Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-03-2021 18:19

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: dab5cb3a_extracted.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: dab5cb3a_extracted.exe
  Resource: win10v20201028
General
- Target: dab5cb3a_extracted.exe
- Size: 13KB
- MD5: d32944081c256e418c96f098cf3ba2a1
- SHA1: 1b9ca30b52daefe9a289ca2fdf4ec6eeca4c4053
- SHA256: 1f617db02129529020fcb97ddceab04c9234ba4339f1d27e24679e0ea708aa2d
- SHA512: 9b37fd264633116e1f9dfd665d58c7fe218c5bcd68ecbd6604ccaaef206ef2b3b0b84b4aee7f66c2b9b8f6c18899aeda627798f244fee2922025c3b72ef1243a
Malware Config
Extracted
- Family: smokeloader
- Version: 2017
- C2: http://dogewareservice.ru/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  - pid 1576: explorer.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - explorer.exe: Key created
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run
  - explorer.exe: Set value (str)
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cgasstic\\wdevftfh.exe"
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - dab5cb3a_extracted.exe: Key opened
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  - dab5cb3a_extracted.exe: Key value queried
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 3008: dab5cb3a_extracted.exe (64 identical entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  - pid 3008: dab5cb3a_extracted.exe (2 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 3008 wrote to memory of 1576; process dab5cb3a_extracted.exe (pid 3008), target process explorer.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\dab5cb3a_extracted.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dab5cb3a_extracted.exe"
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe
    - Deletes itself
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1576-3-0x0000000000000000-mapping.dmp
- memory/1576-5-0x0000000002DC0000-0x0000000002DCA000-memory.dmp (Filesize: 40KB)
- memory/1576-4-0x0000000000810000-0x0000000000C4F000-memory.dmp (Filesize: 4.2MB)
- memory/3008-2-0x0000000000100000-0x000000000010A000-memory.dmp (Filesize: 40KB)