Analysis
max time kernel: 91s
max time network: 99s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-05-2024 19:00
Static task: static1

Behavioral task: behavioral1
Sample: 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
Resource: win10v2004-20240426-en

Behavioral task: behavioral2
Sample: 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
Resource: win11-20240426-en
General
Target: 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
Size: 3.0MB
MD5: 6d847896c20eb21cf6dc6a924138ef32
SHA1: c254273ecdb71e8d9097f726739036a94dd84a90
SHA256: 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd
SHA512: 92074de4057f7519cae0eded975479dce2021088b6560f30be8a673fd79c0db4384ff6c09ae81cdba9b61c34415a839a089f6ef05636215ccaf9fc2400d42bf6
SSDEEP: 98304:sfUbPHsTPGQE5rSKvY7FPmCOAJC+v6jJcmDcaS:sfUITl4YthO+Ca6VcmcL
Malware Config
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (3 IoCs)
pid  | Process
1824 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
2104 | RttHlp.exe
1188 | RttHlp.exe

Loads dropped DLL (8 IoCs)
pid  | Process
1824 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
2104 | RttHlp.exe
2104 | RttHlp.exe
1188 | RttHlp.exe
1188 | RttHlp.exe
1188 | RttHlp.exe
1188 | RttHlp.exe
2120 | UBA_control.exe

Suspicious use of SetThreadContext (2 IoCs)
description                              | pid  | Process    | procid_target
PID 1188 set thread context of 3156      | 1188 | RttHlp.exe | 85
PID 3156 set thread context of 2120      | 3156 | cmd.exe    | 87

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid  | Process
2104 | RttHlp.exe
1188 | RttHlp.exe
1188 | RttHlp.exe
3156 | cmd.exe
3156 | cmd.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid  | Process
1188 | RttHlp.exe
3156 | cmd.exe
3156 | cmd.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                        | pid  | Process                                                                | procid_target
PID 4188 wrote to memory of 1824   | 4188 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 80
PID 4188 wrote to memory of 1824   | 4188 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 80
PID 4188 wrote to memory of 1824   | 4188 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 80
PID 1824 wrote to memory of 2104   | 1824 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 83
PID 1824 wrote to memory of 2104   | 1824 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 83
PID 1824 wrote to memory of 2104   | 1824 | 207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe | 83
PID 2104 wrote to memory of 1188   | 2104 | RttHlp.exe                                                             | 84
PID 2104 wrote to memory of 1188   | 2104 | RttHlp.exe                                                             | 84
PID 2104 wrote to memory of 1188   | 2104 | RttHlp.exe                                                             | 84
PID 1188 wrote to memory of 3156   | 1188 | RttHlp.exe                                                             | 85
PID 1188 wrote to memory of 3156   | 1188 | RttHlp.exe                                                             | 85
PID 1188 wrote to memory of 3156   | 1188 | RttHlp.exe                                                             | 85
PID 1188 wrote to memory of 3156   | 1188 | RttHlp.exe                                                             | 85
PID 3156 wrote to memory of 2120   | 3156 | cmd.exe                                                                | 87
PID 3156 wrote to memory of 2120   | 3156 | cmd.exe                                                                | 87
PID 3156 wrote to memory of 2120   | 3156 | cmd.exe                                                                | 87
PID 3156 wrote to memory of 2120   | 3156 | cmd.exe                                                                | 87
PID 3156 wrote to memory of 2120   | 3156 | cmd.exe                                                                | 87
Processes (process tree; indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe"
   - Suspicious use of WriteProcessMemory
   PID: 4188

   2. C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
      Command line: "C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1824

      3. C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\RttHlp.exe
         Command line: "C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\RttHlp.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 2104

         4. C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
            Command line: C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            PID: 1188

            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\SysWOW64\cmd.exe
               - Suspicious use of SetThreadContext
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious behavior: MapViewOfSection
               - Suspicious use of WriteProcessMemory
               PID: 3156

               6. C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
                  - Loads dropped DLL
                  PID: 2120
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 750KB
MD5: f87c00cd3e195bd349822ec387b2ade0
SHA1: ecf8832c8b6e00334022830f45c59697537f5bea
SHA256: 009c26fab58834fdef7a0b0e0ead05dd3edc7345426f725df81c51ea484743f6
SHA512: 20a43d948a773cd99df3fc3c64570334439277047935b61d9e0064d02bc61712eace62a51d35928c46594cd2d582c8538dae52c79fb1013c8c90d713e0336ab4

Filesize: 301KB
MD5: 68cefdfbd2e1a35e8c4f144e37d77a76
SHA1: 0a6637d5eb3c958a0136358d0290514c7309af73
SHA256: c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8
SHA512: 88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
Filesize: 2.7MB
MD5: 51c6396f186485cc5c7b78c0b12c6080
SHA1: b8adf225ef1652010c0b14df9e60810dc2cc5071
SHA256: 08a3ac79c87241a486bd486c417f336f801515ae196d0d4457c572bffce95086
SHA512: 43fff91d6a3fb6c1a846de9f5e10ee4cff92a8afab4b922c7342edcc09ca766972ec74e384d987bd0b8f76cd3001165c4ce4a25ade7f0c5e2552a5923e088947

Filesize: 268KB
MD5: 152d2e72616204365c774410ba243126
SHA1: e1f7edbc74e17a3d2de83273b54f71f36906c05c
SHA256: 9d62de209a15955ac366e251c25afc69b6d420b88fd90522efeaeae72712a4ca
SHA512: e60e2c99db99e5839f8825a4db98157d2f20cdc6d4692d031d325d9c230459d14748b466bb7344cdbd724a2fa7bf12dcd157bd1c2645d58490a4e42105f271f9

Filesize: 1.0MB
MD5: 40b9628354ef4e6ef3c87934575545f4
SHA1: 8fb5da182dea64c842953bf72fc573a74adaa155
SHA256: 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
SHA512: 02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

Filesize: 135KB
MD5: a2d70fbab5181a509369d96b682fc641
SHA1: 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA256: 8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512: 219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

Filesize: 37KB
MD5: b6500c7d86f28103ce38a101463935e7
SHA1: caca60dab0231fecfbea90e6bd3b66e6aae147a5
SHA256: bf896e89241141126c6e1060287d6ddbbcf4b4eecb0069a158e9260f2a1c8c89
SHA512: fbd25f24a04b5afc19bc8d5e247c90835fb277bc8fd160b2b7bc6b0bc15acc9d5db67d63a6f6a9d2f2a6b89ec10828383bff66997017aed6fe3ee4333e423a5f

Filesize: 506KB
MD5: 70027836924f5aa4475aa017bce9073e
SHA1: eae3b0e38812b09180dda8ae5a1fe02636e42c1a
SHA256: aa515331c99449c42be52bfd4505dbe0a5fee6937e49e473b1f0c3052f160c51
SHA512: b8cbb2dc42620ee8b9aea0ed87bed068cda19d83786a136ef2b4f716c0ab5fa762e408151d6b606cdaed0f007baf098a6a96d24fa2293acb0900b33d0726aeec

Filesize: 1.1MB
MD5: b96b64ed4307558b37759450672f7143
SHA1: 7e2ebae7cc2eb573cb1ed7207544e10f4ae5aec1
SHA256: 69b12de013dea740730d777bcc7cc3ac561d583a2eb6a853524ff03057a430cf
SHA512: d1c2663138b1b3c480cc923aab0337e316a4d0e58e2900099f78d4733851c0f3954e1165475361e790124cc9f7e0a5d8067e9f266bc0e3a29527591f2258a3c5

Filesize: 1.9MB
MD5: c594d746ff6c99d140b5e8da97f12fd4
SHA1: f21742707c5f3fee776f98641f36bd755e24a7b0
SHA256: 572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec
SHA512: 33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b