Analysis

  • max time kernel
    300s
  • max time network
    295s
  • platform
    windows10-1703_x64
  • resource
    win10-20231220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20231220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    07-01-2024 22:30

General

  • Target

    ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2.exe

  • Size

    240KB

  • MD5

    9d388c582710b08133e6d37a77a8ce90

  • SHA1

    0ba1fac8bf12d9095c64cc3c5f787ca2da17a49e

  • SHA256

    ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2

  • SHA512

    ff50426f0add5bba2eee4b8105ad6faef6f0f836200d67213cd141206f34ce0f2ab28a4051694877fecc01d16810c05a1d9445219b54e7c3b14780991cfc8e8b

  • SSDEEP

    3072:LQT/QLtwugecm9rQ1EUJBfJzbSHSpw8waU+tLO03geRp:LE/QLXge19rsBfJXSHwNge

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • NSIS installer 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    The disk identifier stored under HKLM\HARDWARE\DEVICEMAP\Scsi names the disk vendor, so reading it is a common way for malware to detect virtualised sandbox environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2.exe
    "C:\Users\Admin\AppData\Local\Temp\ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Users\Admin\AppData\Local\Temp\ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2.exe
      "C:\Users\Admin\AppData\Local\Temp\ec49ea3da7d627ad17042d48b66b1c8fbfd840e3e2b5920ea0509a735d9175d2.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 496
        3⤵
        • Program crash
        PID:2248
  • C:\Users\Admin\AppData\Local\Temp\E9F2.exe
    C:\Users\Admin\AppData\Local\Temp\E9F2.exe
    1⤵
    • Executes dropped EXE
    PID:5052
  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2132
  • C:\Users\Admin\AppData\Local\Temp\F87A.exe
    C:\Users\Admin\AppData\Local\Temp\F87A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2960
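
The signatures and process tree above describe one recognisable sequence: the sample launches a second copy of itself (PID 320 -> PID 208), writes into it and calls SetThreadContext (self-hollowing); the hollowed copy then reads the SCSI registry key, uses the Task Scheduler COM API and contacts the extracted C2 hosts. The Python below is an added example, not code or output from the sandbox that produced this report. It runs a few rules over a constructed API-call trace in a hypothetical event format; the C2 hostnames and the SCSI registry path are taken from this report, while the event field names, the file name sample.exe and the PIDs in the constructed trace are assumed for illustration.

```python
"""Rule-based triage of an API-call trace for the behaviours the report lists:
self-hollowing, SCSI registry sandbox check, Task Scheduler COM use and contact
with the extracted C2 hosts.

The trace format and the events are constructed for this example; they are not
output of the sandbox that produced the report.
"""
from collections import defaultdict
from urllib.parse import urlparse

# C2 URLs copied from the report's extracted configuration.
C2_URLS = ["http://host-file-host6.com/", "http://host-host-file8.com/"]
C2_HOSTS = {urlparse(u).hostname for u in C2_URLS}

# Key whose "Identifier" value names the (virtual) disk vendor.
SCSI_KEY_PREFIX = r"HKLM\HARDWARE\DEVICEMAP\Scsi"
TASKSCHD_DLL = "taskschd.dll"   # in-process server for the Task Scheduler COM API
CREATE_SUSPENDED = 0x00000004   # CreateProcess creation flag

# Constructed trace mimicking the report's process tree: PID 320 spawns a
# suspended copy of itself (PID 208), writes a payload into it and redirects
# its main thread; PID 208 then checks the SCSI key, loads the Task Scheduler
# COM server and beacons to one of the C2 hosts.  PID 5052 is benign noise.
SAMPLE_TRACE = [
    {"pid": 320, "api": "CreateProcessW",
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "flags": CREATE_SUSPENDED, "new_pid": 208},
    {"pid": 320, "api": "WriteProcessMemory", "target_pid": 208, "size": 0x9000},
    {"pid": 320, "api": "SetThreadContext", "target_pid": 208},
    {"pid": 320, "api": "ResumeThread", "target_pid": 208},
    {"pid": 208, "api": "RegOpenKeyExW",
     "key": SCSI_KEY_PREFIX + r"\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0"},
    {"pid": 208, "api": "RegQueryValueExW", "value": "Identifier"},
    {"pid": 208, "api": "LoadLibraryW", "module": r"C:\Windows\SysWOW64\taskschd.dll"},
    {"pid": 208, "api": "InternetConnectA", "host": "host-file-host6.com", "port": 80},
    {"pid": 5052, "api": "InternetConnectA", "host": "update.example.net", "port": 443},
]


def triage(trace):
    """Return a sorted list of (rule_name, pid) hits for the given trace."""
    hits = set()
    suspended_self_copies = {}   # new_pid -> creator pid, for suspended same-image children
    written_targets = defaultdict(set)  # creator pid -> child pids it wrote into

    for ev in trace:
        api = ev["api"]
        if (api == "CreateProcessW" and ev.get("flags", 0) & CREATE_SUSPENDED
                and ev["image"].lower() == ev["parent_image"].lower()):
            suspended_self_copies[ev["new_pid"]] = ev["pid"]
        elif api == "WriteProcessMemory" and ev["target_pid"] in suspended_self_copies:
            written_targets[ev["pid"]].add(ev["target_pid"])
        elif api == "SetThreadContext" and ev["target_pid"] in written_targets[ev["pid"]]:
            # suspended self-copy + memory write + thread context rewrite = hollowing
            hits.add(("self_process_hollowing", ev["pid"]))
        elif api in ("RegOpenKeyExW", "NtOpenKey") and \
                ev["key"].upper().startswith(SCSI_KEY_PREFIX.upper()):
            hits.add(("scsi_registry_sandbox_check", ev["pid"]))
        elif api == "LoadLibraryW" and ev["module"].lower().endswith(TASKSCHD_DLL):
            hits.add(("task_scheduler_com_api", ev["pid"]))
        elif api == "InternetConnectA" and ev.get("host", "").lower() in C2_HOSTS:
            hits.add(("known_smokeloader_c2", ev["pid"]))
    return sorted(hits)


if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_TRACE):
        print(f"{rule:30s} pid={pid}")
```

The hollowing rule deliberately requires all three steps (suspended same-image child, a write into it, then SetThreadContext on it) from the same creator; a lone SetThreadContext is too common in legitimate debuggers and runtimes to alert on. The taskschd.dll load is a heuristic for Task Scheduler COM use, not a confirmation that a task was created.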

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\E9F2.exe

    Filesize

    360KB

    MD5

    80c413180b6bd0dd664adc4e0665b494

    SHA1

    e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

    SHA256

    6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

    SHA512

    347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

  • C:\Users\Admin\AppData\Local\Temp\F87A.exe

    Filesize

    5.6MB

    MD5

    f7c6d870f0de20c40388b493d2b315d2

    SHA1

    1b25397776ae0481184f151ec3e608f3b65ac8e6

    SHA256

    4e07a3356bb6ffaa23224884b2ec5d79b6f956acc186475adac89867c0d623d9

    SHA512

    0619a22579ee70745034c547c53180d4319c3dc5db326dfecc275cd3b3025f354a3e6fac093a925611a5e0cca5ff9dbcfbfe246d376bb173829f332b670f5655

  • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe

    Filesize

    2.2MB

    MD5

    0badb0e573d95db49ac23c11163d9386

    SHA1

    d86dd20e4498ba5576272df07cd71dd9ed40bf8d

    SHA256

    5ebb608342d1306743d1ab56bb587b00d7e14737f5af48be3fa738a98cf29668

    SHA512

    a83d397fdcf2b749aac8f1db38a991b06a70c58d21c84d09cd8a732ee744287e7d7d58edeb817006b6ee245ed313993a3280aea32fd4c5a079b4f960ab35eff8

  • \Users\Admin\AppData\Local\Temp\lib.dll

    Filesize

    2.2MB

    MD5

    bc94fe5f3a7d234dceefa5a25c109358

    SHA1

    eefd19123cb554bd975d9848eff08f195c7794bb

    SHA256

    fdbd693e2a9eab791967e78eef8e1a3423c63b570d6fc8ccd9367be931c779c4

    SHA512

    650632899edc1bce009244cf228500c26df33c2036f774f60529c10bf7b277a49d3e635846097cf2d821a54e066a07f5f6ef2be055e1054e8c4a1a938fad9c69

  • memory/208-1-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/208-9-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/208-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/320-10-0x0000000000B10000-0x0000000000C10000-memory.dmp

    Filesize

    1024KB

  • memory/320-2-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

    Filesize

    36KB

  • memory/320-3-0x0000000000B10000-0x0000000000C10000-memory.dmp

    Filesize

    1024KB

  • memory/2960-24-0x0000000001370000-0x0000000001906000-memory.dmp

    Filesize

    5.6MB

  • memory/2960-28-0x0000000001370000-0x0000000001906000-memory.dmp

    Filesize

    5.6MB

  • memory/3452-5-0x0000000000CF0000-0x0000000000D06000-memory.dmp

    Filesize

    88KB
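
The memory dump names above encode the PID, a sequence number and the start and end address of the dumped region. Parsed, they line up with the process tree: three dumps of a 36KB region at 0x400000 in the second copy of the sample (PID 208), a 36KB region at 0xAA0000 in the original process (PID 320), a 5.6MB region in PID 2960 matching the size of F87A.exe, and an 88KB region in PID 3452, a PID that does not appear in the process tree. The Python below is an added example, not code from the sandbox: it parses the dump names copied from this report and flags equal-sized regions that occur in more than one process. It assumes the default 32-bit image base 0x400000 as the hollowing target; the report itself does not state which process PID 3452 is.

```python
"""Parse 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' names from the report
and correlate dumped regions across processes.  A region of one size dumped
from the parent and, at the default image base, from the child is the
memory-level trace of the self-hollowing shown in the process tree.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Dump names copied verbatim from the Downloads section of the report.
REPORT_DUMPS = [
    "memory/208-1-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/208-9-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/208-4-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/320-10-0x0000000000B10000-0x0000000000C10000-memory.dmp",
    "memory/320-2-0x0000000000AA0000-0x0000000000AA9000-memory.dmp",
    "memory/320-3-0x0000000000B10000-0x0000000000C10000-memory.dmp",
    "memory/2960-24-0x0000000001370000-0x0000000001906000-memory.dmp",
    "memory/2960-28-0x0000000001370000-0x0000000001906000-memory.dmp",
    "memory/3452-5-0x0000000000CF0000-0x0000000000D06000-memory.dmp",
]


def parse_dump(name):
    """Split one dump name into pid, seq, start, end and size (bytes)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions(names):
    """Distinct (pid, start, end) regions; repeated dumps of one region collapse."""
    seen = {}
    for n in names:
        d = parse_dump(n)
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def cross_process_matches(names):
    """Region size -> sorted PIDs, for sizes seen in more than one process."""
    by_size = defaultdict(set)
    for r in regions(names):
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def hollowing_candidates(names, image_base=0x400000):
    """(writer_pid, target_pid, size): a region at the target's image base whose
    size equals a region dumped from some other process.  image_base defaults
    to the usual 32-bit executable base; this is an assumption, not report data."""
    regs = regions(names)
    out = set()
    for tgt in regs:
        if tgt["start"] != image_base:
            continue
        for src in regs:
            if src["pid"] != tgt["pid"] and src["size"] == tgt["size"]:
                out.add((src["pid"], tgt["pid"], tgt["size"]))
    return sorted(out)


if __name__ == "__main__":
    for r in regions(REPORT_DUMPS):
        print(f"pid {r['pid']:>5}  0x{r['start']:08X}-0x{r['end']:08X}  {r['size'] // 1024} KB")
    print("equal-sized regions across processes:", cross_process_matches(REPORT_DUMPS))
    print("hollowing candidates (writer, target, size):", hollowing_candidates(REPORT_DUMPS))
```

On the report's own dump list the only size shared between processes is 0x9000 (36KB), held by PIDs 208 and 320, and the only hollowing candidate is PID 320 writing PID 208; the 1024KB, 5.6MB and 88KB regions are each confined to a single process.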