Overview

overview

10

Static

static

3

1.exe

windows7-x64

10

1.exe

windows10-1703-x64

10

1.exe

windows10-2004-x64

10

1.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1.exe

  • Size

    210KB

  • MD5

    4e44bde7f6f84e7ce196f0e50c1e7f92

  • SHA1

    eaeef05bdb27936123080a9f7d40f463676be208

  • SHA256

    19cd5aee7659c7f0acede05ea290754cc649e72929f66b9c6903fa2c8da0d1cd

  • SHA512

    06f9ca3d6c6a928a586f5b09c5cfe13c5348c45dbbb047da7fb60caf8a6b710ec3dfd5854b3e1a29b777cca2c573b261f7716edbc5d495b56542d014e4715b14

  • SSDEEP

    3072:quWoMdlOhv3B1lvqWRSFbr4ZDvuWwvE4lXihNWoH2pA8:ydlO5nliH4oWwBiM

Score
10/10
smokeloaderpub1backdoortrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

C2

http://evilos.cc/tmp/index.php

http://gebeus.ru/tmp/index.php

http://office-techs.biz/tmp/index.php

http://cx5519.com/tmp/index.php
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes itself 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4048
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3836 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:556

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3360-6-0x0000000002FE0000-0x0000000002FF6000-memory.dmp
      Filesize

      88KB

      Download
    • memory/4048-1-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/4048-2-0x0000000002D90000-0x0000000002D9B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4048-4-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4048-3-0x0000000000400000-0x0000000002BEE000-memory.dmp
      Filesize

      39.9MB

      Download
    • memory/4048-5-0x0000000000400000-0x0000000002BEE000-memory.dmp
      Filesize

      39.9MB

      Download
    • memory/4048-11-0x0000000000400000-0x000000000040B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4048-10-0x0000000002D90000-0x0000000002D9B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4048-7-0x0000000000400000-0x0000000002BEE000-memory.dmp
      Filesize

      39.9MB

      Download