Analysis
-
max time kernel
162s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
25-06-2024 10:58
General
-
Target
1.exe
-
Size
227KB
-
MD5
4c2fac8f9227cdb10b5b8056f396629b
-
SHA1
3e84121bee19dd64d74ef41196a09894a6017d73
-
SHA256
496f578f68fcef476f7c8d92322a3536f507e45704b8e1c87c56056e19c1e391
-
SHA512
10297336f66bb57fd6d1d8a563dd507d05b79d63cec50e3069593055b1b21f41c8de10284f7d6d2ece981e68bd3970252f3e7700d0fa3f602867f5f5b95ed3b6
-
SSDEEP
3072:1Jr6zgrn0rzKl3g5hxsrtYvyjIo3T8NAf68hu0nPsZciXcYW43hK:1hnezKl3UstVIo3T8ONhZPKVs
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://movlat.com/tmp/
http://llcbc.org/tmp/
http://lindex24.ru/tmp/
http://qeqei.xyz/tmp/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵
-
C:\Users\Admin\AppData\Roaming\diatbusC:\Users\Admin\AppData\Roaming\diatbus1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\diatbusFilesize
227KB
MD54c2fac8f9227cdb10b5b8056f396629b
SHA13e84121bee19dd64d74ef41196a09894a6017d73
SHA256496f578f68fcef476f7c8d92322a3536f507e45704b8e1c87c56056e19c1e391
SHA51210297336f66bb57fd6d1d8a563dd507d05b79d63cec50e3069593055b1b21f41c8de10284f7d6d2ece981e68bd3970252f3e7700d0fa3f602867f5f5b95ed3b6
-
memory/792-1-0x0000000000640000-0x0000000000740000-memory.dmpFilesize
1024KB
-
memory/792-2-0x0000000000600000-0x000000000060B000-memory.dmpFilesize
44KB
-
memory/792-3-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/792-4-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/792-9-0x0000000000600000-0x000000000060B000-memory.dmpFilesize
44KB
-
memory/792-10-0x0000000000400000-0x000000000040B000-memory.dmpFilesize
44KB
-
memory/792-8-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/3240-5-0x0000000000D70000-0x0000000000D86000-memory.dmpFilesize
88KB
-
memory/3240-18-0x0000000000D90000-0x0000000000DA6000-memory.dmpFilesize
88KB
-
memory/3856-17-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/3856-19-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB