Overview

overview

10

Static

static

3

df87f718fb...2b.exe

windows7-x64

10

df87f718fb...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-12-2023 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df87f718fb9e4e94e0b202af8b84f22b.exe

  • Size

    282KB

  • MD5

    df87f718fb9e4e94e0b202af8b84f22b

  • SHA1

    e63f6762c1182004f4db715b9216fd8a6387e096

  • SHA256

    e70c261bbee76cac0f53d99beb2c1a70938d75a9c6e99459c531a6ec57a10f54

  • SHA512

    9929db3ebde4297d4b3223bc15c1353e8658afd1cfa5045a7a9afbb573eb300051918e25ef0b3d8db45783c1b6e0cc45f6de46063a2f1dadd5bd009b5052aca8

  • SSDEEP

    6144:bIQEK8NZVn50WAi0HK55N28f4TH8dWDg:tEK87Vn50WAi0Arf4z8Ag

Score
10/10
smokeloaderbackdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fazanaharahe1.xyz/

http://xandelissane2.xyz/

http://ustiassosale3.xyz/

http://cytheriata4.xyz/

http://ggiergionard5.xyz/

http://rrelleynaniy6.store/

http://danniemusoa7.store/

http://nastanizab8.store/

http://onyokandis9.store/

http://dmunaavank10.store/

http://gilmandros11.site/

http://cusanthana12.site/

http://willietjeana13.site/

http://ximusokall14.site/

http://blodinetisha15.site/

http://urydiahadyss16.club/

http://glasamaddama17.club/

http://marlingarly18.club/

http://alluvianna19.club/

http://xandirkaniel20.club/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • NSIS installer 6 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe
    "C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe
      "C:\Users\Admin\AppData\Local\Temp\df87f718fb9e4e94e0b202af8b84f22b.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:5072
  • C:\Users\Admin\AppData\Local\Temp\C217.exe
    C:\Users\Admin\AppData\Local\Temp\C217.exe
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:792
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
        PID:2248
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 1140
          3⤵
          • Program crash
          PID:3884
    • C:\Users\Admin\AppData\Local\Temp\CA36.exe
      C:\Users\Admin\AppData\Local\Temp\CA36.exe
      1⤵
      • Executes dropped EXE
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
          PID:4476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248
        1⤵
          PID:324

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        3
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\C217.exe
          Filesize

          85KB

          MD5

          21dc69e2777b3e8e15ef9b8852e02314

          SHA1

          acc744b3f257ebb8a048e9891ebba7cf66093f76

          SHA256

          ed2b591e2d7732122521ecb3952ce47a8c5ac4bc1ae7c521493d092bc1e22a2e

          SHA512

          6dce0d17e0adabbb3a3ed1254458259b424da0c904b79d948a059bf3c3d8ffa1290d8c2a66342c2d40b0adfe4ded3e16053c075dfb84edd16273eaa1af536cb7

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\C217.exe
          Filesize

          86KB

          MD5

          0a69b59a62dd5aa3e1b3b760b62485ed

          SHA1

          1748fbd9d540de98756138448b69b6abcdb43fda

          SHA256

          2f3ed241fe3486af10831248ea6c69db64c866eba6fcaef1d8af6d90d458ca1a

          SHA512

          32bde7fdd99a29afe368cad4f6a859132f463b480e7eaeb3661942845e2ebb16eecbcfddf9ead8896de25e794f06f516b706fb62f09688b682d19acae6198240

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CA36.exe
          Filesize

          413KB

          MD5

          0dd30fd0c86218554006d24cdd73b461

          SHA1

          fbc60d0cf3b4dce7312f5d953458337f10539182

          SHA256

          861a89036bd34a51bd2230f56d98d672f8dda769e6cb012a328b578347340106

          SHA512

          1056c201bdce6ef77ca0ba6cc11fe3e80caa857d1db02735f2991a89e98bc82cf542e4cd7b63437544d7a582eb325851c7e6af957760e7320376f9fc15d6a7fd

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\CA36.exe
          Filesize

          284KB

          MD5

          4d6fd0cd6ba0642a7d4a60b7cad3623f

          SHA1

          7df9fda9af867d79e85f03a4ac32d67b5122092a

          SHA256

          f1146016028ddd03737543bd7124ee3eee232540e14265b754b6163bb0f2da15

          SHA512

          0bf3df3dd91fc3e0fa0853ad2b8d7d7cc3b2cd85f2a3f2a136c8cd04687cc4b291762c1d729dcb541b004dc18e2c3de20e305c5d2d00af6b847b29e504349d3f

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          179KB

          MD5

          61e9a321be8c03d7001d855343a6263a

          SHA1

          4f396446b91ade5965bf56e1096e313e7f252128

          SHA256

          96ab556afb70ddcca6d0dae3f12b4fac7d06b2609553503200899576ace669e0

          SHA512

          26c1e66f41127a787f0a473c945070b6a0575c1e340ba02bb606fad17eccc83fc4f70b203733ebda0a3ed7e9914e178ce64bb79ca75c9c7678e059e964a0beca

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          92KB

          MD5

          fa23949873a89ff520e2788b5c2bb55b

          SHA1

          187a183d9b0dafc8dc463fe80a6ccc8aba8f1279

          SHA256

          864defbec2fdbf1c26aa05e4c6c12f1fea98099890ae1349db642b3c31873b39

          SHA512

          b7bfbac096cad020e7ee7cb3fbd2985fc738fbdec7f70603b97c2b073217398b95c8b5ba66c23ffb26fe385f14e60307c29bc36bace916f7a65cb6c008bb880d

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\nsxE688.tmp\System.dll
          Filesize

          3KB

          MD5

          a4900a248b5f8f02d1c8b676708145d2

          SHA1

          ec18e0862f54f367b8c66be9d6bf2644f83f70cb

          SHA256

          ae460d8ee878f44105a2ed5124c2b1a285fa395e075fdbd606aff38a5e2881fc

          SHA512

          787eab78621ae43dbf8c4b807699138bb845c989e8895de69fc7a97a8061f31a1a3c78ee9cf33a1fef64aeeecdab58c652db934dfbfe12211f47c8e4f059c79b

          Download Submit
        • memory/792-26-0x00000000773A4000-0x00000000773A5000-memory.dmp
          Filesize

          4KB

          Download
        • memory/792-27-0x0000000000910000-0x0000000000976000-memory.dmp
          Filesize

          408KB

          Download
        • memory/792-59-0x0000000000910000-0x0000000000976000-memory.dmp
          Filesize

          408KB

          Download
        • memory/792-16-0x0000000000010000-0x000000000006D000-memory.dmp
          Filesize

          372KB

          Download
        • memory/792-24-0x0000000000910000-0x0000000000976000-memory.dmp
          Filesize

          408KB

          Download
        • memory/792-25-0x0000000000990000-0x000000000099D000-memory.dmp
          Filesize

          52KB

          Download
        • memory/792-31-0x0000000002800000-0x0000000002801000-memory.dmp
          Filesize

          4KB

          Download
        • memory/792-30-0x0000000000910000-0x0000000000976000-memory.dmp
          Filesize

          408KB

          Download
        • memory/792-29-0x0000000002830000-0x000000000283C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/2248-54-0x0000000001000000-0x00000000010C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/2248-57-0x0000000001000000-0x00000000010C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/2248-63-0x00000000007B0000-0x0000000000BE3000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/2248-64-0x0000000001000000-0x00000000010C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/2248-61-0x0000000003300000-0x0000000003302000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2248-60-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2248-50-0x00000000007B0000-0x0000000000BE4000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/2248-53-0x00000000007B0000-0x0000000000BE4000-memory.dmp
          Filesize

          4.2MB

          Download
        • memory/2248-55-0x0000000001000000-0x00000000010C4000-memory.dmp
          Filesize

          784KB

          Download
        • memory/2796-2-0x0000000002B70000-0x0000000002B79000-memory.dmp
          Filesize

          36KB

          Download
        • memory/2796-1-0x0000000002B80000-0x0000000002C80000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/2804-22-0x00000000008B0000-0x0000000000E46000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/2804-38-0x00000000008B0000-0x0000000000E46000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3420-5-0x00000000025A0000-0x00000000025B6000-memory.dmp
          Filesize

          88KB

          Download
        • memory/4476-51-0x0000000072F60000-0x0000000073677000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/4476-65-0x0000000072F60000-0x0000000073677000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/5072-4-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize

          36KB

          Download
        • memory/5072-3-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize

          36KB

          Download
        • memory/5072-6-0x0000000000400000-0x0000000000409000-memory.dmp
          Filesize

          36KB

          Download