Analysis
-
max time kernel
300s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
11-04-2024 22:28
General
-
Target
6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe
-
Size
281KB
-
MD5
fd385f55d814e14ee5a47b21479b3611
-
SHA1
22420004b06d236f1598f8c01775d9d0d0b5bf98
-
SHA256
6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa
-
SHA512
3986c8fb73edee8cdd628f5927f91b31754cc577a76fc125d9e174f0b68ddf88c873c7e5fbcd8b2bf0e7f815d4da89a15b644cb1948329dafc02419b36c9d430
-
SSDEEP
3072:/DbcvhZNvsVC80q+C+KU9iOJR86TL5eWMIxxe/b2oO:/cvBvsVlAAU9iODnTVfdxe/
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe"C:\Users\Admin\AppData\Local\Temp\6f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {8BE63D86-5987-46B7-BE3A-5745CBD92AD3} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gudawvhC:\Users\Admin\AppData\Roaming\gudawvh2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\gudawvhFilesize
281KB
MD5fd385f55d814e14ee5a47b21479b3611
SHA122420004b06d236f1598f8c01775d9d0d0b5bf98
SHA2566f875483575533ad197bcacb284a148a28430e22e59fffcc32504858b08620aa
SHA5123986c8fb73edee8cdd628f5927f91b31754cc577a76fc125d9e174f0b68ddf88c873c7e5fbcd8b2bf0e7f815d4da89a15b644cb1948329dafc02419b36c9d430
-
memory/1240-4-0x0000000002950000-0x0000000002966000-memory.dmpFilesize
88KB
-
memory/1240-16-0x0000000003710000-0x0000000003726000-memory.dmpFilesize
88KB
-
memory/1944-14-0x0000000000270000-0x0000000000370000-memory.dmpFilesize
1024KB
-
memory/1944-15-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/1944-19-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2332-1-0x00000000004F0000-0x00000000005F0000-memory.dmpFilesize
1024KB
-
memory/2332-3-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB
-
memory/2332-2-0x0000000000220000-0x000000000022B000-memory.dmpFilesize
44KB
-
memory/2332-5-0x0000000000400000-0x0000000000455000-memory.dmpFilesize
340KB