Analysis
-
max time kernel
155s -
max time network
128s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
25-11-2020 10:45
General
-
Target
0x000300000001ac99-126.exe
-
Size
300KB
-
MD5
ca58d4cf4a5e0725f844c8eae3f8ae67
-
SHA1
fbce92619ce23f4594846f2f789e513dab9f3239
-
SHA256
0e3774d65577253a820f1ee272d7a0c96e4c6a869ef8f749fe7f83d2fc49f054
-
SHA512
32bdfc2e72fff79c075d5f9ead8268f1e9e0648635fd977f6d8db62358c48d5451b64e639b1853bd87220a1157e74754e1109b3f1797f98ef02d5151fb09f4a9
Malware Config
Extracted
smokeloader
2020
http://vintrsi.com/upload/
http://woatdert.com/upload/
http://waruse.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 759 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe"C:\Users\Admin\AppData\Local\Temp\0x000300000001ac99-126.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
memory/1248-2-0x0000000003C30000-0x0000000003C46000-memory.dmpFilesize
88KB
-
memory/1688-0-0x0000000005F30000-0x0000000005F41000-memory.dmpFilesize
68KB