Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
17-04-2024 13:43
Static task
static1
Behavioral task
behavioral1
Sample
2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
Resource
win10v2004-20240412-en
General
-
Target
2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
-
Size
289KB
-
MD5
d36332be897a501db1745c49e24f54e2
-
SHA1
bb840897f9d6cb92ed7e56585f507c8ce5b3410f
-
SHA256
2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d
-
SHA512
2f5b7994bd44a412632af073b12592b22f7672cbb77a4671778dad120e6f111f05fb4d4a5d12257fc2d3f4fd3b5925fb6494cb1e21d302c195367116d3b91230
-
SSDEEP
3072:y+hYvpQawiypIiIlrePe4hMh1u7LQggGaT9J0irfUoAou9ZxKZZti6LJS7ae:y9Ga/ykhehteZvXcBou8XQ61A
Malware Config
Extracted
Family smokeloader
Botnet pub1
Extracted
Family smokeloader
Version 2022
C2
http://nidoe.org/tmp/index.php
http://sodez.ru/tmp/index.php
http://uama.com.ua/tmp/index.php
http://talesofpirates.net/tmp/index.php
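The four gate URLs above are the most directly actionable part of this report. The script below, an added example that is not part of the sandbox output or of the SmokeLoader sample, turns them into a proxy-log detection: it indexes the exact host-plus-path gates and the bare hosts separately, because the gate path /tmp/index.php is generic enough that matching on the path alone would flag unrelated sites. The log format (timestamp, client, method, URL, status) and the lines in SAMPLE_LOG are constructed for the example.

```python
"""
Turn the four SmokeLoader gate URLs extracted above into a proxy-log detection.

Added example, not code from the report. The log format (timestamp, client,
method, URL, status) and the lines in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import urlparse

# C2 gate URLs from the extracted 'smokeloader / 2022' config on this page.
C2_URLS = [
    "http://nidoe.org/tmp/index.php",
    "http://sodez.ru/tmp/index.php",
    "http://uama.com.ua/tmp/index.php",
    "http://talesofpirates.net/tmp/index.php",
]

# Assumed log shape: "<iso-timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def build_iocs(urls):
    """Index exact (host, path) gates and bare hosts separately.  The gate path
    /tmp/index.php is generic, so the path alone is never used as an IoC."""
    exact, hosts = set(), set()
    for u in urls:
        p = urlparse(u)
        exact.add((p.hostname, p.path))   # urlparse lower-cases the hostname
        hosts.add(p.hostname)
    return exact, hosts


def classify(line, exact, hosts):
    """Return ("c2_gate"|"c2_domain", client, url) for a hit, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    p = urlparse(m["url"])
    host = p.hostname or ""
    if (host, p.path) in exact:
        return ("c2_gate", m["client"], m["url"])
    if host in hosts:
        return ("c2_domain", m["client"], m["url"])
    return None


def scan_log(lines, urls=C2_URLS):
    """Run the classifier over every line and keep only the hits."""
    exact, hosts = build_iocs(urls)
    return [hit for hit in (classify(line, exact, hosts) for line in lines) if hit]


def beaconing_clients(hits):
    """Clients that reached an exact gate URL: the hosts to triage first."""
    return sorted({client for kind, client, _ in hits if kind == "c2_gate"})


# Constructed sample log lines (no real traffic).
SAMPLE_LOG = [
    "2024-04-17T13:45:02Z 10.0.0.12 POST http://nidoe.org/tmp/index.php 200",
    "2024-04-17T13:45:03Z 10.0.0.12 GET http://sodez.ru/favicon.ico 404",
    "2024-04-17T13:45:04Z 10.0.0.20 POST http://example.org/tmp/index.php 200",
    "2024-04-17T13:45:05Z 10.0.0.31 POST http://UAMA.COM.UA/tmp/index.php 200",
    "2024-04-17T13:45:06Z 10.0.0.40 GET http://www.microsoft.com/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("beaconing:", beaconing_clients(found))
```

The third sample line hits the same /tmp/index.php path on an unrelated host and is deliberately left unflagged; the fourth shows that host matching is case-insensitive because urlparse normalises the hostname.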
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
Processes:
pid process
1192 (image name not recorded in the report)
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: each subkey under Enum\SCSI is named after the disk's vendor and product strings, and hypervisor-emulated disks expose vendor strings such as VBOX or VMware.
Processes:
2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
description     ioc
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
(process for all three: 2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe) -
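To see what the open/query/enumerate sequence on that key actually gives the sample, the script below reproduces the check in Python. It is an added example, not code from the report or from SmokeLoader: it parses device instance IDs of the form <class>&Ven_<vendor>&Prod_<product> (the subkey names Windows keeps under HKLM\SYSTEM\ControlSet001\Enum\SCSI) and flags those whose vendor or product string names a hypervisor disk. The marker list and the SAMPLE_IDS are assumptions; on Windows it enumerates the real key, elsewhere it falls back to the constructed sample.

```python
"""
Reproduce the check behind the 'Checks SCSI registry key(s)' signature.

Added example, not code from the report or from the SmokeLoader sample.
Windows keeps one subkey per SCSI device under
HKLM\SYSTEM\ControlSet001\Enum\SCSI whose name embeds the disk's vendor and
product strings, e.g. Disk&Ven_VBOX&Prod_HARDDISK on a VirtualBox guest.
VM_MARKERS and SAMPLE_IDS below are assumptions / constructed data.
"""
import re
import sys

# The key the sample opens, queries and enumerates (relative to HKLM).
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Vendor/product fragments hypervisor-emulated disks expose (assumed, illustrative).
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "XEN", "VIRTUAL")

# Device instance IDs look like <class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]
ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.I)


def _clean(s):
    """Registry names use '_' for spaces; restore them for matching/printing."""
    return s.replace("_", " ").strip()


def parse_device_id(device_id):
    """Split a device instance ID into class/vendor/product; None if malformed."""
    m = ID_RE.match(device_id)
    if not m:
        return None
    return {"class": m["cls"], "vendor": _clean(m["ven"]), "product": _clean(m["prod"])}


def looks_virtual(device_id):
    """True when the vendor or product string names a hypervisor disk."""
    d = parse_device_id(device_id)
    if d is None:
        return False
    hay = f"{d['vendor']} {d['product']}".upper()
    return any(marker in hay for marker in VM_MARKERS)


def scan(device_ids):
    """Return the subset of IDs that would make this check flag a sandbox."""
    return [d for d in device_ids if looks_virtual(d)]


def read_scsi_enum():
    """Enumerate the real key on Windows (open, query, enumerate, the same three
    registry operations the report lists). Returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


# Constructed sample subkey names: VirtualBox, VMware and physical-disk shapes.
SAMPLE_IDS = [
    "Disk&Ven_VBOX&Prod_HARDDISK&Rev_1.0",
    "CdRom&Ven_VBOX&Prod_CD-ROM&Rev_1.0",
    "Disk&Ven_VMware&Prod_Virtual_disk&Rev_2.0",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO&Rev_SVT0",
    "Disk&Ven_WDC&Prod_WDS500G2B0A&Rev_411",
]

if __name__ == "__main__":
    ids = read_scsi_enum() or SAMPLE_IDS
    for dev in ids:
        print(("VM  " if looks_virtual(dev) else "    ") + dev)
```

Running it inside an analysis VM shows exactly the strings the sample can see; the usual hardening is to rename the virtual disk (for example by setting a custom vendor/product string in the hypervisor's disk configuration) so that none of these markers are present.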
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2168 2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe (2 entries)
1192 (image name not recorded; all remaining entries) -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
2168 2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2ab7e6e873e7c7b1bde654551484678ea53b4ec4a20a5058a7508fc254e2146d.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2168
Network
MITRE ATT&CK Enterprise v15
Downloads
Memory dump                                                       Filesize
memory/1192-4-0x00000000021E0000-0x00000000021F6000-memory.dmp    88KB
memory/2168-2-0x0000000000220000-0x000000000022B000-memory.dmp    44KB
memory/2168-1-0x00000000008E0000-0x00000000009E0000-memory.dmp    1024KB
memory/2168-3-0x0000000000400000-0x0000000000722000-memory.dmp    3.1MB
memory/2168-8-0x0000000000220000-0x000000000022B000-memory.dmp    44KB
memory/2168-5-0x0000000000400000-0x0000000000722000-memory.dmp    3.1MB