Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
307s -
max time network
378s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
General
-
Target
2019-09-02_22-41-10.exe
Score
10/10
Malware Config
Extracted
Family
smokeloader
Version
2019
C2
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
rc4.i32
rc4.i32
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\D47F.tmp
-
memory/816-0-0x0000000000B86000-0x0000000000B98000-memory.dmpFilesize
72KB
-
memory/816-1-0x0000000000ED0000-0x0000000000ED1000-memory.dmpFilesize
4KB
-
memory/1500-2-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/1500-3-0x0000000000402CED-mapping.dmp
-
memory/1500-5-0x0000000000560000-0x0000000000576000-memory.dmpFilesize
88KB
-
memory/3048-7-0x0000000000600000-0x0000000000601000-memory.dmpFilesize
4KB