Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe

  • Size

    2.3MB

  • MD5

    665d982ca7f55392948abb118b2c6b3d

  • SHA1

    76b7c096dae1f20041e7e55e3d863ec35cb4fd2d

  • SHA256

    5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea

  • SHA512

    8f7d99ef72b0fff0c0a758f28a948b9c4c2387f5e9a9b7f0ac3a8971d963d457d58cbd8368bc55809196c21daea956dc1a6eba664efa2b91567057ad22a19723

  • SSDEEP

    49152:tsOzsGwNJp72gr0XQZ/8VM+giH+pmGj1DrGpc85Rwxh:9fwnEg4hVvNCm6GpR5Rw

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe
    "C:\Users\Admin\AppData\Local\Temp\5f318080c6c0aef583c575f49bd61e9b4e8b6784f4c52b512e9c07090e4cedea.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mP7389.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mP7389.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4744
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5qy6iJ1.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5qy6iJ1.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      PID:3844

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2mP7389.exe
    Filesize

    3.2MB

    MD5

    b4e9b48f2882fa518797b2d69f2faaf4

    SHA1

    0f428f7939bec2446ec26474e7d8192440c1fd4c

    SHA256

    284effd5d250c1d301fef647dc72eaaa87500b3439a9b5b3233738791d51f78d

    SHA512

    99ba19388d8efb4a5afe2084f8e1f58c1cc805044ad9752cd5435ced2f70849b153974e71b9eaafcbcba88d958959d9f1d347f0c35645f4638288f833641ef6d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5qy6iJ1.exe
    Filesize

    36KB

    MD5

    1276d91cd5a4797ce3c8c16330d1ad20

    SHA1

    cdc3ac3606ac6e2fbf11f853e70adcc4c4fe5370

    SHA256

    3b4dce446671afb5059f0ffc8b468c8ed84c672d525c4748b237f643d8667ee3

    SHA512

    5241c621af7211c81ba0a66b8eaa373a015efcd390cef74d4f24b789785159a1154503e529387f003b0d7ea87a9b3e5a8c5de62292e4e1dd4b26c856e8e389f2

    Download Submit

  • memory/3844-22-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3844-20-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4744-11-0x0000000005820000-0x000000000582A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4744-12-0x00000000743C0000-0x0000000074B70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4744-10-0x0000000005840000-0x00000000058D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4744-13-0x0000000006BB0000-0x0000000006D64000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4744-14-0x00000000743CE000-0x00000000743CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4744-15-0x00000000743C0000-0x0000000074B70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4744-17-0x00000000743C0000-0x0000000074B70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4744-9-0x0000000005D50000-0x00000000062F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4744-8-0x0000000000A90000-0x0000000000DCC000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/4744-7-0x00000000743CE000-0x00000000743CF000-memory.dmp

    Filesize

    4KB

    Download