Analysis
- max time kernel: 151s
- max time network: 105s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-12-2020 12:49
Static task: static1
Behavioral task: behavioral1 (Sample: rv223.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: rv223.exe, Resource: win10v20201028)
General
- Target: rv223.exe
- Size: 251KB
- MD5: dd567d0e96f65f9d3ad4f2104a916afe
- SHA1: b1746857545bddb127d31a9d9330267518b890d6
- SHA256: 26b4090ea03cb2f43a604a162c3784ad904262add41a51117dd7e5e4ccb188de
- SHA512: 6e1536e5f492496b6ac63f91feab723a18510978fee15ef3655155e527f4202903c74a928b7a8c3f1d24328ab8ca9023bd1e867bcbf658ce8af6f47d2a381c9e
Malware Config
Extracted: smokeloader 2020
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 1264
- Loads dropped DLL (1 IoC)
  Processes: pid 1204 rv223.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (rv223.exe):
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (771 IoCs)
  Processes: pid 1204 rv223.exe (2 entries); pid 1264 (repeated entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 1204 rv223.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: pid 1264 (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: pid 1264 (4 entries)
Downloads
- \Users\Admin\AppData\Local\Temp\2F6.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/1204-2-0x0000000005329000-0x000000000532A000-memory.dmp (Filesize: 4KB)
- memory/1204-3-0x0000000005410000-0x0000000005421000-memory.dmp (Filesize: 68KB)
- memory/1264-5-0x0000000002920000-0x0000000002936000-memory.dmp (Filesize: 88KB)