Analysis
max time kernel: 63s
max time network: 67s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 12:48
Static task: static1
Behavioral task: behavioral1
  Sample: sel2.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: sel2.exe
  Resource: win10v2004-20241007-en
General
Target: sel2.exe
Size: 13KB
MD5: efc5a4c8b73cf57f0608bfc850130c45
SHA1: e960e4e1e028c9a72cb9576092c1a827f49bda78
SHA256: 8fd83c399a67bb90d113c4436d46534ceeaa5fbe890aef5afc7ea8fc85a2c155
SHA512: 614c17111586bd7c4fa340b2678bb0e0afc1c03e74170ffffe38b694bd7a5ca694827224b0e81c0c5b89a58b3d2d6ef028323c2f4d90ecf990b2b56d3554be83
SSDEEP: 192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4OtOONo:JAnLAXNy/m3/bTKOONo
Malware Config
Extracted
Family: smokeloader
Version: 2017
C2: http://dogewareservice.ru/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Smokeloader family
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description        ioc                                                          Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    sel2.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  sel2.exe
Program crash (1 IoC)
pid   pid_target  Process       procid_target
2616  2716        WerFault.exe  92
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                       Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  sel2.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3092  sel2.exe  (this same pid/Process pair is listed for all 64 IoCs)
Suspicious behavior: MapViewOfSection (2 IoCs)
pid   Process
3092  sel2.exe
3092  sel2.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process   procid_target
PID 3092 wrote to memory of 2716  3092  sel2.exe  92
PID 3092 wrote to memory of 2716  3092  sel2.exe  92
PID 3092 wrote to memory of 2716  3092  sel2.exe  92
Processes

C:\Users\Admin\AppData\Local\Temp\sel2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\sel2.exe"
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 3092

  C:\Windows\SysWOW64\explorer.exe
    command line: explorer.exe
    - System Location Discovery: System Language Discovery
    PID: 2716

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1244
      - Program crash
      PID: 2616

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2716 -ip 2716
  PID: 4640