Analysis
-
max time kernel
152s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
04-04-2024 22:49
General
-
Target
3a2dc64e10511ab0ac7ca573f7542506ac46d65671b14311ea87b389ecf07ef6.exe
-
Size
267KB
-
MD5
0e14a277922e7dfd198d5040a4f91378
-
SHA1
1c4935915171149d8cca51ec724b4de82220a4a3
-
SHA256
3a2dc64e10511ab0ac7ca573f7542506ac46d65671b14311ea87b389ecf07ef6
-
SHA512
7becf133e14279a3a0c91384e9ad4b690db76104b8a938043c4f316950b80a2a7e284fc866f0ef4c864a26e6de57650082112dd4689c651b15142e90c02033ec
-
SSDEEP
3072:cwnnqrJp8/jZQ7Xv93PMFvsRJF/IZ+PW2aeeUWYOKKs6vg33qG:cMqrJp8/juT1DIYzgUqPg33q
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a2dc64e10511ab0ac7ca573f7542506ac46d65671b14311ea87b389ecf07ef6.exe"C:\Users\Admin\AppData\Local\Temp\3a2dc64e10511ab0ac7ca573f7542506ac46d65671b14311ea87b389ecf07ef6.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\rttashhC:\Users\Admin\AppData\Roaming\rttashh1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\rttashhFilesize
267KB
MD50e14a277922e7dfd198d5040a4f91378
SHA11c4935915171149d8cca51ec724b4de82220a4a3
SHA2563a2dc64e10511ab0ac7ca573f7542506ac46d65671b14311ea87b389ecf07ef6
SHA5127becf133e14279a3a0c91384e9ad4b690db76104b8a938043c4f316950b80a2a7e284fc866f0ef4c864a26e6de57650082112dd4689c651b15142e90c02033ec
-
memory/788-1-0x0000000002E30000-0x0000000002F30000-memory.dmpFilesize
1024KB
-
memory/788-2-0x0000000002E10000-0x0000000002E1B000-memory.dmpFilesize
44KB
-
memory/788-3-0x0000000000400000-0x0000000002B6C000-memory.dmpFilesize
39.4MB
-
memory/788-5-0x0000000000400000-0x0000000002B6C000-memory.dmpFilesize
39.4MB
-
memory/788-9-0x0000000002E10000-0x0000000002E1B000-memory.dmpFilesize
44KB
-
memory/3156-4-0x0000000007CD0000-0x0000000007CE6000-memory.dmpFilesize
88KB
-
memory/3156-18-0x0000000002C20000-0x0000000002C36000-memory.dmpFilesize
88KB
-
memory/4828-16-0x0000000002B90000-0x0000000002C90000-memory.dmpFilesize
1024KB
-
memory/4828-17-0x0000000000400000-0x0000000002B6C000-memory.dmpFilesize
39.4MB
-
memory/4828-21-0x0000000000400000-0x0000000002B6C000-memory.dmpFilesize
39.4MB