Analysis
- max time kernel: 151s
- max time network: 109s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 27-11-2020 19:29

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 161120.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: 161120.exe, Resource: win10v20201028)
General
- Target: 161120.exe
- Size: 340KB
- MD5: 0a7ab9da9997bf3f75ec4549a9b9daf0
- SHA1: d5ffba8afc0cccf2a3194c572db74605dd8879d3
- SHA256: 1a78aaf6aae3b9d9a32dc6c8cfe9182043f71a3d44e727464ab95a70fc24bbe8
- SHA512: 3f03bd23458e05469df1623e55a71b6bdad1c7a9af2bf8e7f8750406bd17e759d8b1049ed1531aeee9da503fa86d692bc29ec1a94126be6ff20b647e2840ffbe
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://cent.live/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Deletes itself (1 IoC)
  Processes:
    pid  | process
    1248 | (not recorded)

- Loads dropped DLL (1 IoC)
  Processes (161120.exe):
    pid  | process
    1696 | 161120.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (161120.exe):
    description    | ioc                                              | process
    Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 161120.exe
    Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 161120.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 161120.exe

- Suspicious behavior: EnumeratesProcesses (899 IoCs)
  Processes (161120.exe):
    pid  | process
    1696 | 161120.exe
    1696 | 161120.exe
    1248 | (not recorded), repeated for every remaining row shown; the table is truncated and 899 IoCs were recorded in total

- Suspicious behavior: MapViewOfSection (31 IoCs)
  Processes (161120.exe):
    pid  | process
    1696 | 161120.exe
    1248 | (not recorded), 30 rows

- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes:
    pid  | process
    1248 | (not recorded), 6 rows

- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes:
    pid  | process
    1248 | (not recorded), 6 rows

- Suspicious use of WriteProcessMemory (70 IoCs)
  Processes (64 rows shown of 70; the "target process" column is empty in every row):
    description                      | pid  | process      | rows
    PID 1248 wrote to memory of 1296 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1644 | 1248 | explorer.exe | 4
    PID 1248 wrote to memory of 816  | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1844 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1512 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1144 | 1248 | explorer.exe | 4
    PID 1248 wrote to memory of 1532 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 316  | 1248 | explorer.exe | 4
    PID 1248 wrote to memory of 1816 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1272 | 1248 | explorer.exe | 4
    PID 1248 wrote to memory of 1336 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1636 | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 660  | 1248 | explorer.exe | 5
    PID 1248 wrote to memory of 1760 | 1248 | explorer.exe | 3
Processes
All entries below are at depth 1 of the process tree.

- C:\Users\Admin\AppData\Local\Temp\161120.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\161120.exe"
  PID: 1696
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1296

- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 1644

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 816

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1844

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1512

- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 1144

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1532

- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 316

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1816

- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 1272

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1336

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1636

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 660

- C:\Windows\explorer.exe
  command line: C:\Windows\explorer.exe
  PID: 1760

- C:\Windows\SysWOW64\explorer.exe
  command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1084
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06