Analysis
- max time kernel: 156s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/01/2024, 23:36
Static task: static1
Behavioral task: behavioral1
- Sample: 75cde21e312b2027780644fff8bd18f0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 75cde21e312b2027780644fff8bd18f0.exe
- Resource: win10v2004-20231215-en
General
- Target: 75cde21e312b2027780644fff8bd18f0.exe
- Size: 164KB
- MD5: 75cde21e312b2027780644fff8bd18f0
- SHA1: fe17a4a5728041af5bd9c0cb6dc634ea443ebc8d
- SHA256: e36ea88c9197fd42bd890b24de532afca1debe4d7a9867afcc83b04f09db6860
- SHA512: 235d571d73a5171bad022afd2f5af3d65c03d6f7db873703a34f3373a21e7f6f3719e7f94ea804242a892fdeaddfd4a78279b4c9c198a4fee7adf3e2b6f8ef5f
- SSDEEP: 3072:mbCmsbFfEXfrFELTMYgUENwRdixdtpVsPH:cqRC2LjKwrixYf
Malware Config
Extracted: smokeloader
- pub1
Extracted: smokeloader
- 2020
- http://x-100new.com/upload/
- http://goo0g2.xyz/upload/
- http://j-20.best/upload/
- http://japan-semui.xyz/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid 3524, Process: Process not Found
- Loads dropped DLL (1 IoC)
  pid 1976, Process: 75cde21e312b2027780644fff8bd18f0.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Process: 75cde21e312b2027780644fff8bd18f0.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Process: 75cde21e312b2027780644fff8bd18f0.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (Process: 75cde21e312b2027780644fff8bd18f0.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1976, Process: 75cde21e312b2027780644fff8bd18f0.exe (2 entries)
  pid 3524, Process: Process not Found (repeated for the remaining 62 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1976, Process: 75cde21e312b2027780644fff8bd18f0.exe
- Suspicious use of UnmapMainImage (1 IoC)
  pid 3524, Process: Process not Found
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.6MB
- MD5: 4f3387277ccbd6d1f21ac5c07fe4ca68
- SHA1: e16506f662dc92023bf82def1d621497c8ab5890
- SHA256: 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
- SHA512: 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219