Analysis
Max time kernel: 23s
Max time network: 25s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 28-12-2020 17:52
Static task: static1
Behavioral task: behavioral1
  Sample: eb928f21280095b1fd218c00e31a1231.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: eb928f21280095b1fd218c00e31a1231.exe
  Resource: win10v20201028
General
Target: eb928f21280095b1fd218c00e31a1231.exe
Size: 154KB
MD5: eb928f21280095b1fd218c00e31a1231
SHA1: cb26a64b6df40eaa0f2fb770efc489b3f6cebe10
SHA256: def3ea13d6bea242eceb7a032076e4127b463f83acab8e78bb60ba4ca4ae2709
SHA512: e01c9f42711aad46f8657817fa6f809bc68d638602f3b0eee485832be3bb269128a0994e7bec73646b0f6bd68a61b8200a50d3aa19e6d988bc0c46dae7246bc9
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
  http://vtdilet.com/upload/
  http://netvxi.com/upload/
  http://tinnys.monster/upload/
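The three C2 URLs above are the most directly actionable part of this report. The following is an added example (not sandbox output and not SmokeLoader code) that turns them into host-based network indicators, emits one Suricata rule per host using the `http.host` sticky buffer, and runs the indicators over a handful of constructed proxy log lines. The five-field log layout, the timestamps, the client IPs and the SID range are all assumptions made for the example.

```python
"""Turn the C2 URLs extracted from this sample's SmokeLoader config into
network indicators, emit Suricata rules for them, and run the indicators over
constructed HTTP proxy log lines.  Added example for this page; nothing here
is sandbox output or SmokeLoader code."""
from urllib.parse import urlparse

# C2 URLs exactly as listed in the extracted config above.
SMOKELOADER_C2 = [
    "http://vtdilet.com/upload/",
    "http://netvxi.com/upload/",
    "http://tinnys.monster/upload/",
]


def c2_indicators(urls):
    """Map each C2 hostname (lower-cased) to the set of URL paths seen for it."""
    indicators = {}
    for url in urls:
        parsed = urlparse(url)
        indicators.setdefault(parsed.hostname.lower(), set()).add(parsed.path or "/")
    return indicators


def suricata_rules(indicators, sid_base=9000001):
    """One Suricata rule per C2 host, matching on the HTTP Host header
    (http.host sticky buffer). The SID range is assumed free locally."""
    rules = []
    for n, host in enumerate(sorted(indicators)):
        rules.append(
            "alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"SmokeLoader C2 host {host}"; flow:established,to_server; '
            f'http.host; content:"{host}"; nocase; sid:{sid_base + n}; rev:1;)'
        )
    return rules


def parse_proxy_line(line):
    """Parse a constructed proxy log line: '<ts> <client> <method> <url> <status>'.
    This five-field layout is an assumption for the example, not a real log format."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, url, status = fields
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    return {"ts": ts, "client": client, "method": method,
            "host": parsed.hostname.lower(), "path": parsed.path or "/",
            "status": status}


def match_log(lines, indicators):
    """Return (client, host, path, confidence) for every line whose host is a
    C2 host. A full host+path match is 'high'; host-only is 'medium', since
    the same domain may be contacted at other paths (e.g. favicon fetches)."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        paths = indicators.get(rec["host"])
        if paths is None:
            continue
        confidence = "high" if rec["path"] in paths else "medium"
        hits.append((rec["client"], rec["host"], rec["path"], confidence))
    return hits


# Constructed log lines for the demo; timestamps and client IPs are invented.
SAMPLE_LOG = [
    "2020-12-28T17:53:01Z 10.0.0.23 POST http://vtdilet.com/upload/ 200",
    "2020-12-28T17:53:02Z 10.0.0.23 GET http://www.microsoft.com/ 200",
    "2020-12-28T17:53:05Z 10.0.0.41 POST http://tinnys.monster/upload/ 404",
    "2020-12-28T17:53:09Z 10.0.0.23 GET http://NETVXI.com/favicon.ico 404",
    "2020-12-28T17:53:10Z 10.0.0.7 GET http://example.com/upload/ 200",
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    iocs = c2_indicators(SMOKELOADER_C2)
    for rule in suricata_rules(iocs):
        print(rule)
    for hit in match_log(SAMPLE_LOG, iocs):
        print(hit)
```

Matching is keyed on the hostname rather than the full URL on purpose: a host that was a C2 on 28-12-2020 is worth a hit at any path, and a request to a different host at `/upload/` (the example.com line) is not, since that path is far too generic to stand on its own.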
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Deletes itself (1 IoC)
Processes:
  pid 2260  (process name not captured)
Loads dropped DLL (1 IoC)
Processes:
  pid 3932  eb928f21280095b1fd218c00e31a1231.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eb928f21280095b1fd218c00e31a1231.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eb928f21280095b1fd218c00e31a1231.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eb928f21280095b1fd218c00e31a1231.exe
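Why this key matters: the subkeys under Enum\SCSI are device-instance names of the form Disk&Ven_<vendor>&Prod_<product>, and on a VM-based sandbox the vendor/product string usually names the hypervisor. The following is an added example (not the sample's code; the report does not record which strings SmokeLoader compares against) that parses those subkey names and flags hypervisor markers. The marker list and the constructed subkey names are assumptions; on Windows the `read_scsi_subkeys` helper performs the same open, query and enumerate operations the sandbox logged above.

```python
"""Illustrate the anti-sandbox check behind the 'Checks SCSI registry key(s)'
signature: enumerate HKLM\SYSTEM\ControlSet001\Enum\SCSI and look for a
hypervisor name in the disk vendor/product identifiers.  Added example, not
SmokeLoader's code; the marker strings are assumed common defaults."""
import re
import sys

SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Substrings that commonly appear in virtual-machine SCSI identifiers
# (assumption: the sample's own list is not recorded in the report).
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")

# Subkey names look like Disk&Ven_VMware&Prod_Virtual_disk, optionally with a
# trailing &Rev_<n> component.
_SUBKEY_RE = re.compile(r"(\w+)&Ven_([^&]*)&Prod_([^&]*)(?:&Rev_[^&]*)?")


def parse_scsi_subkey(name):
    """'Disk&Ven_VMware&Prod_Virtual_disk' -> ('Disk', 'VMware', 'Virtual_disk');
    None for names that do not follow the device-instance layout."""
    m = _SUBKEY_RE.fullmatch(name)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def looks_like_vm(subkeys):
    """Return the subkey names whose vendor or product contains a hypervisor marker."""
    hits = []
    for name in subkeys:
        parsed = parse_scsi_subkey(name)
        if parsed is None:
            continue
        _, vendor, product = parsed
        blob = f"{vendor} {product}".lower()
        if any(marker in blob for marker in HYPERVISOR_MARKERS):
            hits.append(name)
    return hits


def read_scsi_subkeys():
    """On Windows, enumerate the real key with the same three operations the
    sandbox logged (open, query info, enumerate). Returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module; imported lazily on purpose
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            names.append(winreg.EnumKey(key, i))
    return names


# Constructed subkey names: a VMware guest and a physical workstation.
VM_GUEST = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
PHYSICAL = [
    "Disk&Ven_Samsung&Prod_SSD_860_EVO",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]

if __name__ == "__main__":
    live = read_scsi_subkeys()
    for label, keys in (("vm-guest", VM_GUEST), ("physical", PHYSICAL), ("this host", live or [])):
        print(label, "->", looks_like_vm(keys))
```

The defensive counterpart is the reason hardened sandboxes rewrite these vendor strings: a `Disk&Ven_VMware` subkey is a one-line tell, whereas a relabelled `Disk&Ven_Samsung` disk forces the loader onto noisier checks such as the process enumeration also flagged in this report.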
Suspicious behavior: EnumeratesProcesses (302 IoCs)
Processes:
  pid 3932  eb928f21280095b1fd218c00e31a1231.exe  (2 entries)
  pid 2260  (process name not captured; all remaining listed entries)
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid 3932  eb928f21280095b1fd218c00e31a1231.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\CC4F.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

memory/2260-5-0x0000000000630000-0x0000000000646000-memory.dmp
  Filesize: 88KB

memory/3932-2-0x0000000004F66000-0x0000000004F67000-memory.dmp
  Filesize: 4KB

memory/3932-3-0x0000000005420000-0x0000000005421000-memory.dmp
  Filesize: 4KB