smokeloader | 1fe7b1173849114448eca5f4fe5e1d02ba49df20f466519a700a8765f4774979

Analysis

max time kernel
75s
max time network
136s
platform
windows10_x64
resource
win10
submitted
17-06-2020 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c99759a02ca32d1a7e8afa09130633f.exe
Size

237KB
MD5

2c99759a02ca32d1a7e8afa09130633f
SHA1

ddf98971664eb7b554c86b4ab2e2ba7d469f893c
SHA256

b65806521aa662bff2c655c8a7a3b6c8e598d709e35f3390df880a70c3fded40
SHA512

89df4e78c583f409beb3dde03a4e439ba52676dc8ecacd02271d2c30e3fc151c677446652cb7ec7a080c4c00dfc80d63fbdfb369b25deace1752d77b93310dcc

Score

10^/10

trojan backdoor smokeloader

Malware Config

Extracted

Family

smokeloader

Version

2018

http://ukcompany.me/

http://ukcompany.pw/

http://ukcompany.top/

rc4.i32

Signatures

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

2c99759a02ca32d1a7e8afa09130633f.exe

pid process

3060 2c99759a02ca32d1a7e8afa09130633f.exe
3060 2c99759a02ca32d1a7e8afa09130633f.exe

pid	process
3060	2c99759a02ca32d1a7e8afa09130633f.exe
3060	2c99759a02ca32d1a7e8afa09130633f.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2c99759a02ca32d1a7e8afa09130633f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	2c99759a02ca32d1a7e8afa09130633f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	2c99759a02ca32d1a7e8afa09130633f.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe
"C:\Users\Admin\AppData\Local\Temp\2c99759a02ca32d1a7e8afa09130633f.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Maps connected drives based on registry
PID:3060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3016-1-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/3060-0-0x0000000000A20000-0x0000000000A35000-memory.dmp

Filesize
84KB

Download