Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-07-2024 03:36

General

  • Target

    2644-0-0x0000000000400000-0x000000000040B000-memory.exe

  • Size

    44KB

  • MD5

    9a8e35e64a1eef9901de5f532ffa1e50

  • SHA1

    18d143a439721f9fead500d364efe9f6995f3e6e

  • SHA256

    b5def31c7a9aaa76a5da266743d3a2efdd93d9daa568e5c1f43794f8ca99cfd9

  • SHA512

    1bfef3d00898b7aa4cf2177fc4bf2c656da9aff81e499f70e65de9b753dcad7d81d0c6ae6ae7b8a878ae663df88f39b5b0978e720cd60d9e81a7808e1df5f24c

  • SSDEEP

    768:o1rG+Sx0ruYuRyscrK+2Ohm7rDtHqnZzl1xP5SusjSLun9hQ++Kd:o5G+Sx0tz4vxkzHxP5Nsj8khQ+v

Malware Config

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2644-0-0x0000000000400000-0x000000000040B000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\2644-0-0x0000000000400000-0x000000000040B000-memory.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 36
      • Program crash
      PID:1032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1952-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB