Overview

overview

10

Static

static

3

0faa7c27d8...74.exe

windows7-x64

10

0faa7c27d8...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    28s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-01-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe

  • Size

    311KB

  • MD5

    cf5a70c2f7978229efebcca70f6d2053

  • SHA1

    b2eb3eb28b89c31ccd4f4c89edaa1ed6d5a233a4

  • SHA256

    0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74

  • SHA512

    7f16690701912b9d043113783827dfbfd2b89fee0b74e4a0bc38ee73535bd7a4bc23014eee1632196926109d4b5e37cb076df975149b422df7719db0af8f000b

  • SSDEEP

    3072:eQLtli/LX0eRJibugK7Onq8zVvV6nnOh7wZPO6VmRZcJfTK7KVDrc+B5f239+9Uz:eQLtwk47Oqq36nnwZKfTgYn79oUq

Score
10/10
smokeloaderpub1backdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 2 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe
    "C:\Users\Admin\AppData\Local\Temp\0faa7c27d8cedbb19af0586a236ce4eca6b151509e526bedcc970606e391ce74.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 388
      2⤵
      • Program crash
      PID:4392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2424 -ip 2424
    1⤵
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\9D3A.exe
      C:\Users\Admin\AppData\Local\Temp\9D3A.exe
      1⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
          PID:4844
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 1132
            3⤵
            • Program crash
            PID:4324
      • C:\Users\Admin\AppData\Local\Temp\B47C.exe
        C:\Users\Admin\AppData\Local\Temp\B47C.exe
        1⤵
          PID:2980
          • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
            "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
            2⤵
              PID:2476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4844 -ip 4844
            1⤵
              PID:3928

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\9D3A.exe
              Filesize

              11KB

              MD5

              e9a401caa72bdb102bae36fce497ebfc

              SHA1

              7ed12f7406994a5dd8e775a3723354b87323e0de

              SHA256

              35b4cbf16cf954208297bb6b33fad0ae7c0f62933711df0a692b2a30cfcae935

              SHA512

              b454e5179b61afc2bbfd64cb23e183f0575186bbe8cfe0d00b5b27c4e0e42513108b939aa6a001360e576de0159b418eddee9c3b4138e74a447d6f3467ebcb00

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\9D3A.exe
              Filesize

              18KB

              MD5

              6e5dfaef319bf0df17eaa4ca5bd99d20

              SHA1

              b522e3a115f0187f3e1159032e89bed5582e0b56

              SHA256

              e6336fc691b9713737abe3a1511393b8c51ad69eb141cfa382d07bd97b7cb18f

              SHA512

              8b7ca3979393767e690dd7726f9433cf1040fa8d9d3dbc6c033636e6d33edf126cfbbbf4b8f27e5abcefc1a221a2e35357df353c8de03d739476e4d418635b1b

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\B47C.exe
              Filesize

              72KB

              MD5

              a2e2964d37bbcf6206e7f1adf594d183

              SHA1

              a9c0d33e23166352922eb6207e78fac5f58233fa

              SHA256

              816953bf6cfd071ae225f5b59cd1fb2fdef4e1c26c6f994e50350b7fe4da44d9

              SHA512

              f91995f7cf2da22edbfbbc964eac43268b70ba34b7de81aaa6cc3560d02d7425d1f6764f91bdbecf2da58351a4b214a88daeea6b4e941348ead7d9ef2f39bbd4

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\B47C.exe
              Filesize

              1KB

              MD5

              350e4003ef18942c96d982621a05286d

              SHA1

              77e3608787ea00b65656622a170722a3c1506977

              SHA256

              27f7c2bdb5136c46b8430b1af9b11a2ff0d936a7266ee845199e9ee27e572dbc

              SHA512

              60f9259ee5eb2487e6af46707c31ad4282927518211ee4fcd11e1ce9fb44c7731b1864f9079722f4302fd557a8eb8c7cf171618d095c29daf18c3ba31cf9d8a5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              106KB

              MD5

              355c52f31598b8d10518eb323681a3ab

              SHA1

              8be3c3da698218e361f542bb40ac217897c15bde

              SHA256

              c877c45e6e7a8dbd79e9c071ca851e6c9aeb7b2d2192080254e71347f79b609c

              SHA512

              8c2a9e3eb895dca7525a5cbf134edc20c82f29b08d5f1ae3373c3e733918d7c52ac8f3457e5ae3f09c729d3aad5bff62fe14a6337f24faa8ab6cde190f67fb3a

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              81KB

              MD5

              609e373bfe3435713b4ef0c9d35bb11e

              SHA1

              b19e60b9a3c650c3f7605cebc59ac97c71039f9b

              SHA256

              ae0dd9c698d75b51b6382aeeb880ad1ce1f1f7f18291e0ce07c9ed49be173a4f

              SHA512

              c109f92cd1d4a0f215adac2ab226df80ae71316ef5bdd7d16c4b4513e9550e4cdac3704c9aead04b15394919d8d0839eb1a8fccdc632abba9254e38a4d415f92

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              98KB

              MD5

              910bbc40849a132a42908465afec7056

              SHA1

              156eb81efd327bc9b330c4e16b768b02b8be098d

              SHA256

              687cd0be8ea7ac53bb1b174a249ce7faa9d9066a84efcfa189138051059af9ad

              SHA512

              7923e5f516cb1c94804aab29881ea432597ecdc0f779f6d1a51f3115f74829be64deb2b9e45324a2fefe53187d8c58442380e157e6e74784e14ada6cc9b6c44e

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\lib.dll
              Filesize

              84KB

              MD5

              9e64978317830797d76296d47cfef152

              SHA1

              d63b8ef84954be79f998b36e3eb75819c2c9d2d8

              SHA256

              c90d0e30138eeaf4a48881418516813f3da1c93ab8951e1ddb73f949208d5bc7

              SHA512

              bc6ae93db27141812797f2956892e3a5f30387d18dd4b3d292768f61a791f18b237e7fdaaf0ac1e15d8bdcbe2a87f4d93f9855bef51fb6f137eaec3c39280d2c

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsjB586.tmp\System.dll
              Filesize

              12KB

              MD5

              dd87a973e01c5d9f8e0fcc81a0af7c7a

              SHA1

              c9206ced48d1e5bc648b1d0f54cccc18bf643a14

              SHA256

              7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

              SHA512

              4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

              Download Submit

            • memory/2424-7-0x0000000000400000-0x0000000000454000-memory.dmp

              Filesize

              336KB

              Download

            • memory/2424-2-0x00000000004F0000-0x00000000004F9000-memory.dmp

              Filesize

              36KB

              Download

            • memory/2424-3-0x0000000000400000-0x0000000000454000-memory.dmp

              Filesize

              336KB

              Download

            • memory/2424-1-0x0000000000670000-0x0000000000770000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/2724-17-0x0000000000920000-0x000000000092D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/2724-23-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2724-19-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2724-14-0x0000000000010000-0x000000000006D000-memory.dmp

              Filesize

              372KB

              Download

            • memory/2724-16-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2724-22-0x0000000002830000-0x000000000283C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/2724-18-0x0000000077AA4000-0x0000000077AA5000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2724-32-0x00000000022D0000-0x0000000002336000-memory.dmp

              Filesize

              408KB

              Download

            • memory/2724-21-0x0000000002800000-0x0000000002801000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2980-39-0x0000000000AD0000-0x0000000001066000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2980-46-0x0000000000AD0000-0x0000000001066000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/3416-4-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4844-33-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4844-27-0x0000000000600000-0x00000000006C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/4844-28-0x0000000000600000-0x00000000006C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/4844-30-0x0000000000600000-0x00000000006C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/4844-26-0x0000000000DA0000-0x00000000011D4000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4844-24-0x0000000000DA0000-0x00000000011D4000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4844-61-0x0000000000600000-0x00000000006C4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/4844-60-0x0000000000DA0000-0x00000000011D3000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/4844-58-0x00000000042C0000-0x00000000042C2000-memory.dmp

              Filesize

              8KB

              Download