Overview

overview

10

Static

static

3

835b683a6c...5d.exe

windows7-x64

10

835b683a6c...5d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    218s
  • max time network
    264s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    26/12/2023, 12:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    835b683a6c981701441fa8b0a1bb2f5d.exe

  • Size

    277KB

  • MD5

    835b683a6c981701441fa8b0a1bb2f5d

  • SHA1

    61b6430628d1a847b3fb2305838415dda4d29d76

  • SHA256

    4632afaaca26e69491829d3b0572f3428b4c1c6bbaa290f988c8ed9860973367

  • SHA512

    c51109fffd11fd7f433f025774ffde178882037907b21d86e3e221072f0655fc2b4a7d0d4125b5dcb6968ab764d88f882aaa0aec7b483f0ca6a02de6f39237f8

  • SSDEEP

    6144:vYpBGaYLFCZnrMMgJUlFfK2oXiPUXGSl:vcBGRErMMY+Ff0cUXD

Score
10/10
smokeloaderbackdoorpersistencetrojanupx

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\835b683a6c981701441fa8b0a1bb2f5d.exe
    "C:\Users\Admin\AppData\Local\Temp\835b683a6c981701441fa8b0a1bb2f5d.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1964
  • C:\Users\Admin\AppData\Local\Temp\C5EE.exe
    C:\Users\Admin\AppData\Local\Temp\C5EE.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Users\Admin\AppData\Local\Temp\C5EE.exe
      C:\Users\Admin\AppData\Local\Temp\C5EE.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1764
  • C:\Users\Admin\AppData\Local\Temp\F43F.exe
    C:\Users\Admin\AppData\Local\Temp\F43F.exe
    1⤵
    • Executes dropped EXE
    PID:948

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
          Filesize

          1.7MB

          MD5

          30d544d5ec3b09349b66532f77ae0064

          SHA1

          c918c4e73f629fc5c0e7fea9ca1af6d6cf5fc676

          SHA256

          0821cd2a009be4e2e91dbca2604c5e39116ab6b01d7cac151433e47b23bb4658

          SHA512

          a7eeb79a2dde165a50273b2b7621c47a2609cad4329e83395b4464e79e317f32b2e7fc2fae0c2a062e869a181e267fc6e817fb9ba7b0f6ded7a8a96e714d5054

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\C5EE.exe
          Filesize

          2.0MB

          MD5

          3eb4e7d99afa9e61d5fbcd4c42985220

          SHA1

          a67ca6138a9f0cfc70c3406c39e88b88567ff76b

          SHA256

          af5cfa1a66edeb8cc4eae20824fe6b6b15d4955bef4bbe13750d8f9af424c49e

          SHA512

          d704a96c7a32e713772497880d05f83fd5c6ef28f3a3e4da4b2de2dbaebf0505bdbd302b41aca3a326f10c8493101bc4b65fb073233c472c75d541bbceb9aff6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\C5EE.exe
          Filesize

          714KB

          MD5

          d413c9e51f1aeaa668a895fd2ed4ac19

          SHA1

          f552d95dd71d6c35d3f93c1d4e2ca78896ebc488

          SHA256

          c5d2df7b243ff7c29709e0aae66e8019fc6142437072c37ad88605d02e5650cd

          SHA512

          73935de34d8e29c299f3c66cd3b6b9de85dfa7ed57f2a84f221a45fc13a8de7efbddf81921c04eb341eda6002e6a2e21ffde9f5fd5b368dbad7d3b06d57bf637

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\C5EE.exe
          Filesize

          803KB

          MD5

          af9cc5c3f27c0c9c5989f52c62f9d6a0

          SHA1

          2dd2729474284bd03b93f40cce7da7826b8cfac1

          SHA256

          159a885ce40905b2033ad8cec959d72f1ee1ec4b3dad9d7b89144a31471f3343

          SHA512

          9a12bfc9564d998ec888bd369558cbcffbbc310bbb5220ec9d00daaf11cf6725e5e3df1d4e42382c952d919e3801b0d27798066d66b0e295f5ba1308d6349cfa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F43F.exe
          Filesize

          37KB

          MD5

          323fc119d7cb9e7eadf6463d0e56f483

          SHA1

          44f8d7761f1c7a64432d9abeb6aaa9ff75526120

          SHA256

          86b3ba5c851008a8ae0eafa2e316c18d76289f830ae321a6703bde09d7ab9ceb

          SHA512

          74bd6208481ab2839faa5e555886fe1dccf36de05a0bf8582b87006fafec2423888816955f669a834feb594bfc3fce4a7ceb3a34d6c23eb077c0fa2e5c13a1e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F43F.exe
          Filesize

          101KB

          MD5

          4e982e0da3301ebae6ce1613103c1c4b

          SHA1

          82cf7469d1f9852773a1c29c68392a21bef6cc08

          SHA256

          19c76749399f06aee7897cfeedf56fd8dec84472433348e993167dbe48dd8ba5

          SHA512

          0bab08db6299169cfc298afd94399d095f472e87c388777d338817b635b8fe9d04688c904c5c49dc6617f75c532fb41874a9f5eb6d7d5e3a4b4053531414be77

          Download Submit

        • \Users\Admin\AppData\Local\Temp\C5EE.exe
          Filesize

          702KB

          MD5

          abeb3b1712e580e98b39b9ede4a7895a

          SHA1

          e484cb42b6fa1ec276808cf6644e8ef7213232e1

          SHA256

          d8e8d91e484179aae58cc90d3a2aabb3f1d6e84dd1f935403e41a9520769bbfe

          SHA512

          866c2ad3b25cd9f2b7818382877f04aeac0b1cfe88e918036ce327c56072cf489b8e8c45b1a1d051f4cf6c4b41ad3d099e9d6ed3cdadd476fe3615de0e3b58a4

          Download Submit

        • memory/948-47-0x0000000000340000-0x00000000003FE000-memory.dmp

          Filesize

          760KB

          Download

        • memory/948-49-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/948-48-0x0000000002230000-0x0000000002399000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/948-50-0x0000000000400000-0x0000000000900000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/948-61-0x0000000000400000-0x0000000000900000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/948-46-0x0000000000340000-0x00000000003FE000-memory.dmp

          Filesize

          760KB

          Download

        • memory/1220-5-0x0000000002930000-0x0000000002946000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1628-28-0x0000000002150000-0x0000000002307000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1628-21-0x0000000001F90000-0x0000000002148000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1628-22-0x0000000001F90000-0x0000000002148000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1764-27-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-54-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-34-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-33-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-32-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-31-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1764-63-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-62-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-51-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1764-35-0x0000000000400000-0x0000000000848000-memory.dmp

          Filesize

          4.3MB

          Download

        • memory/1964-3-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/1964-2-0x0000000000220000-0x000000000022B000-memory.dmp

          Filesize

          44KB

          Download

        • memory/1964-6-0x0000000000400000-0x000000000044D000-memory.dmp

          Filesize

          308KB

          Download

        • memory/1964-1-0x0000000000580000-0x0000000000680000-memory.dmp

          Filesize

          1024KB

          Download