Analysis
-
max time kernel
129s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-08-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe
Resource
win10v2004-20240802-en
General
-
Target
80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe
-
Size
469KB
-
MD5
793a58e683a54d24d3c6bae96df29d65
-
SHA1
09e7bdc6a52fa3290fa7e9ee0471c0d1e445a2ce
-
SHA256
80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce
-
SHA512
f9d6a7d6bdcdfcc3507c55de2e2273e8681f5e8002cffd543bd664064c7e96c35137323f21a742bb00a6cadfc66e06084ddab3ba68207e97cbfa55fc7ec83e42
-
SSDEEP
12288:QvIGc227fgEH/ZnTzlyi3EV/189JhnuYfW9akuz:Ax27Jf9Txye6CJRGDu
Malware Config
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1768 set thread context of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1768 wrote to memory of 3676 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 87 PID 1768 wrote to memory of 3676 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 87 PID 1768 wrote to memory of 3676 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 87 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88 PID 1768 wrote to memory of 3748 1768 80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"2⤵PID:3676
-
-
C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"C:\Users\Admin\AppData\Local\Temp\80f14f5249c49d21ea607b34fa793d523e03acda8298b1ab1ae8a3d55428c6ce.exe"2⤵
- Checks SCSI registry key(s)
PID:3748
-
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Requestg.bing.comIN A
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.86.106.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTRResponse81.144.22.2.in-addr.arpaIN PTRa2-22-144-81deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request81.144.22.2.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request68.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request198.187.3.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request71.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request0.159.190.20.in-addr.arpaIN PTR
-
2.0kB 92 B 10 2
-
156 B 3
-
156 B 3
-
261 B 132 B 3 3
-
196 B 132 B 4 3
-
198 B 90 B 3 1
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
-
168 B 148 B 3 1
DNS Request
g.bing.com
DNS Request
g.bing.com
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
365 B 5
DNS Request
217.106.137.52.in-addr.arpa
DNS Request
217.106.137.52.in-addr.arpa
DNS Request
217.106.137.52.in-addr.arpa
DNS Request
217.106.137.52.in-addr.arpa
DNS Request
217.106.137.52.in-addr.arpa
-
360 B 5
DNS Request
10.28.171.150.in-addr.arpa
DNS Request
10.28.171.150.in-addr.arpa
DNS Request
10.28.171.150.in-addr.arpa
DNS Request
10.28.171.150.in-addr.arpa
DNS Request
10.28.171.150.in-addr.arpa
-
198 B 90 B 3 1
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
DNS Request
8.8.8.8.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
13.86.106.20.in-addr.arpa
DNS Request
13.86.106.20.in-addr.arpa
-
142 B 157 B 2 1
DNS Request
26.35.223.20.in-addr.arpa
DNS Request
26.35.223.20.in-addr.arpa
-
140 B 133 B 2 1
DNS Request
81.144.22.2.in-addr.arpa
DNS Request
81.144.22.2.in-addr.arpa
-
146 B 144 B 2 1
DNS Request
95.221.229.192.in-addr.arpa
DNS Request
95.221.229.192.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
68.159.190.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
198.187.3.20.in-addr.arpa
-
288 B 158 B 4 1
DNS Request
71.159.190.20.in-addr.arpa
DNS Request
71.159.190.20.in-addr.arpa
DNS Request
71.159.190.20.in-addr.arpa
DNS Request
71.159.190.20.in-addr.arpa
-
355 B 157 B 5 1
DNS Request
0.159.190.20.in-addr.arpa
DNS Request
0.159.190.20.in-addr.arpa
DNS Request
0.159.190.20.in-addr.arpa
DNS Request
0.159.190.20.in-addr.arpa
DNS Request
0.159.190.20.in-addr.arpa