Analysis

  • max time kernel
    91s
  • max time network
    99s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25-05-2024 19:00

General

  • Target

    207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe

  • Size

    3.0MB

  • MD5

    6d847896c20eb21cf6dc6a924138ef32

  • SHA1

    c254273ecdb71e8d9097f726739036a94dd84a90

  • SHA256

    207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd

  • SHA512

    92074de4057f7519cae0eded975479dce2021088b6560f30be8a673fd79c0db4384ff6c09ae81cdba9b61c34415a839a089f6ef05636215ccaf9fc2400d42bf6

  • SSDEEP

    98304:sfUbPHsTPGQE5rSKvY7FPmCOAJC+v6jJcmDcaS:sfUITl4YthO+Ca6VcmcL

Malware Config

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
    "C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4188
    • C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe
      "C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe" -burn.filehandle.attached=564 -burn.filehandle.self=572
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\RttHlp.exe
        "C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\RttHlp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
          C:\Users\Admin\AppData\Roaming\AgentNotepad_beta\RttHlp.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1188
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:3156
            • C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
              C:\Users\Admin\AppData\Local\Temp\UBA_control.exe
              6⤵
              • Loads dropped DLL
              PID:2120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\59d6e8fc

    Filesize

    750KB

    MD5

    f87c00cd3e195bd349822ec387b2ade0

    SHA1

    ecf8832c8b6e00334022830f45c59697537f5bea

    SHA256

    009c26fab58834fdef7a0b0e0ead05dd3edc7345426f725df81c51ea484743f6

    SHA512

    20a43d948a773cd99df3fc3c64570334439277047935b61d9e0064d02bc61712eace62a51d35928c46594cd2d582c8538dae52c79fb1013c8c90d713e0336ab4

  • C:\Users\Admin\AppData\Local\Temp\UBA_control.exe

    Filesize

    301KB

    MD5

    68cefdfbd2e1a35e8c4f144e37d77a76

    SHA1

    0a6637d5eb3c958a0136358d0290514c7309af73

    SHA256

    c50bffbef786eb689358c63fc0585792d174c5e281499f12035afa1ce2ce19c8

    SHA512

    88d79115a6a0c487bd39a00a202f2467f4e05991da780f29f33cfc1ca53d2c6489104d5fbbe7e70167eb20c958b0322690454aec9ab1776d265ab8c558e971f6

  • C:\Windows\Temp\{6702FAB7-A74C-4EA6-A3C8-20AB3D65BC40}\.cr\207042a4dfd4d096e220b218e4969fc819afecca1dbda192991357896ffd28dd.exe

    Filesize

    2.7MB

    MD5

    51c6396f186485cc5c7b78c0b12c6080

    SHA1

    b8adf225ef1652010c0b14df9e60810dc2cc5071

    SHA256

    08a3ac79c87241a486bd486c417f336f801515ae196d0d4457c572bffce95086

    SHA512

    43fff91d6a3fb6c1a846de9f5e10ee4cff92a8afab4b922c7342edcc09ca766972ec74e384d987bd0b8f76cd3001165c4ce4a25ade7f0c5e2552a5923e088947

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\Country.dll

    Filesize

    268KB

    MD5

    152d2e72616204365c774410ba243126

    SHA1

    e1f7edbc74e17a3d2de83273b54f71f36906c05c

    SHA256

    9d62de209a15955ac366e251c25afc69b6d420b88fd90522efeaeae72712a4ca

    SHA512

    e60e2c99db99e5839f8825a4db98157d2f20cdc6d4692d031d325d9c230459d14748b466bb7344cdbd724a2fa7bf12dcd157bd1c2645d58490a4e42105f271f9

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\Register.dll

    Filesize

    1.0MB

    MD5

    40b9628354ef4e6ef3c87934575545f4

    SHA1

    8fb5da182dea64c842953bf72fc573a74adaa155

    SHA256

    372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

    SHA512

    02b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\RttHlp.exe

    Filesize

    135KB

    MD5

    a2d70fbab5181a509369d96b682fc641

    SHA1

    22afcdc180400c4d2b9e5a6db2b8a26bff54dd38

    SHA256

    8aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473

    SHA512

    219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\aesthete.tar

    Filesize

    37KB

    MD5

    b6500c7d86f28103ce38a101463935e7

    SHA1

    caca60dab0231fecfbea90e6bd3b66e6aae147a5

    SHA256

    bf896e89241141126c6e1060287d6ddbbcf4b4eecb0069a158e9260f2a1c8c89

    SHA512

    fbd25f24a04b5afc19bc8d5e247c90835fb277bc8fd160b2b7bc6b0bc15acc9d5db67d63a6f6a9d2f2a6b89ec10828383bff66997017aed6fe3ee4333e423a5f

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\coronal.html

    Filesize

    506KB

    MD5

    70027836924f5aa4475aa017bce9073e

    SHA1

    eae3b0e38812b09180dda8ae5a1fe02636e42c1a

    SHA256

    aa515331c99449c42be52bfd4505dbe0a5fee6937e49e473b1f0c3052f160c51

    SHA512

    b8cbb2dc42620ee8b9aea0ed87bed068cda19d83786a136ef2b4f716c0ab5fa762e408151d6b606cdaed0f007baf098a6a96d24fa2293acb0900b33d0726aeec

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\rtl120.bpl

    Filesize

    1.1MB

    MD5

    b96b64ed4307558b37759450672f7143

    SHA1

    7e2ebae7cc2eb573cb1ed7207544e10f4ae5aec1

    SHA256

    69b12de013dea740730d777bcc7cc3ac561d583a2eb6a853524ff03057a430cf

    SHA512

    d1c2663138b1b3c480cc923aab0337e316a4d0e58e2900099f78d4733851c0f3954e1165475361e790124cc9f7e0a5d8067e9f266bc0e3a29527591f2258a3c5

  • C:\Windows\Temp\{EE5BA147-2F78-4DD3-AA07-42A6AAB4D1CE}\.ba\vcl120.bpl

    Filesize

    1.9MB

    MD5

    c594d746ff6c99d140b5e8da97f12fd4

    SHA1

    f21742707c5f3fee776f98641f36bd755e24a7b0

    SHA256

    572edb7d630e9b03f93bd15135d2ca360176c1232051293663ec5b75c2428aec

    SHA512

    33b9902b2cf1154d850779cd012c0285882e158b9d1422c54ea9400ca348686773b6bacb760171060d1a0e620f8ff4a26ecd889dea3c454e8fc5fa59b173832b

  • memory/1188-48-0x0000000074310000-0x000000007448D000-memory.dmp

    Filesize

    1.5MB

  • memory/1188-46-0x0000000074310000-0x000000007448D000-memory.dmp

    Filesize

    1.5MB

  • memory/1188-47-0x00007FFA64280000-0x00007FFA64489000-memory.dmp

    Filesize

    2.0MB

  • memory/2104-44-0x0000000050120000-0x000000005030D000-memory.dmp

    Filesize

    1.9MB

  • memory/2104-43-0x0000000050000000-0x0000000050116000-memory.dmp

    Filesize

    1.1MB

  • memory/2104-36-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2104-24-0x00007FFA64280000-0x00007FFA64489000-memory.dmp

    Filesize

    2.0MB

  • memory/2104-23-0x0000000074310000-0x000000007448D000-memory.dmp

    Filesize

    1.5MB

  • memory/2120-59-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2120-60-0x0000000072FF0000-0x0000000074307000-memory.dmp

    Filesize

    19.1MB

  • memory/2120-68-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2120-65-0x00007FFA64280000-0x00007FFA64489000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-54-0x00007FFA64280000-0x00007FFA64489000-memory.dmp

    Filesize

    2.0MB

  • memory/3156-56-0x0000000074310000-0x000000007448D000-memory.dmp

    Filesize

    1.5MB