Overview

overview

10

Static

static

3

3a658a682d...80.exe

windows7-x64

10

3a658a682d...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    56s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2024 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a658a682d7961b370dde9b8e65aba80.exe

  • Size

    227KB

  • MD5

    3a658a682d7961b370dde9b8e65aba80

  • SHA1

    1c6dec6db75e49fe3bc0be4fec093d2ebc7b12d2

  • SHA256

    cd9dfd76dbfc11d9c6dd279b346cca489591b551bba392ade52486ee95918430

  • SHA512

    18d96158025e9c3ec10bcf12751361630c59751d8c5063560eb799fc683cd2b6ae1dba44f3c66ad25a398d8df8fd0682c90c7505d4851a48a723e137392f953e

  • SSDEEP

    3072:JG1se/J24L9letmyKn4whMtuuONm9r9opAS9uUHbnx7XkAs9DeBrmu:JG1se/JFIq3Mt0NmILThXkA

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://gxutc2c.com/tmp/index.php

http://proekt8.ru/tmp/index.php

http://mth.com.ua/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a658a682d7961b370dde9b8e65aba80.exe
    "C:\Users\Admin\AppData\Local\Temp\3a658a682d7961b370dde9b8e65aba80.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2616
  • C:\Users\Admin\AppData\Local\Temp\198E.exe
    C:\Users\Admin\AppData\Local\Temp\198E.exe
    1⤵
    • Drops startup file
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      PID:5036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 636
      2⤵
      • Program crash
      PID:780
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4724 -ip 4724
    1⤵
      PID:1748

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\198E.exe
      Filesize

      128KB

      MD5

      cc348dd3915d654b0c2d93e5d3d74fcc

      SHA1

      94ac66571a7d9868ebb6dbfbe6b02172838e3eee

      SHA256

      78e6ab68dde1b36457f4c35e9f9cf00ce0a2359ff8a0f1fecdae86726b7ff1c4

      SHA512

      b53d3dd6a7dd115eb42eb654a6c312e458bbfcd7e6c3602744554c6c18127029197a4ebac3cf6592e5ff092cb22f6c71ea0f8feeb039944033d10caeb6f4b1af

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\198E.exe
      Filesize

      116KB

      MD5

      084ea529b69955a96e29cb6bae308a4b

      SHA1

      8564e5c4f9dd29949197115da535a45e3bf8f39e

      SHA256

      841b0dc0ca2d3cc6c61b1a0810363217833aa8263bf07a002c523ea3d295d883

      SHA512

      5f0f1877208aeb63c898fa601303f0690366506cabe314ff6523201726f5999373382ce237135132b08d75a5d4e28eac3fb3f9ddb4c1ece0860947d0dffc29b6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      Filesize

      424KB

      MD5

      32cd0059c664e20eae3bfe67b3beca4b

      SHA1

      c8bd6e17063789f5ae7017b52c1dfa5f630603b7

      SHA256

      ca6fd29dbfecd00177a28aea95f0dee385afae11ce24d0c821cfa6a75b85b6c6

      SHA512

      3862807ff4705f058ada95e365101cfccd0139ab184890930a46f745d22861a8a2b17f5465d12798f25e7fdcff5749c0a4bd342e73366647bb3c969232d9f392

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      Filesize

      417KB

      MD5

      ab2fc1352799e6ae7e38b665793bf0d8

      SHA1

      7a69b89b7d2d93af32fee42214d591331dbc2429

      SHA256

      68d7940bea29dff695262fb730837b21a9e9c7b9cfd00f91c0a04de4f1736efa

      SHA512

      aa2d6bc6452ac8b765f7e22544c8ca4ec979332bf309b305c79f169f6c1f94753ee1bae28b0a4fc87614e4f8b5e6b888dcf12600311bc0bec12a2a8a91d08c8f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      Filesize

      389KB

      MD5

      ffcb0f2d254da33b2e67da3961bf520b

      SHA1

      be52f1c216ab6a278271767a3cb549ec16e1311d

      SHA256

      6be5f7c34209c400085a13669a7f1fb0300c4cb460ee527b54c1f01f51d11b96

      SHA512

      fd58242059fd460fab38dfb2cf260d18ffd41384073315155ff2d6180bc4ebc9873392f7b90b64ad3b64de8f17554226bacc4148e37b2be7ace290ed8552b2cb

      Download Submit

    • memory/2616-2-0x0000000000590000-0x000000000059B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2616-1-0x00000000007C0000-0x00000000008C0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2616-5-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2616-3-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/3452-4-0x0000000002710000-0x0000000002726000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4724-16-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/4724-17-0x0000000004790000-0x0000000004821000-memory.dmp

      Filesize

      580KB

      Download

    • memory/4724-26-0x0000000000400000-0x0000000002B72000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/4724-27-0x0000000000400000-0x0000000002B72000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/4724-28-0x0000000004790000-0x0000000004821000-memory.dmp

      Filesize

      580KB

      Download

    • memory/5036-29-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/5036-30-0x0000000000400000-0x0000000002B72000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/5036-33-0x0000000002E30000-0x0000000002F30000-memory.dmp

      Filesize

      1024KB

      Download