Analysis

Max time kernel: 151s
Max time network: 132s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 04-03-2021 18:20

Static task: static1

Behavioral task: behavioral1
  Sample: 5cd77b95_extracted.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 5cd77b95_extracted.exe
  Resource: win10v20201028
General

Target: 5cd77b95_extracted.exe
Size: 34KB
MD5: e21003354956dac75332fe47f41edce3
SHA1: 2c24803bc69bc42d4cc04e8e238b88706a0e9fa7
SHA256: 464998f5bf7c3490936b638d9b6431813aebc947080efe2dc6eb5a495588abab
SHA512: f4bf4fde08a2dbc12399c20131a24f656a71774674ac74b9a79911d67423b903fff0b35da19a0ff544f3145169f7a5ac378d706d1aa3ec364fd2237743feb679
Malware Config

Extracted: smokeloader
  2020
  http://lookupsky.net/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  Processes: pid 1196

Loads dropped DLL (1 IoC)
  Processes: pid 324 5cd77b95_extracted.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (5cd77b95_extracted.exe):
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 324 5cd77b95_extracted.exe; pid 1196

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 324 5cd77b95_extracted.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: pid 1196

Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: pid 1196
Processes

Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

\Users\Admin\AppData\Local\Temp\44DA.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/324-2-0x00000000766C1000-0x00000000766C3000-memory.dmp
  Filesize: 8KB

memory/1196-4-0x0000000003E50000-0x0000000003E66000-memory.dmp
  Filesize: 88KB