Analysis
max time kernel: 148s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-06-2024 12:41
Static task: static1
Behavioral task: behavioral1
  Sample: 1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
  Resource: win10v2004-20240611-en
Behavioral task: behavioral2
  Sample: 1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
  Resource: win11-20240508-en
General
Target: 1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
Size: 211KB
MD5: 1409b5a7ac2a6be45fa954730b058da4
SHA1: 00eab66887ff6ff4d6325d8a0e74adb624faf6de
SHA256: 1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688
SHA512: af224d8fda6b8c6df5aae108dc5d300fef45deab525109fc8d61498714d8b037bb63f2276e163c7997566c336fe6ed884b70282986e6ebab22bfbbe6071d5642
SSDEEP: 3072:SIJoMdlOBVvu8OnD7F7CE4BOe3uqHh+JJGmkx8:/dlOrvg0E4wQQJ2
Malware Config
Extracted: smokeloader
  pub2
Signatures
SmokeLoader
  Modular backdoor trojan in use since 2014.
Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    3028  3044        WerFault.exe  1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
Processes
C:\Users\Admin\AppData\Local\Temp\1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e7fb39c52ba502920d98374e0cdf8a2447c737bd0b88c06839e81be3a751688.exe"
  - Checks SCSI registry key(s)
  C:\Windows\SysWOW64\WerFault.exe (child)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 352
    - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3044 -ip 3044
Downloads
memory/3044-3-0x0000000000400000-0x000000000040B000-memory.dmp  Filesize: 44KB
memory/3044-2-0x0000000002E50000-0x0000000002E5B000-memory.dmp  Filesize: 44KB
memory/3044-1-0x0000000002F10000-0x0000000003010000-memory.dmp  Filesize: 1024KB
memory/3044-4-0x0000000000400000-0x0000000002BEE000-memory.dmp  Filesize: 39.9MB