Analysis
-
max time kernel
149s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
06-01-2024 06:47
General
-
Target
458f99c04cb384590b8ea63bf97c41ac.exe
-
Size
275KB
-
MD5
458f99c04cb384590b8ea63bf97c41ac
-
SHA1
6208b70599f90a744fb3dbc262efbef4d62efd56
-
SHA256
6b6f8d06fa4a6cf408b0b087bf8351091b3abbbbd5be00d61ca54b2f32ac2f4e
-
SHA512
117ed8485a04110ea0613a14da61a4324cf71777f5cf886af4137a1bec9a0c5b0851dc054efe772544eb262fb219cf3b4aa181333ae47b68a94ec232e3026ca9
-
SSDEEP
6144:uC2hc8ZKCInY5L72W+TE800Bk1a+T7uqBSnjzV:chc8ZRIn07cTE80iwa+TgfV
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2020
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\458f99c04cb384590b8ea63bf97c41ac.exe"C:\Users\Admin\AppData\Local\Temp\458f99c04cb384590b8ea63bf97c41ac.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {CC585288-AA03-4488-9DB2-873400EA04D8} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\vegihafC:\Users\Admin\AppData\Roaming\vegihaf2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5ad5d9327ca4709aecf664e4a4d2e5f97
SHA1b97cb4017acb48d6090d2b4d59c0f2819edae64b
SHA256a1b2ba001f7898a945a56b45e33b74e6c2ab5c7003c9ff70c5953c08fde8cd08
SHA51288c266da93d16988b2bb29c6477c49dd04643b498cb82640c0d4459251092c504647e8823fed03ff6ca6b5667892bcea5690aec6e2a1eae2fac5f81b8086fbeb
-
Filesize
212KB
MD5ce51a78c8dcbd0c7fbc91cd37cd7b937
SHA129f26b397ecf840d09e20dd7b2f6d75316586f99
SHA256319c804b6e37aa3c5b5aa04a0179c23babbb9fa3f685dc198db0e86bee6b87c3
SHA512a51bf9ada5cca5d38fd17e3f179b38fa8b85641dd8f928ac0c8b4a75372dc2442d6cbea4df3c4cc2291c26eb2420a48a518e0907e5f2669d70f664b3ad9d7440
-
Filesize
1024KB
-
Filesize
31.7MB
-
Filesize
31.7MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
1024KB
-
Filesize
36KB
-
Filesize
31.7MB
-
Filesize
31.7MB