae

              SHA1

              5b1b70053390972b985f73b4babf736f09cc6a06

              SHA256

              c69787000aed22c5851fe5372ff730f7ca504ddb49a9e439e0f3f9b0dc7e3bdb

              SHA512

              b672564d85f056361f87fd31c4c579746e9c9fa3eaeb1f83686d6341840261f5d08f397a28ee3eb92fae1895b6041f8e39a1a6422d98dbd61af652d459721228

              Download Submit

            • memory/1672-37-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1672-42-0x0000000000400000-0x0000000000433000-memory.dmp

              Filesize

              204KB

              Download

            • memory/1980-2-0x0000000002860000-0x0000000002876000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4140-0-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4140-5-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download

            • memory/4140-1-0x0000000000400000-0x0000000000409000-memory.dmp

              Filesize

              36KB

              Download