Resubmissions

  • 04-10-2024 16:44  241004-t8yv3syhpd  10
  • 27-09-2024 16:54  240927-vepkzsvbre  10
  • 27-09-2024 16:44  240927-t86wpavard  10
  • 04-08-2024 18:04  240804-wnq1vawbpg  10
  • 03-08-2024 17:26  240803-vzvbzazekn  10
  • 03-08-2024 16:14  240803-tpp4tsshqa  10
  • 03-08-2024 15:52  240803-tbarzsseqc  10
  • 31-07-2024 19:40  240731-ydk3yszdpq  10
  • 31-07-2024 10:53  240731-my145atfmf  10

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-07-2024 10:53

General

  • Target

    15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe

  • Size

    150KB

  • MD5

    022f5345cfab4ef75476ffc7f708fcfe

  • SHA1

    81802b0a5f738b7333a60eece96441c1bca19792

  • SHA256

    15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71

  • SHA512

    6595ef6e3e0b65afd0a4f7d5bd5650466a4299df8284180b48ff0e30a537a42616a98c530fa4d39fdbe30eb1cc6c72fd749a98551890a0b488f04fd164b49f53

  • SSDEEP

    1536:YyuipsAiJm4cJI7CweL+eX9kEnOCGzJoQL2VwEeYIsUE4KvVf+boJPtgm4qeYwqN:FlpYU6vqXRPE2VyYIsf4K9ffFSqe72

Malware Config

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe
    "C:\Users\Admin\AppData\Local\Temp\15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Users\Admin\AppData\Local\Temp\15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe
      "C:\Users\Admin\AppData\Local\Temp\15aeb8380c7b5b50ed1e2ff29c342cfe5c29a26554020001f7f9f1449f996e71.exe"
      2⤵
      • Checks SCSI registry key(s)
      PID:4264

Network

  • DNS 8.8.8.8.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: dns.google
  • DNS 20.177.190.20.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • DNS 43.58.199.20.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • DNS 103.169.127.40.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • DNS 198.187.3.20.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • DNS 172.214.232.199.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • DNS 43.229.111.52.in-addr.arpa IN PTR, remote address 8.8.8.8:53; response: (empty)
  • 8.8.8.8:53  8.8.8.8.in-addr.arpa  dns  sent 66 B, received 90 B, 1 request, 1 response
  • 8.8.8.8:53  20.177.190.20.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response
  • 8.8.8.8:53  43.58.199.20.in-addr.arpa  dns  sent 71 B, received 157 B, 1 request, 1 response
  • 8.8.8.8:53  103.169.127.40.in-addr.arpa  dns  sent 73 B, received 147 B, 1 request, 1 response
  • 8.8.8.8:53  198.187.3.20.in-addr.arpa  dns  sent 71 B, received 157 B, 1 request, 1 response
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  sent 74 B, received 128 B, 1 request, 1 response
  • 8.8.8.8:53  43.229.111.52.in-addr.arpa  dns  sent 72 B, received 158 B, 1 request, 1 response


MITRE ATT&CK Enterprise v15

Downloads

  • memory/4264-2-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4264-3-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4264-4-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/4396-0-0x00000000004B0000-0x00000000004B8000-memory.dmp

    Filesize

    32KB

  • memory/4396-1-0x0000000002040000-0x0000000002049000-memory.dmp

    Filesize

    36KB
