Analysis
max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
18-12-2024 12:48
Static task
static1
Behavioral task
behavioral1
Sample
sel2.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
sel2.exe
Resource
win10v2004-20241007-en
General
Target
sel2.exe
Size
13KB
MD5
efc5a4c8b73cf57f0608bfc850130c45
SHA1
e960e4e1e028c9a72cb9576092c1a827f49bda78
SHA256
8fd83c399a67bb90d113c4436d46534ceeaa5fbe890aef5afc7ea8fc85a2c155
SHA512
614c17111586bd7c4fa340b2678bb0e0afc1c03e74170ffffe38b694bd7a5ca694827224b0e81c0c5b89a58b3d2d6ef028323c2f4d90ecf990b2b56d3554be83
SSDEEP
192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4OtOONo:JAnLAXNy/m3/bTKOONo
Malware Config
Extracted
smokeloader
2017
http://dogewareservice.ru/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Smokeloader family
Program crash (1 IoC)
pid   pid_target   Process        procid_target
300   1796         WerFault.exe   29
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                           Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   sel2.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
pid    Process
1796   sel2.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid    Process    procid_target
PID 1796 wrote to memory of 300   1796   sel2.exe   30
PID 1796 wrote to memory of 300   1796   sel2.exe   30
PID 1796 wrote to memory of 300   1796   sel2.exe   30
PID 1796 wrote to memory of 300   1796   sel2.exe   30
Processes
C:\Users\Admin\AppData\Local\Temp\sel2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sel2.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1796
  C:\Windows\SysWOW64\WerFault.exe (nested under PID 1796)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1796 -s 260
    - Program crash
    PID: 300