Overview

overview

10

Static

static

3

718b20cdfd...f0.exe

windows7-x64

10

718b20cdfd...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2023 05:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    718b20cdfd7efb4a26aa0aa020e46af0.exe

  • Size

    147KB

  • MD5

    718b20cdfd7efb4a26aa0aa020e46af0

  • SHA1

    466be33731b34e28b56580f499cc7665bd3e77a9

  • SHA256

    0ff586cfb65d5fff23f0410d1082a1852c75ca972967fb84031febe0e9a227af

  • SHA512

    2cd4b934b3e51be5869b7f78bdaabb8803e8b6ef36cb51d63384ac5492f7a277cd84c3837026027cd3945e14199650fa97c52a96a03b9541af7c755f1247502f

  • SSDEEP

    1536:/qdK3LyZnzrkB4BNeF1hwEQjomml3mwG0SbJrSKfIqNW0IyBRg3Hiz2j5t9WMi9y:SsX17mF4JcWpQSY2j5t9WptBD

Score
10/10
smokeloaderbackdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs regedit.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe
    "C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe
      "C:\Users\Admin\AppData\Local\Temp\718b20cdfd7efb4a26aa0aa020e46af0.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:796
  • C:\Users\Admin\AppData\Local\Temp\7407.exe
    C:\Users\Admin\AppData\Local\Temp\7407.exe
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:2792
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
        PID:2984
        • C:\Users\Admin\AppData\Local\Temp\oue5s1m33q5_1.exe
          /suac
          3⤵
            PID:2104
            • C:\Windows\SysWOW64\regedit.exe
              "C:\Windows\SysWOW64\regedit.exe"
              4⤵
              • Runs regedit.exe
              PID:1792
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\OUE5S1~1.EXE" /RL HIGHEST
              4⤵
              • Creates scheduled task(s)
              PID:2128

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      3
      T1082

      Query Registry

      2
      T1012

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7407.exe
        Filesize

        1KB

        MD5

        95d4a7c3cae8812079436e7acb2fed4e

        SHA1

        caafd113902eba0f567d7ed2a8ef954976044d37

        SHA256

        60bd7c910492f0507b35fffde3541416984bb31340099f3d52a065f7d9f68a04

        SHA512

        bfe9ad29aad0835f66a0c9fa67ca7beb2809229489149fb8853c6b170bfced27cdbbec5552eee46e92716490cf4301d3cb18d3efd458b0b95564a399c9eab8f8

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7407.exe
        Filesize

        20KB

        MD5

        b663433e0215f1476a2104a778ca6113

        SHA1

        fca2d17d1066bfd07613cda69c5c31599c31c21b

        SHA256

        958ddf7f60b74d0fdfa2b8d9b5c96d732f25ccc36c70852978d4779ea96b3ea1

        SHA512

        644f3ee9db0cf036f8a66ffb2a33b934ca5b79c239e527ee05b5653d0c0ed84dc12eabca9d7fc367f66aab085a8eb89c37f889b9f07b2c0098d3702a10a4a4f4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\7407.exe
        MD5

        d41d8cd98f00b204e9800998ecf8427e

        SHA1

        da39a3ee5e6b4b0d3255bfef95601890afd80709

        SHA256

        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

        SHA512

        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\oue5s1m33q5_1.exe
        Filesize

        95KB

        MD5

        9c1ad1d5996f1f1093d64c602bc5cde6

        SHA1

        eab89fdcbc8b67581858c422f6781cd297e8a44a

        SHA256

        47c3082b7ac720c173f8451707c1ff5ac60832fc83d37448a2dd7b3073ebcd95

        SHA512

        53dddc06e7d79902700d4f35f0adc25d5e9793ba4cfd5fe5a6c06ec264b207f4924a784236c219e85fd0bbf7dd19bad53fcb9854dd557ba410d2c5f49b3ddf3c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\etvftrj
        Filesize

        39KB

        MD5

        b6e971a33939692cfede33d8d6dc8ddf

        SHA1

        7726614b04ce207a39d7f8ea6bee66d4b4dce348

        SHA256

        6083ea90e35d15901beec456cd34a2ddbccd134ce4deda191f7ff884dffcdc07

        SHA512

        1f3b5bc5e1a6b58777073f8d768763ee80b3959b55e86cf5a446447453f99cd37c903f943c97cda8241806daa32f3da9c6570d522b81f59f2b4aec0b08f133d7

        Download Submit
      • \Users\Admin\AppData\Local\Temp\oue5s1m33q5_1.exe
        Filesize

        51KB

        MD5

        b881eb51e51788c7ba5f738ff5be118d

        SHA1

        2d634cfa69c28aa6e31dc0df03c444c1e09b2d93

        SHA256

        3571c465496ce6064c0946f41261ecbb05751d7e20ead1fdd5ea1fbd98027d03

        SHA512

        9804cea40ce0c6afe644b061ac463160437fc3b752e47680de245d00f24feb2805681cc0b31aa674fc8f617cba5894fbec88a5b31fb4f9a53b1e152e39374ecc

        Download Submit
      • memory/796-6-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/796-5-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/796-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/796-8-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1192-7-0x00000000024C0000-0x00000000024D6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1192-87-0x0000000002490000-0x0000000002491000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1192-84-0x00000000024A0000-0x00000000024A6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/1192-53-0x0000000076D11000-0x0000000076D12000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1268-4-0x0000000000020000-0x0000000000029000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1268-2-0x0000000002210000-0x0000000002310000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1792-95-0x0000000000790000-0x00000000007F5000-memory.dmp
        Filesize

        404KB

        Download
      • memory/1792-96-0x00000000000D0000-0x00000000000DB000-memory.dmp
        Filesize

        44KB

        Download
      • memory/1792-93-0x0000000000790000-0x00000000007F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/1792-92-0x0000000000790000-0x00000000007F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2104-82-0x0000000000420000-0x0000000000486000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2104-77-0x0000000000420000-0x0000000000486000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2104-98-0x0000000000010000-0x000000000006D000-memory.dmp
        Filesize

        372KB

        Download
      • memory/2104-99-0x0000000000420000-0x0000000000486000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2104-100-0x00000000004D0000-0x00000000004D6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2104-80-0x00000000004D0000-0x00000000004D6000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2104-83-0x0000000000420000-0x0000000000486000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2104-81-0x0000000002510000-0x000000000251C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2792-28-0x0000000076EB0000-0x0000000076EB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2792-49-0x0000000000290000-0x0000000000296000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2792-50-0x0000000001C80000-0x0000000001CE6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2792-26-0x0000000001C80000-0x0000000001CE6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2792-25-0x00000000002A0000-0x00000000002AD000-memory.dmp
        Filesize

        52KB

        Download
      • memory/2792-23-0x0000000001C80000-0x0000000001CE6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2792-22-0x0000000000010000-0x000000000006D000-memory.dmp
        Filesize

        372KB

        Download
      • memory/2792-29-0x0000000001D80000-0x0000000001D81000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2792-30-0x0000000001DF0000-0x0000000001DFC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2792-31-0x0000000001C80000-0x0000000001CE6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/2792-24-0x0000000000290000-0x0000000000296000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2944-66-0x0000000076D11000-0x0000000076D12000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2984-46-0x0000000000390000-0x0000000000391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2984-51-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-58-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-60-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-59-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-61-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-56-0x0000000076CC0000-0x0000000076E69000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2984-65-0x0000000000260000-0x0000000000266000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2984-64-0x0000000000170000-0x0000000000234000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2984-63-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-75-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-78-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-54-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-55-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-36-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-57-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-52-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-35-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-45-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-44-0x0000000000170000-0x0000000000234000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2984-47-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-85-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-33-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-91-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-34-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-38-0x0000000000170000-0x0000000000234000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2984-37-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-39-0x0000000000260000-0x0000000000266000-memory.dmp
        Filesize

        24KB

        Download
      • memory/2984-40-0x0000000000170000-0x0000000000234000-memory.dmp
        Filesize

        784KB

        Download
      • memory/2984-42-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2984-43-0x00000000003A0000-0x00000000003AC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2984-102-0x0000000076EA0000-0x0000000077021000-memory.dmp
        Filesize

        1.5MB

        Download