Analysis
-
max time kernel
150s -
max time network
135s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-12-2020 07:35
General
-
Target
dc7c1bf583939fef10df9f038b60fc24.exe
-
Size
136KB
-
MD5
dc7c1bf583939fef10df9f038b60fc24
-
SHA1
137b8059a231dba8c654771b09db028a9e72f20c
-
SHA256
430ff3dba43b7a63c4a04a52bf6794044a86c0084843c9f115118e789982bed6
-
SHA512
8950ed2fd5f76e23158cb39e48dd2502bec75cb8297731406a10ff787cc8ed4811caae0b022921c929250bdefaf0534ec9836e106a346cce7391f6989c37d1c1
Malware Config
Extracted
smokeloader
2020
http://vtdilet.com/upload/
http://netvxi.com/upload/
http://tinnys.monster/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 2627 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc7c1bf583939fef10df9f038b60fc24.exe"C:\Users\Admin\AppData\Local\Temp\dc7c1bf583939fef10df9f038b60fc24.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Roaming\seiuragC:\Users\Admin\AppData\Roaming\seiurag1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 2402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
C:\Users\Admin\AppData\Roaming\seiuragMD5
dc7c1bf583939fef10df9f038b60fc24
SHA1137b8059a231dba8c654771b09db028a9e72f20c
SHA256430ff3dba43b7a63c4a04a52bf6794044a86c0084843c9f115118e789982bed6
SHA5128950ed2fd5f76e23158cb39e48dd2502bec75cb8297731406a10ff787cc8ed4811caae0b022921c929250bdefaf0534ec9836e106a346cce7391f6989c37d1c1
-
C:\Users\Admin\AppData\Roaming\seiuragMD5
dc7c1bf583939fef10df9f038b60fc24
SHA1137b8059a231dba8c654771b09db028a9e72f20c
SHA256430ff3dba43b7a63c4a04a52bf6794044a86c0084843c9f115118e789982bed6
SHA5128950ed2fd5f76e23158cb39e48dd2502bec75cb8297731406a10ff787cc8ed4811caae0b022921c929250bdefaf0534ec9836e106a346cce7391f6989c37d1c1
-
\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
memory/988-2-0x00000000050C6000-0x00000000050C7000-memory.dmpFilesize
4KB
-
memory/988-3-0x0000000005530000-0x0000000005531000-memory.dmpFilesize
4KB
-
memory/1376-11-0x00000000041E0000-0x00000000041E1000-memory.dmpFilesize
4KB
-
memory/1376-12-0x00000000041E0000-0x00000000041E1000-memory.dmpFilesize
4KB
-
memory/2704-8-0x0000000004F16000-0x0000000004F17000-memory.dmpFilesize
4KB
-
memory/2704-9-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/3128-5-0x00000000011C0000-0x00000000011D6000-memory.dmpFilesize
88KB