Behavioral Report

Resubmissions

01-11-2020 15:20

201101-6gnva6fyd2 10

01-11-2020 15:16

201101-dvbselbzxx 10

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7v20201028
submitted
01-11-2020 15:16

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

2020-11-01_21-26-29.bin.exe
Size

234KB
MD5

dd22d3a34781601ebbe3020b7cd33356
SHA1

567dd97232f0cf9ecec13f82ff894d9c9ee0d013
SHA256

33fe9bbda8cc1dbaa70e85a203fb6a0ec2a82ce2edb0c5ac585be620e8b8a1b0
SHA512

c6c4d353a76b1a0c35791c58935ec426d3d67c2133cffb5332c5ab71c5424f5ba1acf398fd210285676f5b838646192791f67a8edceddfa7e4b0722cbef39316

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family	smokeloader
Version	2020
C2	http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/ http://etasuklavish.today/ http://mragyzmachnobesdi.today/ http://kimchinikuzims.today/ http://slacvostinrius.today/ http://straponuliusyn.today/ http://grammmdinss.today/ http://viprasputinsd.chimkent.su/ http://lupadypa.dagestan.su/ http://stoknolimchin.exnet.su/ http://musaroprovadnikov.live/ http://teemforyourexprensiti.life/ http://stolkgolmishutich.termez.su/ http://roompampamgandish.wtf/
rc4.i32
rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE ⋅ 1 IoCs

Processes:

F9D9.tmp.exe

pid process

1612 F9D9.tmp.exe
Deletes itself ⋅ 1 IoCs

Processes:

pid process

1272
Loads dropped DLL ⋅ 1 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid process

1640 2020-11-01_21-26-29.bin.exe

pid	process
1612	F9D9.tmp.exe

pid	process
1272

Checks SCSI registry key(s) ⋅ 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

TTPs:

Query Registry Peripheral Device Discovery System Information Discovery

Processes:

2020-11-01_21-26-29.bin.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2020-11-01_21-26-29.bin.exe

Suspicious behavior: EnumeratesProcesses ⋅ 698 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid	process
1640	2020-11-01_21-26-29.bin.exe
1640	2020-11-01_21-26-29.bin.exe
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272
1272

Suspicious behavior: GetForegroundWindowSpam ⋅ 1 IoCs

Processes:

pid process

1272
Suspicious behavior: MapViewOfSection ⋅ 1 IoCs

Processes:

2020-11-01_21-26-29.bin.exe

pid process

1640 2020-11-01_21-26-29.bin.exe
Suspicious use of AdjustPrivilegeToken ⋅ 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 1272
Token: SeShutdownPrivilege 1272
Suspicious use of FindShellTrayWindow ⋅ 4 IoCs

Processes:

pid process

1272
1272
1272
1272
Suspicious use of SendNotifyMessage ⋅ 7 IoCs

Processes:

pid process

1272
1272
1272
1272
1272
1272
1272

pid	process
1272

description	pid	process
Token: SeShutdownPrivilege	1272
Token: SeShutdownPrivilege	1272

pid	process
1272
1272
1272
1272

pid	process
1272
1272
1272
1272
1272
1272
1272

Suspicious use of WriteProcessMemory ⋅ 4 IoCs

Processes:

description	pid	target process
PID 1272 wrote to memory of 1612	1272	F9D9.tmp.exe
PID 1272 wrote to memory of 1612	1272	F9D9.tmp.exe
PID 1272 wrote to memory of 1612	1272	F9D9.tmp.exe
PID 1272 wrote to memory of 1612	1272	F9D9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\2020-11-01_21-26-29.bin.exe

"C:\Users\Admin\AppData\Local\Temp\2020-11-01_21-26-29.bin.exe"

Loads dropped DLL
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection

PID:1640

C:\Users\Admin\AppData\Local\Temp\F9D9.tmp.exe

C:\Users\Admin\AppData\Local\Temp\F9D9.tmp.exe

Executes dropped EXE

PID:1612

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\F9D9.tmp.exe
MD5
379a349d07c3868fdaadc8e3ec12b599

SHA1
8d2baed856232fc0f52a3ba30109aeac50034ed7

SHA256
1546dcf0f1d4721adc53ddeb7b66dbe800f21050621972afb975577f49e7bff4

SHA512
954840bfbb391e6f7f3f672a723b335124c73eb93fe4cf738866175bfd6e5167e3206a6cb5a0039a1ccca9e6a2519b3e1eb761dcc85ffccf6e20864e6385159a

Download Submit
\Users\Admin\AppData\Local\Temp\2F6.tmp
MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
memory/1272-3-0x0000000002990000-0x00000000029A6000-memory.dmp

Download
memory/1612-4-0x0000000000000000-mapping.dmp

Download
memory/1612-6-0x00000000024E9000-0x00000000024EA000-memory.dmp

Download
memory/1612-7-0x0000000003CE0000-0x0000000003CF1000-memory.dmp

Download
memory/1640-0-0x0000000002419000-0x000000000241A000-memory.dmp

Download
memory/1640-1-0x0000000003C30000-0x0000000003C41000-memory.dmp

Download