Overview

overview

10

Static

static

3

9705b26988...02.exe

windows7-x64

10

9705b26988...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2023 01:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9705b269886bfc7a262c12486f5e6802.exe

  • Size

    181KB

  • MD5

    9705b269886bfc7a262c12486f5e6802

  • SHA1

    a9cb5931ddcc0cf8e5b886270bffdd14472e5248

  • SHA256

    ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

  • SHA512

    5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

  • SSDEEP

    3072:OBfsGpcW25Gp+VIVnZqJQ1m9yGV0iT1gOcKFxq25KnB+WWxm78w2AAAvSFfG:SsGckEKnZU2GVBgWKB+hgv2A+G

Score
10/10
smokeloader6699backdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Botnet

6699

Extracted

Family

smokeloader

Version

2022

C2

http://atillapro.com/

https://atillapro.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe
    "C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe
      "C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe"
      2⤵
        PID:1952
      • C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe
        "C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe"
        2⤵
          PID:2792
        • C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe
          "C:\Users\Admin\AppData\Local\Temp\9705b269886bfc7a262c12486f5e6802.exe"
          2⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:2784
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {9944E07A-E200-403B-BD45-DDCF5A746CB6} S-1-5-21-2058106572-1146578376-825901627-1000:LPKQNNGV\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3056
        • C:\Users\Admin\AppData\Roaming\iifvbbf
          C:\Users\Admin\AppData\Roaming\iifvbbf
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2788
          • C:\Users\Admin\AppData\Roaming\iifvbbf
            "C:\Users\Admin\AppData\Roaming\iifvbbf"
            3⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: MapViewOfSection
            PID:2772

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\iifvbbf
        Filesize

        181KB

        MD5

        9705b269886bfc7a262c12486f5e6802

        SHA1

        a9cb5931ddcc0cf8e5b886270bffdd14472e5248

        SHA256

        ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

        SHA512

        5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\iifvbbf
        Filesize

        181KB

        MD5

        9705b269886bfc7a262c12486f5e6802

        SHA1

        a9cb5931ddcc0cf8e5b886270bffdd14472e5248

        SHA256

        ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

        SHA512

        5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

        Download Submit
      • C:\Users\Admin\AppData\Roaming\iifvbbf
        Filesize

        181KB

        MD5

        9705b269886bfc7a262c12486f5e6802

        SHA1

        a9cb5931ddcc0cf8e5b886270bffdd14472e5248

        SHA256

        ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

        SHA512

        5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

        Download Submit
      • C:\Users\Public\UnityStub.exe
        Filesize

        181KB

        MD5

        9705b269886bfc7a262c12486f5e6802

        SHA1

        a9cb5931ddcc0cf8e5b886270bffdd14472e5248

        SHA256

        ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

        SHA512

        5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

        Download Submit
      • C:\Users\Public\UnityStub.exe
        Filesize

        181KB

        MD5

        9705b269886bfc7a262c12486f5e6802

        SHA1

        a9cb5931ddcc0cf8e5b886270bffdd14472e5248

        SHA256

        ed51744a40d59eb9079f26bbb57ddc76bf4b9d60ee1d575adf731b2571559ceb

        SHA512

        5b23708a0f57a4e05533593f9fa9a85bc5f5201c98d6c6684151f33c764710f1988f7029af79e2c7bf45a1513495567e48f0d18b9efd534d84fdab9d1603cde6

        Download Submit
      • memory/1356-6-0x0000000002540000-0x0000000002556000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1356-21-0x0000000002560000-0x0000000002576000-memory.dmp
        Filesize

        88KB

        Download
      • memory/2340-1-0x0000000000130000-0x0000000000133000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2340-2-0x0000000000810000-0x000000000096C000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/2772-22-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2784-7-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2784-5-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2784-4-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/2788-17-0x0000000000790000-0x00000000008EC000-memory.dmp
        Filesize

        1.4MB

        Download