Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
17-04-2024 14:56
General
-
Target
1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe
-
Size
202KB
-
MD5
88db6b5d0b618c25d79c4bd58947f751
-
SHA1
cebebb5b9c4a919208e19555a5e5f0ac0c3b8c52
-
SHA256
1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35
-
SHA512
93ac48110b6260cc29aa4a6d6d1d4eef41a8e03bb4217539dcb69f360cc877af0d525d394a82639c1678e419cc85ee9b60a8f81d0c725519acf2717276007fbc
-
SSDEEP
3072:xARO2LoVS5fgevom6PJiMrt+NqaDXF6KBQ0Q2hTZMgsNKId16zxZRU5JnD:G3LofGMT3KBk2hSfNKny5h
Malware Config
Extracted
smokeloader
up3
Extracted
smokeloader
2020
http://host-file-host6.com/
http://host-host-file8.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe"C:\Users\Admin\AppData\Local\Temp\1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe"C:\Users\Admin\AppData\Local\Temp\1749c2de6125b6a38e42dd557b64b2d07abec025eb50f23743394136f655cf35.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\B3D5.exeC:\Users\Admin\AppData\Local\Temp\B3D5.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\B7DB.exeC:\Users\Admin\AppData\Local\Temp\B7DB.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\B3D5.exeFilesize
5.0MB
MD510ef283264e5050eb40f465feabeea60
SHA15c2b60ad7c2089db827532fed6069bdf74b505f8
SHA2566d45d61463e3521aa6d3d31bd7e953d38c6381c0e1b526dcb28c7f2786669eb6
SHA512c4e4080840991a829b05c76a55f6da6bffc9f618c7a1214d4d0b84e6e714d7b0e5646a99a5d92188f71801e6b7269069728f328d3a3b3fda577191372f399080
-
C:\Users\Admin\AppData\Local\Temp\B7DB.exeFilesize
385KB
MD5bdbfccc2b71c0d7f9de70aba81597b52
SHA1ebb97f2a7fe51ff607a1d1b7557c995dd1cc275a
SHA256082e8792e48e6ae0b16330f6bde833c42158ba2c9b75fad31ebc3d939f8a0042
SHA512fba755745e82b6acd1e74e15ce9bc729a9b0e85bbb1975959c1b5d7ab1e6859efc715de87c3f4b6ef4bb21a25d9246142e96323cfc5d732ae6007b4690dcd417
-
memory/1220-8-0x0000000002A00000-0x0000000002A16000-memory.dmpFilesize
88KB
-
memory/2228-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2228-5-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2228-6-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2228-7-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2228-9-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2232-1-0x00000000005F0000-0x00000000006F0000-memory.dmpFilesize
1024KB
-
memory/2232-2-0x0000000000220000-0x0000000000229000-memory.dmpFilesize
36KB
-
memory/3052-27-0x0000000000010000-0x0000000000076000-memory.dmpFilesize
408KB
-
memory/3052-30-0x0000000000010000-0x0000000000076000-memory.dmpFilesize
408KB