Analysis
max time kernel: 318s
max time network: 319s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-04-2024 22:31
Static task: static1
Behavioral task: behavioral1
  Sample: 45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe
  Resource: win10-20240404-en
General
Target: 45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe
Size: 200KB
MD5: fc846c506998587bc4e8cd630d5d49a0
SHA1: a74e9f9c26360886b64e8da795c246f79ca7edb9
SHA256: 45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19
SHA512: 4820b4d24c0b7440fc5e293436c5ce0be0f186c1960291f1d1473ed1413aa105939ed067908e30f315c2f5c6da1d30d1f7de6876382fe419babf2c31072f504d
SSDEEP: 3072:sMgGq31SQxXEy8H/QtWP4lTY09q9VeXbzVQQWFSSg8epaof9hJ:sMy31SQxX/8HW/9YV+beQQVPIf9
Malware Config
Extracted: smokeloader, pub3
Extracted: smokeloader, 2022
- http://nidoe.org/tmp/index.php
- http://sodez.ru/tmp/index.php
- http://uama.com.ua/tmp/index.php
- http://talesofpirates.net/tmp/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 1400
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2500 (45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe), 2 IoCs; pid 1400 (process name not recorded), the remaining 62 IoCs
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 2500 (45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: Token: SeShutdownPrivilege, pid 1400
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\45cde5310498c957f5120a4ab74c2ff666ac4fda9bcc0bc905047665d208bd19.exe"
   PID: 2500
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/1400-4-0x00000000029A0000-0x00000000029B6000-memory.dmp (filesize 88KB)
- memory/2500-1-0x0000000000710000-0x0000000000810000-memory.dmp (filesize 1024KB)
- memory/2500-2-0x0000000000220000-0x000000000022B000-memory.dmp (filesize 44KB)
- memory/2500-3-0x0000000000400000-0x0000000000536000-memory.dmp (filesize 1.2MB)
- memory/2500-5-0x0000000000400000-0x0000000000536000-memory.dmp (filesize 1.2MB)