Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    299s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07-01-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431.exe

  • Size

    219KB

  • MD5

    71c0797d060ae8a45196a9336fbf7b5d

  • SHA1

    a2838790fa259240e53207be47535d0f89d15f40

  • SHA256

    21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431

  • SHA512

    2c2ae9c6510408b17a77e3ac1623a550784d2002fcaea4bf75372aeabb06a430cbe7f5543fd9631c92a545a0817f007fb65d192d75c35239c3bbb7a906fb48d9

  • SSDEEP

    3072:s9L3vACvLJiX7ezDwPh0jb4rVyYI08+Yi1DrRlWwgvXF/LwHO1/D:s9L3Xv5cPhSoVyYI+KwgdDwHa

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 6 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431.exe
    "C:\Users\Admin\AppData\Local\Temp\21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Users\Admin\AppData\Local\Temp\21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431.exe
      "C:\Users\Admin\AppData\Local\Temp\21a3403e49ae025b38441ee648e8eebf5b99b7c24226b968f2b38a4ce66ed431.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4392
  • C:\Users\Admin\AppData\Local\Temp\710.exe
    C:\Users\Admin\AppData\Local\Temp\710.exe
    1⤵
    • Executes dropped EXE
    PID:4292
  • C:\Users\Admin\AppData\Local\Temp\1190.exe
    C:\Users\Admin\AppData\Local\Temp\1190.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:4564
  • C:\Users\Admin\AppData\Roaming\wafcfbf
    C:\Users\Admin\AppData\Roaming\wafcfbf
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4224
    • C:\Users\Admin\AppData\Roaming\wafcfbf
      C:\Users\Admin\AppData\Roaming\wafcfbf
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1190.exe
    Filesize

    481KB

    MD5

    22ff64cbde80065ea1ff79b8f06385c8

    SHA1

    dfe429bc56a9e9a459cae9e2d6dc802562130731

    SHA256

    447505bf5ddaadb69b1ee3e6ba29936481887fa9bd9c6c79e2f22d593d256071

    SHA512

    5e28f0ad7d1ab7ee794ac6d80ea603855b7e5871ee2f525880ce0f28703ccc01cbe478ed8da5673166281225d4dc5318b577c9955a61b01ad7aff3bafd3e84e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1190.exe
    Filesize

    5KB

    MD5

    eae440ce6b3b1b7fab8f6d864a9690e1

    SHA1

    1473e6cce94e354245a3ee39c88bcb21fcf26902

    SHA256

    9e8585762f49957e92aacc82ac553a0e9e44f1580cd78d9500100728aca4b5db

    SHA512

    6bcee9a386aab39c145e94a3c4da2a8567009ea6960508c23ec48a9613c3ba8f33056adf65a000c16b39e6903f25e61c32a65df036eed61ee7a36140232f292a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\710.exe
    Filesize

    360KB

    MD5

    80c413180b6bd0dd664adc4e0665b494

    SHA1

    e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

    SHA256

    6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

    SHA512

    347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\710.exe
    Filesize

    195KB

    MD5

    567f2b15b305b54671a26967b4b31daa

    SHA1

    11cf46a4b7b05553495db5c66e1a042fe33e6cfb

    SHA256

    613ee10704a87798488ee86de2c1a9a38ce3b0cfb608af96f28734ab1372744c

    SHA512

    4f163dd7a1f7ca0c403a8d497b5075866bf9b05add6c6c2cae78da90af13f1266497995c23540184cbe498ab60cddc4d84ed153b0fdb9c7d2bea9f88856397fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
    Filesize

    33KB

    MD5

    9d90f82de2c941f34db1f0ba88237979

    SHA1

    d511adbe4d8ebb2eaaab2601a4a936748d55e412

    SHA256

    649882fe443be0e047a4439e7acce9f82a56bf22a7ff7eb666196236461ac532

    SHA512

    59a3484fae3d25a0c4486241bee5c21d179e5a10a6f8e8035c003909ba11f2e4a4b9c811f22f46664010a773e802dbcde126e808c4da75b318d52f0c9562b5f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
    Filesize

    92KB

    MD5

    fa23949873a89ff520e2788b5c2bb55b

    SHA1

    187a183d9b0dafc8dc463fe80a6ccc8aba8f1279

    SHA256

    864defbec2fdbf1c26aa05e4c6c12f1fea98099890ae1349db642b3c31873b39

    SHA512

    b7bfbac096cad020e7ee7cb3fbd2985fc738fbdec7f70603b97c2b073217398b95c8b5ba66c23ffb26fe385f14e60307c29bc36bace916f7a65cb6c008bb880d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wafcfbf
    Filesize

    176KB

    MD5

    7c881f0395b0469a24bb2732f66b6149

    SHA1

    9a4e6fefa542a9dfab8fd95f763c10ee8ec4256a

    SHA256

    c814aefbc24ffd770505ffdb30d485513ea84aa4bd37d26e180b6db6550ce888

    SHA512

    73876c13d999ec3261ef52cd5a3d28f501a17774696c18b526bf4a40eb8d0233c5529ef530725915820def885dc768046e6be31cf4f7be7d56ad0d3dd8113b59

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wafcfbf
    Filesize

    33KB

    MD5

    14d70c7cd0f736f1f740f2c63bfba53a

    SHA1

    ef29631cca5a5f4668c6fdbc109a2312336949a3

    SHA256

    ede277c100eba22fe101be3f3570e026326a91a5fed117da68b7863ad1e11801

    SHA512

    3d6b7f09663ec79677991a05c8d9f4c51878579faa47369453f7b3641adc8c366704d1b684b4c75b87bfcf220978a0da30065fc89c74bad8fa4add09bed85127

    Download Submit

  • C:\Users\Admin\AppData\Roaming\wafcfbf
    Filesize

    50KB

    MD5

    1d15810dd2f87923c8168139a6678b58

    SHA1

    51b4c60079b7e769b731b1e37a961ae829617529

    SHA256

    be2f4e1fd8f6acfc037e51f16af2bbcd3014fad984f9431d63a6b168586f9041

    SHA512

    edb26116e315b4aaddf8e4e0afeeb9c1fab485f3158622b1bbf66d4e5a8ba7f785ba843f8470765dc9dd693e5dd2504caa705aa0df93a930072dc66fe47a6ea0

    Download Submit

  • \Users\Admin\AppData\Local\Temp\lib.dll
    Filesize

    72KB

    MD5

    576163b65f03c062b65669c0156cf4f4

    SHA1

    acd6611f9bc9575b5cfad0118d222ed8f63bca84

    SHA256

    19172f775ff211c010cbd7464d4e9187052625dc02c19ce4a8ce121a934721ac

    SHA512

    9df1b98cbe47bb9dbcd50f8b19f1bf2e2c75ab772ec525f26b20e090b307116cb17d74e4a9133f77e13fbdc4c63e239f820c6e6830746ae6ddbe57c637b7da05

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsw15F5.tmp\System.dll
    Filesize

    12KB

    MD5

    dd87a973e01c5d9f8e0fcc81a0af7c7a

    SHA1

    c9206ced48d1e5bc648b1d0f54cccc18bf643a14

    SHA256

    7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

    SHA512

    4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

    Download Submit

  • memory/688-22-0x0000000000830000-0x0000000000DC6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/688-26-0x0000000000830000-0x0000000000DC6000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2912-46-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2912-48-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/3312-5-0x0000000000680000-0x0000000000696000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3312-47-0x00000000008B0000-0x00000000008C6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3456-2-0x0000000000540000-0x0000000000640000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3456-3-0x00000000004A0000-0x00000000004A9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4224-44-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4392-1-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4392-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4392-6-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/4564-38-0x0000000073A20000-0x0000000074137000-memory.dmp

    Filesize

    7.1MB

    Download

  • memory/4564-39-0x0000000073A20000-0x0000000074137000-memory.dmp

    Filesize

    7.1MB

    Download