Analysis
-
max time kernel
240s -
max time network
245s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
-
submitted
11/10/2023, 08:48
General
-
Target
file.exe
-
Size
267KB
-
MD5
97e58a64090cb6f872c94a67eb2bee5c
-
SHA1
79a87878bd9c3d2d73f31eb2248ad7aebf70f5e7
-
SHA256
185031cb27faf0d5aa70d1d8e1016409e7ea9cb58690da2f64d907a4182ef6d4
-
SHA512
0bfdace4340ca97f36a868a90a21efd574fe196a54327f3656b8779d350299950898549f115e0c2657adc37a1e068602fc6e3d0a7881126afc48bab1130af1fe
-
SSDEEP
3072:D1i6xZDYH2IQRH+7MFJSwRujTSRHfU08RZ0Vn41b8Ubpxh5JetoMUMxNTxx:ZXYWT+oFMOUmpi0VnabZbprQo/MxNTf
Malware Config
Extracted
smokeloader
2022
http://potunulit.org/
http://hutnilior.net/
http://bulimu55t.net/
http://soryytlic4.net/
http://novanosa5org.org/
http://nuljjjnuli.org/
http://tolilolihul.net/
http://somatoka51hub.net/
http://hujukui3.net/
http://bukubuka1.net/
http://golilopaster.org/
http://newzelannd66.org/
http://otriluyttn.org/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
320KB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
320KB
-
Filesize
88KB