Overview

overview

10

Static

static

3

toolspub2(1).exe

windows7-x64

10

toolspub2(1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2024 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspub2(1).exe

  • Size

    204KB

  • MD5

    42fd43493fe458c14357e791d574da30

  • SHA1

    cc8add3c129d5a6ea818ff818e6dcf83dbb61691

  • SHA256

    0a995df69165131d1a7a2c734f8f1b221338b2f9754ee1863cb8fd7fbdd296f7

  • SHA512

    49aed3b2bb525f285928d0aecde5d4189356c1374a5ab525e63442da6fe321c278b06216a0a739357bba6028f087d77070cb4d06765ac34c9def6fc2d7a8c706

  • SSDEEP

    3072:ZkIknM3Jq/AmlEkJiAj1K/2sIMOfbAichhFye+Uv3+RLzT+cmk:ZkIyXlEdOfEich3yIAzCcL

Score
10/10
smokeloaderup3backdoorevasiontrojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 2 IoCs
  • NSIS installer 8 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\toolspub2(1).exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2(1).exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3016
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 368
      2⤵
      • Program crash
      PID:4724
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3016 -ip 3016
    1⤵
      PID:4952
    • C:\Users\Admin\AppData\Local\Temp\A22B.exe
      C:\Users\Admin\AppData\Local\Temp\A22B.exe
      1⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:3132
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        2⤵
          PID:2340
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1132
            3⤵
            • Program crash
            PID:4332
      • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
        "C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe"
        1⤵
          PID:4024
        • C:\Users\Admin\AppData\Local\Temp\A605.exe
          C:\Users\Admin\AppData\Local\Temp\A605.exe
          1⤵
            PID:896
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2340 -ip 2340
            1⤵
              PID:1588

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\A22B.exe
              Filesize

              98KB

              MD5

              2c63c9da3570b45cca019dabc4c97c6a

              SHA1

              70ab7eea5f2ae9b063a20596af8ce555bf34fc69

              SHA256

              db0413c9ae3fb3fd227996232f5e80f9df2c33467d83a5e55f953de302d56147

              SHA512

              ab0e0fc2ef15668643500a766413096ad0bb9e8b9dfac2f9ec85f969a5f0035d3f0d9e5694d88dbfeb7d89aff46c2e21ccb15e3421264b5eb7769b51c86e6bc7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A22B.exe
              Filesize

              159KB

              MD5

              9ed667e7739ea5137207a3f153373e01

              SHA1

              d1ae12e418f71e87749d74d792e7e8b8c6c8a7de

              SHA256

              d51beb7c8402833ed3e0059ab72c427ace599ae0c201ae5e220c137e50586c08

              SHA512

              2ab80d24aa5c825707b990d14603d45a9c215d5d6695fddc3cf8261402707a332fb5c7ebe484da7c3bb710758d3426eb13125ae40a38b9b64bb4c85fa83fdef6

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A605.exe
              Filesize

              141KB

              MD5

              d3748d96ae52db562b189861e131a9a1

              SHA1

              ff4434603162a3b90ff21b1cc5482462aa1cafd6

              SHA256

              a925a10619c017d494a1d7d0181732a7e620e96a66a87810b31efdba77a66038

              SHA512

              b647f2faa7daf758ab4f0242c16de1cfb70489c199baccb83db7a69761a95f2175907aaafcee07e34f220faf5811f95a0541eb3e373a9f63c71ef3d26f1a2837

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\A605.exe
              Filesize

              165KB

              MD5

              3c8b9ca780a13a55e185be2ff55275b7

              SHA1

              4b1a3a0b5dc4ac9eafaedb3d60386e52f65eef2a

              SHA256

              4d23bc487472a6f1a59aab587f559575359d2c465f347ac8b60e2081189bab05

              SHA512

              f40fddf7e0fc974017ab4657731f98f232519bce770b1671491804cb344b0e2070df4c486d999211b2b6cbefd024d42f7ffc8bb8d7e7594ff96b266474d483a8

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              106KB

              MD5

              7a8202a5a056c985c874b2c4fa6274be

              SHA1

              042fc00b50cf7dcffa70ae4958f823ffb751e4f7

              SHA256

              ba8eb15836770688fcd8a642ef98eb243f0e8cc4f13973b23d7ee552a8e77bc4

              SHA512

              4961e43e7d4687ad449c686c7a060e76fd75f681e4389400cf05a273656286d9790ad0b84bc3f21af794f1a522870aa1f1f8952502de5cce3ebe4baaf61e0bf3

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              80KB

              MD5

              58dca512f2333bea158af0378ddcd526

              SHA1

              c2276394a409c80ad221a128cfae0f95a9c1ac1d

              SHA256

              8759c0f5dd30a44b83e350d0ba9b85ed36b9f9c8c70d07001a1a2ab26acd1748

              SHA512

              6e37001ca753e9b8a8761d1a7de8c0218bc372a4dce91d30eb161e1c0b552031958f1e7666f61c2aa757f2e998c2c2d7c00daaf03a7e3ac9554d9039490f7304

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.exe
              Filesize

              104KB

              MD5

              497e5f2f559d20ea43c388d1b7a12990

              SHA1

              13cd4990dab2517b181086c7a7f1a9edc0e7008d

              SHA256

              34974eae8d909c6806cd637edb7ca755e0d78951aefc721eb099027d6b2d9ad1

              SHA512

              8652bce727b0c117b72da70d1c6bef4ad88a732eb88a86adea16d4295044e7e64828f66edf993fd1dbc059be9130a870435a256b017453b5c32dcd5abb81c775

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\lib.dll
              Filesize

              189KB

              MD5

              72906e3a97617171d6daf5410c266979

              SHA1

              be84e8088089ed4f7de494f35c3be26875b69747

              SHA256

              94095c889d9781a7824d60c5a1d0022262fb97645369e9210f6777eea1be4e68

              SHA512

              bdb9e8bdba623a84b21bded96b699d1c3c105fd4758e2fb08169b8fd148ea41bddf4bd0c5d327dd677fe0911a53c19d688e2ac800708ef3436c1760a75643011

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsnA76C.tmp\System.dll
              Filesize

              12KB

              MD5

              dd87a973e01c5d9f8e0fcc81a0af7c7a

              SHA1

              c9206ced48d1e5bc648b1d0f54cccc18bf643a14

              SHA256

              7fb0f8d452fefaac789986b933df050f3d3e4feb8a8d9944ada995f572dcdca1

              SHA512

              4910b39b1a99622ac8b3c42f173bbe7035ac2f8d40c946468e7db7e2868a2da81ea94da453857f06f39957dd690c7f1ba498936a7aaa0039975e472376f92e8f

              Download Submit

            • memory/896-43-0x0000000000D10000-0x00000000012A6000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/896-35-0x0000000000D10000-0x00000000012A6000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2340-36-0x0000000000E10000-0x0000000000ED4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2340-29-0x0000000000E10000-0x0000000000ED4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2340-24-0x00000000006D0000-0x0000000000B04000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2340-26-0x00000000006D0000-0x0000000000B04000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2340-28-0x0000000000E10000-0x0000000000ED4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2340-62-0x0000000000E10000-0x0000000000ED4000-memory.dmp

              Filesize

              784KB

              Download

            • memory/2340-61-0x00000000006D0000-0x0000000000B03000-memory.dmp

              Filesize

              4.2MB

              Download

            • memory/2340-59-0x0000000004720000-0x0000000004722000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3016-1-0x00000000004E0000-0x00000000005E0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/3016-2-0x0000000002180000-0x0000000002189000-memory.dmp

              Filesize

              36KB

              Download

            • memory/3016-7-0x0000000000400000-0x0000000000438000-memory.dmp

              Filesize

              224KB

              Download

            • memory/3016-3-0x0000000000400000-0x0000000000438000-memory.dmp

              Filesize

              224KB

              Download

            • memory/3132-14-0x0000000000010000-0x000000000006D000-memory.dmp

              Filesize

              372KB

              Download

            • memory/3132-48-0x0000000002820000-0x0000000002821000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3132-47-0x0000000002290000-0x00000000022F6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3132-23-0x0000000002290000-0x00000000022F6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3132-16-0x0000000002290000-0x00000000022F6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3132-17-0x0000000002640000-0x000000000264D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/3132-18-0x0000000002290000-0x00000000022F6000-memory.dmp

              Filesize

              408KB

              Download

            • memory/3132-20-0x0000000077564000-0x0000000077565000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3132-21-0x0000000002800000-0x0000000002801000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3132-22-0x0000000002830000-0x000000000283C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/3520-4-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4024-58-0x0000000072D50000-0x0000000073467000-memory.dmp

              Filesize

              7.1MB

              Download

            • memory/4024-63-0x0000000072D50000-0x0000000073467000-memory.dmp

              Filesize

              7.1MB

              Download