Analysis

  • max time kernel: 56s
  • max time network: 56s
  • platform: windows7_x64
  • resource: win7
  • submitted: 17-06-2020 16:17

General

  • Target: 2c99759a02ca32d1a7e8afa09130633f.exe
  • Size: 237KB
  • MD5: 2c99759a02ca32d1a7e8afa09130633f
  • SHA1: ddf98971664eb7b554c86b4ab2e2ba7d469f893c
  • SHA256: b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40
  • SHA512: 89df4e78c583f409beb3dde03a4e439ba52676dc8ecacd02271d2c30e3fc151c677446652cb7ec7a080c4c00dfc80d63fbdfb369b25deace1752d77b93310dcc

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2018
  • C2:
    http://ukcompany.me/
    http://ukcompany.pw/
    http://ukcompany.top/
  • rc4.i32
  • rc4.i32
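The three C2 URLs above are the indicators most worth operationalising from this report. The following is an added example (not code from the sandbox or from the sample) that turns the extracted C2 list into host indicators, runs them over a few constructed proxy-log lines, and emits Suricata rules for the hosts. The log format, client addresses and SIDs are assumptions chosen for the example; matching is on the exact hostname rather than a substring so that look-alike domains are not flagged.

```python
"""Operationalise the extracted SmokeLoader C2 list (added example, not the report's code)."""
import re
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
C2_URLS = [
    "http://ukcompany.me/",
    "http://ukcompany.pw/",
    "http://ukcompany.top/",
]

def c2_hosts(urls):
    """Return the set of lowercase hostnames from the C2 URL list."""
    return {urlparse(u).hostname.lower() for u in urls}

# Constructed proxy access-log lines (assumed layout: ts client method url status).
# The third line is a look-alike host that must NOT match.
SAMPLE_LOG = """\
1592410623.101 10.0.0.15 GET http://update.example.org/manifest.json 200
1592410631.447 10.0.0.15 POST http://ukcompany.me/ 200
1592410632.002 10.0.0.22 GET http://www.ukcompany.me.example.net/ 200
1592410640.913 10.0.0.15 POST http://UKCOMPANY.TOP/ 503
1592410655.280 10.0.0.31 GET http://cdn.example.com/lib.js 304
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

def scan_log(log_text, urls=C2_URLS):
    """Return (client, method, host, status) for every request to a C2 host.

    A failed beacon (non-2xx) is still reported: the attempt itself is the signal.
    """
    hosts = c2_hosts(urls)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if host and host.lower() in hosts:
            hits.append((m["client"], m["method"], host.lower(), int(m["status"])))
    return hits

def suricata_rules(urls=C2_URLS, base_sid=9000001):
    """One Suricata rule per C2 host, matching the HTTP Host header (SIDs are assumed)."""
    rules = []
    for i, host in enumerate(sorted(c2_hosts(urls))):
        rules.append(
            f'alert http any any -> any any (msg:"SmokeLoader C2 {host}"; '
            f'flow:to_server,established; http.host; content:"{host}"; nocase; '
            f'classtype:trojan-activity; sid:{base_sid + i}; rev:1;)'
        )
    return rules

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("C2 contact:", hit)
    print("\n".join(suricata_rules()))
```

Because the report's Network section is empty, nothing proves the sample reached these hosts during the 56 s run; the rules above catch the beacon when it does happen, and should be paired with DNS-resolution alerts on the same names.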

Signatures

  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.
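To make the "maps connected drives based on registry" signature concrete, here is an added example (not the sample's own code and not from the report) that emulates the check: it enumerates the disk device IDs Windows records in the registry and looks for hypervisor vendor strings. The registry key used, HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum, and the vendor token list are assumptions of this example, chosen because that key is the usual source of such strings; the device IDs are constructed test data in the real Disk\Enum value format.

```python
"""Emulate a registry-based VM/sandbox check on disk device IDs (added example)."""
import sys

# Assumed key: Windows keeps one value per attached disk here, plus "Count".
DISK_ENUM_KEY = r"SYSTEM\CurrentControlSet\Services\Disk\Enum"

# Constructed token list: substrings of a disk instance ID that reveal a hypervisor.
VM_TOKENS = ("vmware", "vbox", "virtual", "qemu", "xen")

def read_disk_enum():
    """Read the Disk\\Enum values on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DISK_ENUM_KEY) as key:
        count = winreg.QueryValueEx(key, "Count")[0]
        for i in range(count):
            values.append(winreg.QueryValueEx(key, str(i))[0])
    return values

def vm_indicators(disk_ids, tokens=VM_TOKENS):
    """Return (device_id, token) for every disk ID containing a VM token."""
    hits = []
    for dev in disk_ids:
        low = dev.lower()
        for tok in tokens:
            if tok in low:
                hits.append((dev, tok))
                break
    return hits

def looks_like_sandbox(disk_ids):
    """True if any attached disk identifies as a virtual device."""
    return bool(vm_indicators(disk_ids))

# Constructed Disk\Enum values (bus\vendor&product\instance).
VM_DISKS = [r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1982005&0&000000"]
PHYS_DISKS = [
    r"SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HAJQ\4&2a9f1e&0&000000",
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C5300012\0",
]

if __name__ == "__main__":
    live = read_disk_enum()
    print("live disk IDs:", live or "(not on Windows)")
    print("VM disks flagged:", vm_indicators(VM_DISKS))
    print("physical disks flagged:", vm_indicators(PHYS_DISKS))
```

Two practical consequences follow. For analysis, a sandbox whose disk identifiers still carry the hypervisor's vendor string will fail this check, which is one reason a sample may go quiet after a few seconds. For detection, reads of this key are not covered by Sysmon registry events (those log create, set, delete and rename only); they surface only if an audit SACL is placed on the key so that Windows logs an object-access event for the read.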

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe
    "C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe"
    • Suspicious behavior: MapViewOfSection
    • Maps connected drives based on registry
    PID: 240

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1


Downloads

  • memory/240-0-0x0000000000290000-0x00000000002A5000-memory.dmp (Filesize: 84KB)
  • memory/1208-2-0x0000000004D60000-0x0000000004D61000-memory.dmp (Filesize: 4KB)