Analysis
max time kernel: 139s
max time network: 194s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-04-2024 14:46
Static task: static1
Behavioral task: behavioral1
  Sample: cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
  Resource: win10v2004-20240412-en
General
Target: cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
Size: 240KB
MD5: f289b12b7bd6cc6d1fc9e09d792a5b79
SHA1: e08c148d0fb6b68679082500d62685d442dff7d8
SHA256: cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b
SHA512: b41f90eecaa68bdf7bc9a209cc94497f53b6f7d49e519e67b3d3f7f13e72ac08ccebb1a0108361d87c1d780595de9a0dbdb53293f166e2c504a9151a73456477
SSDEEP: 3072:L2YieatVPczJaKr9+7bQKcEdvRAtEo0kDticievIxHbrAFC74izRwZwM9f10UzVM:L2YiRtN97bkZicexHbrp74izRFyd1
Malware Config
Extracted
smokeloader
pub1
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.

Program crash (1 IoC)
Processes:
pid   pid_target   process        target process
4624  4368         WerFault.exe   cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description       ioc                                               process
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
Processes
C:\Users\Admin\AppData\Local\Temp\cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb509d8ab6bd2420904a66d6485419a6847da6d7c52e0eff4e8878c30423492b.exe"
  Checks SCSI registry key(s)
  PID: 4368
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 352
    Program crash
    PID: 4624
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4368 -ip 4368
  PID: 4788
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/4368-1-0x00000000006A0000-0x00000000007A0000-memory.dmp  Filesize: 1024KB
memory/4368-2-0x00000000008B0000-0x00000000008BB000-memory.dmp  Filesize: 44KB
memory/4368-3-0x0000000000400000-0x0000000000441000-memory.dmp  Filesize: 260KB
memory/4368-5-0x00000000006A0000-0x00000000007A0000-memory.dmp  Filesize: 1024KB