Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10Resubmissions
12-11-2021 18:04
211112-wnzb8aahhm 1019-11-2020 10:08
201119-rhwlt38jrx 1018-11-2020 17:26
201118-htd4fq29va 10Analysis
-
max time kernel
307s -
max time network
378s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 10:08
Static task
static1
Behavioral task
behavioral1
Sample
1.bin/1.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
2019-09-02_22-41-10.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
31.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v20201028
Behavioral task
behavioral6
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral8
Sample
CVWSHSetup[1].bin/WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
HYDRA.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Keygen.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Lonelyscreen.1.2.9.keygen.by.Paradox/Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
LtHv0O2KZDK4M637.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
Magic_File_v3_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
OnlineInstaller.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.exe
Resource
win10v20201028
Behavioral task
behavioral18
Sample
SecurityTaskManager_Setup.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WSHSetup[1].exe
Resource
win10v20201028
Behavioral task
behavioral22
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral23
Sample
___ _ _____ __ ___/전산 및 비전산자료 보존 요청서/전산 및 비전산자료 보존 요.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
amtemu.v0.9.2.win-painter_edited.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral26
Sample
default.exe
Resource
win10v20201028
Behavioral task
behavioral27
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral28
Sample
good.exe
Resource
win10v20201028
Behavioral task
behavioral29
Sample
infected dot net installer.exe
Resource
win10v20201028
Behavioral task
behavioral30
Sample
oof.exe
Resource
win10v20201028
Behavioral task
behavioral31
Sample
ou55sg33s_1.exe
Resource
win10v20201028
General
-
Target
2019-09-02_22-41-10.exe
Malware Config
Extracted
smokeloader
2019
http://advertserv25.world/logstatx77/
http://mailstatm74.club/logstatx77/
http://kxservx7zx.club/logstatx77/
http://dsmail977sx.xyz/logstatx77/
http://fdmail709.club/logstatx77/
http://servicestar751.club/logstatx77/
http://staradvert9075.club/logstatx77/
http://staradvert1883.club/logstatx77/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Loads dropped DLL 1 IoCs
Processes:
2019-09-02_22-41-10.exepid process 1500 2019-09-02_22-41-10.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2019-09-02_22-41-10.exedescription pid process target process PID 816 set thread context of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
2019-09-02_22-41-10.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2019-09-02_22-41-10.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2019-09-02_22-41-10.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2019-09-02_22-41-10.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
2019-09-02_22-41-10.exepid process 1500 2019-09-02_22-41-10.exe 1500 2019-09-02_22-41-10.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2019-09-02_22-41-10.exedescription pid process target process PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe PID 816 wrote to memory of 1500 816 2019-09-02_22-41-10.exe 2019-09-02_22-41-10.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1500