Overview

overview

10

Static

static

3

2739b41aab...c5.exe

windows7-x64

10

2739b41aab...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    36s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2024 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2739b41aab3ff3cc0727ada7ad04162f0379ef151c7d4b4296e963a2a74891c5.exe

  • Size

    300KB

  • MD5

    8c6bef1a357f339aae97e1e29a5eb682

  • SHA1

    43da742dc3c195f703680ee5078c4a9ec77b92e0

  • SHA256

    2739b41aab3ff3cc0727ada7ad04162f0379ef151c7d4b4296e963a2a74891c5

  • SHA512

    35da85906b763230494a348d3f08ae21172f1680af940661d5dec51becb45b9f783eefc130f7611290a8cf4cfa263c195c0ca9152cb4c2f3e8e80a981f180931

  • SSDEEP

    6144:qLSLqSQSiZ9jlMWzLUeBPSGfTgYn79o6q:qLSmSiZ9jlMWXdP5n7a

Score
10/10
smokeloaderpub1backdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\2739b41aab3ff3cc0727ada7ad04162f0379ef151c7d4b4296e963a2a74891c5.exe
    "C:\Users\Admin\AppData\Local\Temp\2739b41aab3ff3cc0727ada7ad04162f0379ef151c7d4b4296e963a2a74891c5.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4560
  • C:\Users\Admin\AppData\Local\Temp\D1B7.exe
    C:\Users\Admin\AppData\Local\Temp\D1B7.exe
    1⤵
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:4784
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      2⤵
        PID:4612
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1148
          3⤵
          • Program crash
          PID:1640
    • C:\Users\Admin\AppData\Local\Temp\D8AE.exe
      C:\Users\Admin\AppData\Local\Temp\D8AE.exe
      1⤵
      • Executes dropped EXE
      PID:2652
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        2⤵
          PID:4448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4612 -ip 4612
        1⤵
          PID:1412

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\D1B7.exe
          Filesize

          360KB

          MD5

          80c413180b6bd0dd664adc4e0665b494

          SHA1

          e791e4a3391fc6b7bcb58399cd4fa3c52a06b940

          SHA256

          6d99cec56614b6b8a23dfa84a50c6bbfde535411c6366ac2bcc20c9f5af62880

          SHA512

          347f4ae6f308b37d055a6177478e45ab3838d7020abed70c7aa138d2c3771e709de204da8550aebdcaa6139d869dc7328cc7e645c4dd48d1066f9ad70225644a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D8AE.exe
          Filesize

          2.0MB

          MD5

          c74486643fc206113cf40f9ae565a63f

          SHA1

          09825afb45e1dcc2090b8768eb40e8a12bcc5bd0

          SHA256

          d13b4c567263f7cc3b9ae8c8410d44066cfdb847a0530d4e07538fb2557027e6

          SHA512

          44fd96d509bb8b71b272976129f56c2735badb6ed129bdf05d13b7e7ea9bf60143de93e581f918b27027ef237f0d7b027e03642678bde920c82cbd5984dec3c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\D8AE.exe
          Filesize

          2.1MB

          MD5

          8436d56518f09ce75f84ab69fac478e4

          SHA1

          6ac0278c03dd601479642f568093e5e5c9dc9690

          SHA256

          e773feb8c25e797c4d26d4a459995ebf05565b5ac19a77fdc7f2a490a5ccc69a

          SHA512

          4c7384a3004760e83b3ab630f610e3b0574328a85d4abca9c20f812355f7f7800188b628cfc829a813c85fa3addbc0804f61454a40b1853ce893d675f8f349e6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          147KB

          MD5

          be845b62057f54b1210b5e52600b4544

          SHA1

          8506b4c209914fa0c50b361c78c3b3d3c81fad93

          SHA256

          623e53ebe1c923e65b9f6cea9c99244eef6a1e04bd3582952ff1a636ecb8452d

          SHA512

          87f5e0b1d314af098db68653f4fdfb42abd186d162d0e6c9f697f0f2ce88df2d0a00b58d26b693e0b536e3e937299f89e2a2eea4ca632149484406751fec311f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          123KB

          MD5

          29e849fa9c84877961b2c8714eaf8f84

          SHA1

          8502aa4c4be20d604e3cd451af8257dca9ce0f86

          SHA256

          6fae06496ca47739a1dcc0e931c9d1b89a01c85327a861223c0fa95a7258baca

          SHA512

          11c3981f157faba73f40bfc0c1dd6afdd360a0dbbc2481684624c86932ac39b30ea715c11457a25e4695fd5c910c991842628edb7d2fc12542d04589fec61d93

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
          Filesize

          87KB

          MD5

          3cbb401424f9570422172c620b82ec48

          SHA1

          a62e5001b4642436c2bc1dd5e297e67c497284e2

          SHA256

          8f80fdb5571b757887594504d1e0883d36fcb6725e941906298933bc5fe6b168

          SHA512

          dc4dc737bd94f1e260f6c366023dcba55f4f548a12ffb898023b0f4e40a6758fce8e094a3530108395feade89483520c1f3caf7f7a8ade1855d9e8599142a171

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\lib.dll
          Filesize

          98KB

          MD5

          0aa4a4d113d3d4a4fa010b99ced2bab3

          SHA1

          fe2b963b602a41aef0411296fa31414700fc4ed1

          SHA256

          cc9ec7ad11d1a67bcd56faa8b04805787f828248ce5b8b9acc8b8c25cf519a55

          SHA512

          d8bd894061a40c5b8f2a1ce594720a45d249dcc225f369e61f0f7b08850aa9c7c26c24e5b3089027806da6061481bf52eccb0fbd89283c3c13e5bc5b1c679983

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\nsqFA9D.tmp\System.dll
          Filesize

          12KB

          MD5

          dd87a973e01c5d9f8e0fcc81a0af7c7a

          SHA1

          c9206ced48d1e5bc648b1d0f54cccc18bf643a14

          SHA256

          7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

          SHA512

          4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

          Download Submit

        • memory/2652-36-0x0000000000240000-0x00000000007D6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2652-21-0x0000000000240000-0x00000000007D6000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3512-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4560-5-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/4560-3-0x00000000005F0000-0x00000000005F9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4560-2-0x0000000000400000-0x0000000000451000-memory.dmp

          Filesize

          324KB

          Download

        • memory/4560-1-0x0000000000710000-0x0000000000810000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/4612-54-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4612-56-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4612-62-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4612-61-0x0000000000870000-0x0000000000CA3000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/4612-59-0x00000000032D0000-0x00000000032D2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4612-53-0x0000000001000000-0x00000000010C4000-memory.dmp

          Filesize

          784KB

          Download

        • memory/4612-44-0x0000000000870000-0x0000000000CA4000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/4612-51-0x0000000000870000-0x0000000000CA4000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/4784-23-0x0000000002500000-0x000000000250D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/4784-25-0x0000000002140000-0x00000000021A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4784-52-0x0000000002140000-0x00000000021A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4784-24-0x0000000077744000-0x0000000077745000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4784-17-0x0000000002140000-0x00000000021A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4784-14-0x0000000000010000-0x000000000006D000-memory.dmp

          Filesize

          372KB

          Download

        • memory/4784-58-0x00000000026F0000-0x00000000026F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4784-28-0x0000000002700000-0x000000000270C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4784-29-0x0000000002140000-0x00000000021A6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4784-26-0x00000000026C0000-0x00000000026C1000-memory.dmp

          Filesize

          4KB

          Download