Analysis
- max time kernel: 151s
- max time network: 7s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-11-2020 13:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: w5ossf6nf.exe
- Resource: win7v20201028
General
- Target: w5ossf6nf.exe
- Size: 360KB
- MD5: c966ec47c0480c3a6be2a1231a83c8a1
- SHA1: b15e12449be1ea174dfd224935fa6d78e1c58f5a
- SHA256: 4b1f2c18b149fd0e878c362ffba50bb553d7bea93a795b33e398d032dc0b7663
- SHA512: 35b3b6e9aebaa447f2cbf6a9fb7d24985475870285c6ea1bde7b8ccfd3ea956761691e44103d391ec89d8af6f43d73627a09c1c36b19f24caeab1453edd69f5e
Malware Config
Extracted: smokeloader (2020)
C2 URLs:
- http://penodux.com/xsmkld/index.php
- http://tommusikirtyur.com/xsmkld/index.php
- http://ploaernysannyer.com/xsmkld/index.php
- http://dersmasfannyer.com/xsmkld/index.php
- http://derdsgdannyer.com/xsmkld/index.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Loads dropped DLL (1 IoC)
  Processes: w5ossf6nf.exe (PID 1668)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: w5ossf6nf.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: w5ossf6nf.exe (PID 1668, listed twice) and PID 1312 (no process name recorded, listed repeatedly)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1312
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: w5ossf6nf.exe (PID 1668)
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\45E1.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/1312-1-0x0000000002560000-0x0000000002576000-memory.dmp
  Filesize: 88KB