Analysis

  • max time kernel
    151s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    27-11-2020 19:29

General

  • Target

    161120.exe

  • Size

    340KB

  • MD5

    0a7ab9da9997bf3f75ec4549a9b9daf0

  • SHA1

    d5ffba8afc0cccf2a3194c572db74605dd8879d3

  • SHA256

    1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8

  • SHA512

    3f03bd23458e05469df1623e55a71b6bdad1c7a9af2bf8e7f8750406bd17e759d8b1049ed1531aeee9da503fa86d692bc29ec1a94126be6ff20b647e2840ffbe

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://cent.live/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 899 IoCs
  • Suspicious behavior: MapViewOfSection 31 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 70 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\161120.exe
    "C:\Users\Admin\AppData\Local\Temp\161120.exe"
    1⤵
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1696
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:1296
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:1644
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:816
        • C:\Windows\SysWOW64\explorer.exe
          C:\Windows\SysWOW64\explorer.exe
          1⤵
            PID:1844
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:1512
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:1144
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:1532
                • C:\Windows\explorer.exe
                  C:\Windows\explorer.exe
                  1⤵
                    PID:316
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                      PID:1816
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe
                      1⤵
                        PID:1272
                      • C:\Windows\SysWOW64\explorer.exe
                        C:\Windows\SysWOW64\explorer.exe
                        1⤵
                          PID:1336
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                            PID:1636
                          • C:\Windows\SysWOW64\explorer.exe
                            C:\Windows\SysWOW64\explorer.exe
                            1⤵
                              PID:660
                            • C:\Windows\explorer.exe
                              C:\Windows\explorer.exe
                              1⤵
                                PID:1760
                              • C:\Windows\SysWOW64\explorer.exe
                                C:\Windows\SysWOW64\explorer.exe
                                1⤵
                                  PID:1084

Network

MITRE ATT&CK Enterprise v6

Downloads

  • \Users\Admin\AppData\Local\Temp\554B.tmp

    MD5

    d124f55b9393c976963407dff51ffa79

    SHA1

    2c7bbedd79791bfb866898c85b504186db610b5d

    SHA256

    ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

    SHA512

    278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
