Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 05-04-2024 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  Resource: win10v2004-20240226-en
General
Target: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
Size: 234KB
MD5: a6d634a43095c223fc1ccbd146002aa5
SHA1: 249562af58cfbf6a9953b4f3bad9dbee274ddfa5
SHA256: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc
SHA512: d9dc07fc4d8621af2c9db00115bfc1ed1dc1674d5830087a38f8dc5c077a30eee696a5c1420c00460bedb038111f9c41bc6eb3c527d2d06dd22aa1ca7d964e0b
SSDEEP: 3072:aAPA6euGlmhCD2VmsX+dBZiXhtgsgHGU7PcBkMaSNsifpayHiTl:CtJ4hCajqBkFcGU70eBifpaWiT
Malware Config
Extracted (smokeloader)
  Version: pub3
Extracted (smokeloader)
  Version: 2022
  C2 URLs:
    http://nidoe.org/tmp/index.php
    http://sodez.ru/tmp/index.php
    http://uama.com.ua/tmp/index.php
    http://talesofpirates.net/tmp/index.php
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes:
  pid 1196 (process name not recorded)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  pid 2924  8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe (2 entries)
  pid 1196  (process name not recorded; all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: 8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
  pid 2924  8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e97100097043fe89021486d98a7c0d438bd7f24d7d221c6a4d04a5369dfe6fc.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2924
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/1196-4-0x0000000002950000-0x0000000002966000-memory.dmp  Filesize: 88KB
memory/2924-1-0x0000000000250000-0x0000000000350000-memory.dmp  Filesize: 1024KB
memory/2924-2-0x00000000001B0000-0x00000000001BB000-memory.dmp  Filesize: 44KB
memory/2924-3-0x0000000000400000-0x0000000000857000-memory.dmp  Filesize: 4.3MB
memory/2924-5-0x0000000000400000-0x0000000000857000-memory.dmp  Filesize: 4.3MB