Overview

overview

10

Static

static

3

3460da28a0...37.exe

windows7-x64

10

3460da28a0...37.exe

windows10-2004-x64

10

Resubmissions

26-04-2024 19:08

240426-xtafqaab73 10

25-04-2024 12:49

240425-p2pavaah66 10

24-04-2024 19:16

240424-xyt1xsfg57 10

Analysis

  • max time kernel
    126s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-04-2024 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe

  • Size

    263KB

  • MD5

    f572d2cf74a7897bebb459dc08a45411

  • SHA1

    9a6bc0b9670cf1e5ea21876c1a71bafdec32017f

  • SHA256

    3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37

  • SHA512

    d75df9d31d36776841854c3708727219380cd8731d0669fd18be634047b7526299bd5e5fa561385e7dce458edee417f08ed779b3a590dc9a71450f6ef3557a33

  • SSDEEP

    3072:Y2e/zGhApVVIbW+UHPiXQGDL5mc4IRKU1uhIrueTi21TE7idvqjfyJ+dELqPtPe:OzCbWeQmLomRTVxT4O87dEL4t

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe
    "C:\Users\Admin\AppData\Local\Temp\3460da28a0587dedb4be574e4b26f25c807d42816562e2abdf61a34c1ac68b37.exe"
    1⤵
    • Checks SCSI registry key(s)
    PID:212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 356
      2⤵
      • Program crash
      PID:396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 212 -ip 212
    1⤵
      PID:840
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:408
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3532
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
        PID:2296
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3432

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\~DFEE9B98DD1D796F62.TMP
        Filesize

        16KB

        MD5

        fda751ee15fa9c735734a76c9f5e1bc6

        SHA1

        45b8a0d94e8e08fd11953dcbca9ffa27846fd5e8

        SHA256

        a40e6e97b2fe1947c6db841149789fc1dfa0ddbf4a6c4d2d9bc8b200561ed7a8

        SHA512

        1ef73bdfa3c70b74a671f9d82e0b114f213352667d28db8e0756699a148c2c3ce27d72a8fd6df4dfffc0accae18fe0790f69d3a6006c50ced73daa6de5f5e25d

        Download Submit
      • memory/212-1-0x0000000004060000-0x0000000004160000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/212-2-0x0000000004630000-0x000000000463B000-memory.dmp
        Filesize

        44KB

        Download
      • memory/212-4-0x0000000000400000-0x0000000004033000-memory.dmp
        Filesize

        60.2MB

        Download