Analysis
  max time kernel:  117s
  max time network: 118s
  platform:         windows7_x64
  resource:         win7-20240903-en
  resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:        09/11/2024, 16:29
Static task: static1

Behavioral task: behavioral1
  Sample:   aacd3ed57307a8b44476f58d2acb4049.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   aacd3ed57307a8b44476f58d2acb4049.exe
  Resource: win10v2004-20241007-en
General
  Target: aacd3ed57307a8b44476f58d2acb4049.exe
  Size:   265KB
  MD5:    aacd3ed57307a8b44476f58d2acb4049
  SHA1:   45ef04a77e25e37245932c9a5a2815b6d1a4e57d
  SHA256: f9b85d398c1e35b6da62ca02a435465e87fc3d30ab6a668e93cb06e8576d6f4d
  SHA512: 634c29fcce76a23e598be3a8a79833c2755c414ab7c34a3c0c1d7dce253ce9eff5abdfabe3c4c6a4a887bb8e25d4180dbcdae62e7f01576dcac7b91195b7b7ce
  SSDEEP: 6144:xhFj6Y0DHeNTP2z1cMdiKGher+dKzqZU:nFz0D+NTP2z5gKAer+Li
Malware Config
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Smokeloader family

- Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    2124  1732        WerFault.exe  29

- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    description  ioc                                                           Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  aacd3ed57307a8b44476f58d2acb4049.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
    description                        pid   Process                               procid_target
    PID 1732 wrote to memory of 2124   1732  aacd3ed57307a8b44476f58d2acb4049.exe  30
    PID 1732 wrote to memory of 2124   1732  aacd3ed57307a8b44476f58d2acb4049.exe  30
    PID 1732 wrote to memory of 2124   1732  aacd3ed57307a8b44476f58d2acb4049.exe  30
    PID 1732 wrote to memory of 2124   1732  aacd3ed57307a8b44476f58d2acb4049.exe  30
Processes
  C:\Users\Admin\AppData\Local\Temp\aacd3ed57307a8b44476f58d2acb4049.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aacd3ed57307a8b44476f58d2acb4049.exe"
    PID: 1732
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 136
      PID: 2124
      - Program crash