Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
17-04-2024 13:38
General
-
Target
dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe
-
Size
267KB
-
MD5
8d497ad51a5e074060134dcb2d49786c
-
SHA1
a2519bbfcd1c1c4f5558df52caa038ce4cb97448
-
SHA256
dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483
-
SHA512
994ab1bcee306c42a7bcefa2c0f4747e5fb62359d2fc292084b370269ebaa2eb7fd37643d2b024dd8684ada4f8d1ec80110b219a8ab626a20ded2c82dc3cf84c
-
SSDEEP
3072:LBhoLytqNiryGxcInMp3/ZaBesq5GBrPKWZlhy8paIYWLXfag5Z34zT+yx:IERryGfnC/sM5irPK6hjtYCyQ34zT
Malware Config
Extracted
smokeloader
pub3
Extracted
smokeloader
2022
http://kamsmad.com/tmp/index.php
http://souzhensil.ru/tmp/index.php
http://teplokub.com.ua/tmp/index.php
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe"C:\Users\Admin\AppData\Local\Temp\dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {18CCC33E-BEAE-4C73-9177-35B18B6E7BA4} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\hbfhievC:\Users\Admin\AppData\Roaming\hbfhiev2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\hbfhievFilesize
267KB
MD58d497ad51a5e074060134dcb2d49786c
SHA1a2519bbfcd1c1c4f5558df52caa038ce4cb97448
SHA256dd412095728977133073e98b5d8d6b09ba65f6f7843f495663d9af1391a18483
SHA512994ab1bcee306c42a7bcefa2c0f4747e5fb62359d2fc292084b370269ebaa2eb7fd37643d2b024dd8684ada4f8d1ec80110b219a8ab626a20ded2c82dc3cf84c
-
memory/1140-4-0x00000000024A0000-0x00000000024B6000-memory.dmpFilesize
88KB
-
memory/1140-16-0x00000000024D0000-0x00000000024E6000-memory.dmpFilesize
88KB
-
memory/2604-14-0x0000000001B40000-0x0000000001C40000-memory.dmpFilesize
1024KB
-
memory/2604-15-0x0000000000400000-0x0000000001A2F000-memory.dmpFilesize
22.2MB
-
memory/2604-19-0x0000000000400000-0x0000000001A2F000-memory.dmpFilesize
22.2MB
-
memory/2896-1-0x0000000001B40000-0x0000000001C40000-memory.dmpFilesize
1024KB
-
memory/2896-2-0x0000000000220000-0x000000000022B000-memory.dmpFilesize
44KB
-
memory/2896-3-0x0000000000400000-0x0000000001A2F000-memory.dmpFilesize
22.2MB
-
memory/2896-5-0x0000000000400000-0x0000000001A2F000-memory.dmpFilesize
22.2MB