Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    236s
  • max time network
    252s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 07:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.0MB

  • MD5

    6b043f7b06e1cd30fd2cb9c027c2e49e

  • SHA1

    0f43fe7998c933a625ef9415599c3fc30652fb3b

  • SHA256

    be9d5bb1cec536aa80f16fcc1f9c5d4245d2e9bda7c8c15ca417a12526d43c2c

  • SHA512

    d1738abf081485079d4e0e3aee557b1ce660b5b520991ea5eedf37bf16f29ab1c77c9d0634174d69167c17c3aea0dc9682d46cdb3a5d53e154c11e003d46671d

  • SSDEEP

    24576:myFOdL0IdHppyQOjw/f2i5hnZiYKVp793JSXz/LK:1FOl0IpyQZfDfY/v0z/L

Score
10/10
smokeloaderbackdoorevasionpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3320
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0lD55.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0lD55.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nj0BH71.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nj0BH71.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4564
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VD5it37.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VD5it37.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4828
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mr82Vy3.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mr82Vy3.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4848
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1424
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 580
              6⤵
              • Program crash
              PID:1372
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AQ3440.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AQ3440.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:1356
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                  PID:2424
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 540
                    7⤵
                    • Program crash
                    PID:3380
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 572
                  6⤵
                  • Program crash
                  PID:3416
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pW43Gr.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pW43Gr.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4568
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                5⤵
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:3648
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 152
                5⤵
                • Program crash
                PID:1940
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4848 -ip 4848
        1⤵
          PID:5112
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4004 -ip 4004
          1⤵
            PID:2928
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2424 -ip 2424
            1⤵
              PID:2096
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4568 -ip 4568
              1⤵
                PID:2176
              • C:\Users\Admin\AppData\Local\Temp\32B5.exe
                C:\Users\Admin\AppData\Local\Temp\32B5.exe
                1⤵
                • Executes dropped EXE
                • Adds Run key to start application
                PID:1724

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\32B5.exe
                Filesize

                1.2MB

                MD5

                78c70aee6aae0b8c606e6c90a09c51ad

                SHA1

                34a0034d4b07ee3da7e1ea191c0a3917c743605d

                SHA256

                f52a505f073b254b420b4b7ec62e0afef3e799f137c5b49b2e4afe391666c82d

                SHA512

                7182d21ee2af2351023ffb0c050cf8ec06590f5d25b5a3ea5b2b0c5ddcb7eb68d5cf202d1819e3dda562821b320e6fc7a8fa9a65772590da026bdeabdf4eb636

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\32B5.exe
                Filesize

                1.2MB

                MD5

                78c70aee6aae0b8c606e6c90a09c51ad

                SHA1

                34a0034d4b07ee3da7e1ea191c0a3917c743605d

                SHA256

                f52a505f073b254b420b4b7ec62e0afef3e799f137c5b49b2e4afe391666c82d

                SHA512

                7182d21ee2af2351023ffb0c050cf8ec06590f5d25b5a3ea5b2b0c5ddcb7eb68d5cf202d1819e3dda562821b320e6fc7a8fa9a65772590da026bdeabdf4eb636

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0lD55.exe
                Filesize

                909KB

                MD5

                ba42e20d227b4c0e8c235a03d247f150

                SHA1

                a14a6f290e540d57dda0fc46c4b9097c43ddb110

                SHA256

                02e51d503a0b527652b4c056faf3c5aeada709b8081f414c54208d2884181daa

                SHA512

                3ec45774915168905c7aa27314c2e892d3dbf40a83f2118d6758b183a3cdb7b789282f0f8aeb2135519765396f970f116ec5819b36735d0a15525202dfe6e36b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DB0lD55.exe
                Filesize

                909KB

                MD5

                ba42e20d227b4c0e8c235a03d247f150

                SHA1

                a14a6f290e540d57dda0fc46c4b9097c43ddb110

                SHA256

                02e51d503a0b527652b4c056faf3c5aeada709b8081f414c54208d2884181daa

                SHA512

                3ec45774915168905c7aa27314c2e892d3dbf40a83f2118d6758b183a3cdb7b789282f0f8aeb2135519765396f970f116ec5819b36735d0a15525202dfe6e36b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nj0BH71.exe
                Filesize

                621KB

                MD5

                92e4574bc98d05528c9c42167f630971

                SHA1

                3303dd8f823690c169d49492c1ea52d784796d25

                SHA256

                a17673d87dac3dbdf22ba7601f959b161afbcf2a2791590cf805068f7148b759

                SHA512

                d16938abaf4b19c97451d9332087c97a3cb1c0ec7887c3b32e9a8641336bc54d686e8cb9fcbf5d515932de53017735a7ca1892ae1ae453123a4edad3f0132cbe

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nj0BH71.exe
                Filesize

                621KB

                MD5

                92e4574bc98d05528c9c42167f630971

                SHA1

                3303dd8f823690c169d49492c1ea52d784796d25

                SHA256

                a17673d87dac3dbdf22ba7601f959b161afbcf2a2791590cf805068f7148b759

                SHA512

                d16938abaf4b19c97451d9332087c97a3cb1c0ec7887c3b32e9a8641336bc54d686e8cb9fcbf5d515932de53017735a7ca1892ae1ae453123a4edad3f0132cbe

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pW43Gr.exe
                Filesize

                255KB

                MD5

                06c57b862c23f3b3df90853c15d91674

                SHA1

                80b1bdcb20098d0d85c36c0a9aaad8eeb5c59545

                SHA256

                aa2d5b7443a4b58a2f12f0eb47046ff2e3c900fbcdbee2d9b85eb52284891c77

                SHA512

                500e22fbee6480b5f7e4d41047d9eec14dad4cfff781c09067aac37bfccbba6985734c136b81408708e3bc81dd301e65add401818c54cd85ed7e6e2c1f2bbf8e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3pW43Gr.exe
                Filesize

                255KB

                MD5

                06c57b862c23f3b3df90853c15d91674

                SHA1

                80b1bdcb20098d0d85c36c0a9aaad8eeb5c59545

                SHA256

                aa2d5b7443a4b58a2f12f0eb47046ff2e3c900fbcdbee2d9b85eb52284891c77

                SHA512

                500e22fbee6480b5f7e4d41047d9eec14dad4cfff781c09067aac37bfccbba6985734c136b81408708e3bc81dd301e65add401818c54cd85ed7e6e2c1f2bbf8e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VD5it37.exe
                Filesize

                382KB

                MD5

                00b2832b8c738ae03c71614a8c020e84

                SHA1

                0daf365f2db562a88c502915c3d635308b661329

                SHA256

                500e453ddcb616d01b5214dfacc22541de70ee4402b126d6bb9680ce8086b8d4

                SHA512

                f63e240c2970b9eff6be47025b41f0040d07ea17efac194fde1dfe9d42f45127030e7909f729c2f55b117ee31f820a042c830c9de9a236b3fb61fe9e1bd50431

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\VD5it37.exe
                Filesize

                382KB

                MD5

                00b2832b8c738ae03c71614a8c020e84

                SHA1

                0daf365f2db562a88c502915c3d635308b661329

                SHA256

                500e453ddcb616d01b5214dfacc22541de70ee4402b126d6bb9680ce8086b8d4

                SHA512

                f63e240c2970b9eff6be47025b41f0040d07ea17efac194fde1dfe9d42f45127030e7909f729c2f55b117ee31f820a042c830c9de9a236b3fb61fe9e1bd50431

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mr82Vy3.exe
                Filesize

                237KB

                MD5

                677d51755f3b271dfec873b7aa9feb57

                SHA1

                4551cef3d30ff8e8e9b08631f1e0bfefb9d69a8d

                SHA256

                2c4924323f046045c48eb80d9df482a34395ff0cf40b1c8745bfb3fb1b73ccac

                SHA512

                49ed6ce0f83dffcf80fd7865205dfbcffe40a2aab0a66ace740ab9f33898cb64364299c93e8fdbc0dce79edc2cd52ce95b476d40fb61db4b712ee958b3958e5a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Mr82Vy3.exe
                Filesize

                237KB

                MD5

                677d51755f3b271dfec873b7aa9feb57

                SHA1

                4551cef3d30ff8e8e9b08631f1e0bfefb9d69a8d

                SHA256

                2c4924323f046045c48eb80d9df482a34395ff0cf40b1c8745bfb3fb1b73ccac

                SHA512

                49ed6ce0f83dffcf80fd7865205dfbcffe40a2aab0a66ace740ab9f33898cb64364299c93e8fdbc0dce79edc2cd52ce95b476d40fb61db4b712ee958b3958e5a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AQ3440.exe
                Filesize

                407KB

                MD5

                b2e7c95607ba382b0e0a984efe95575c

                SHA1

                5715d499a45102b06d97af43eac9bd8b378cd323

                SHA256

                ba4e59b62a4c072bda2e8aaf5c551c633f361bfa3d65bc0e2abf53f8d6cbc86f

                SHA512

                62d5d90563db5dd27e8c7f82760654e1bb72771d33b78500d49ec5eff6927468beeee323ef45e4ce442e514c60d1d9fba544ebbb8f2e6fc4d5cfb1e9b7817f46

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2AQ3440.exe
                Filesize

                407KB

                MD5

                b2e7c95607ba382b0e0a984efe95575c

                SHA1

                5715d499a45102b06d97af43eac9bd8b378cd323

                SHA256

                ba4e59b62a4c072bda2e8aaf5c551c633f361bfa3d65bc0e2abf53f8d6cbc86f

                SHA512

                62d5d90563db5dd27e8c7f82760654e1bb72771d33b78500d49ec5eff6927468beeee323ef45e4ce442e514c60d1d9fba544ebbb8f2e6fc4d5cfb1e9b7817f46

                Download Submit

              • memory/1424-30-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1424-28-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/1424-29-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1424-32-0x0000000074560000-0x0000000074D10000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2424-40-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/2424-38-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/2424-37-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/2424-36-0x0000000000400000-0x0000000000433000-memory.dmp

                Filesize

                204KB

                Download

              • memory/3172-46-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

                Filesize

                88KB

                Download

              • memory/3648-44-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3648-45-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download

              • memory/3648-47-0x0000000000400000-0x0000000000409000-memory.dmp

                Filesize

                36KB

                Download