Analysis

  • max time kernel
    75s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    17-06-2020 16:17

General

  • Target

    2c99759a02ca32d1a7e8afa09130633f.exe

  • Size

    237KB

  • MD5

    2c99759a02ca32d1a7e8afa09130633f

  • SHA1

    ddf98971664eb7b554c86b4ab2e2ba7d469f893c

  • SHA256

    b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40

  • SHA512

    89df4e78c583f409beb3dde03a4e439ba52676dc8ecacd02271d2c30e3fc151c677446652cb7ec7a080c4c00dfc80d63fbdfb369b25deace1752d77b93310dcc

Malware Config

Extracted

Family

smokeloader

Version

2018

C2

http://ukcompany.me/

http://ukcompany.pw/

http://ukcompany.top/

rc4.i32
rc4.i32

Signatures

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe
    "C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Maps connected drives based on registry
    PID:3060

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3016-1-0x0000000000F50000-0x0000000000F51000-memory.dmp

    Filesize

    4KB

  • memory/3060-0-0x0000000000A20000-0x0000000000A35000-memory.dmp

    Filesize

    84KB