Resubmissions
27-08-2020 15:47
200827-m1jren2nas 10Analysis
-
max time kernel
129s -
max time network
154s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
27-08-2020 15:47
General
-
Target
7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe
-
Size
181KB
-
MD5
80d3605d4b180cdd2fef6cb6312942bd
-
SHA1
12386eee0db55c3c612c92b7912d6f5eceaaffdc
-
SHA256
7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91
-
SHA512
cfb0f5785978586aeaec6a832f0dfae13039c07f977f0afb63fcdbb27981b7bc95ecaf202c7a5ddfec9b47bbf1c5c00c2cfdbc471035311b2458dec6a2e65fd9
Malware Config
Extracted
smokeloader
2020
http://rexstat35x.xyz/statweb955/
http://dexspot2x.xyz/statweb955/
http://atxspot20x.xyz/statweb955/
http://rexspot7x.xyz/statweb955/
http://fdmail85.club/statweb955/
http://servicem977x.xyz/statweb955/
http://advertxman7x.xyz/statweb955/
http://starxpush7x.xyz/statweb955/
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 5 IoCs
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 256 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 636 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 8 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"C:\Users\Admin\AppData\Local\Temp\7c9eba57cb8262a908dc10929cf38b8e4e0af9f5a3f69bdf226b151761580e91.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\A248.exeC:\Users\Admin\AppData\Local\Temp\A248.exe1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Users\Admin\AppData\Local\Temp\A362.exeC:\Users\Admin\AppData\Local\Temp\A362.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\A778.exeC:\Users\Admin\AppData\Local\Temp\A778.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\AB11.exeC:\Users\Admin\AppData\Local\Temp\AB11.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ACF6.exeC:\Users\Admin\AppData\Local\Temp\ACF6.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
-
Filesize
68KB
-
Filesize
4KB
-
-
Filesize
40KB
-
-
-
Filesize
68KB
-
-
Filesize
4KB