Analysis
Max time kernel: 150s
Max time network: 113s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 22-07-2021 09:02

Static task: static1
Behavioral task: behavioral1
  Sample: 30e58538e3ddab70cc1edda521bfbba6.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 30e58538e3ddab70cc1edda521bfbba6.exe
  Resource: win10v20210410
General
Target: 30e58538e3ddab70cc1edda521bfbba6.exe
Size: 233KB
MD5: 30e58538e3ddab70cc1edda521bfbba6
SHA1: 862591b95d16216f74b6b197de4f4740a881ccb8
SHA256: 879f63c384febbffc5845be57df9c7ef33234b584f8059a38a3f4aafa2bc37e9
SHA512: 08de8cf30f6061c3f4057d617e2e8bc4be5e24a1b5a339d29bfa9655682f0f7f07301866436309a368a0af8efc4f6682d63532105ec62aff4b96c73504d26703
Malware Config
Extracted family: smokeloader
Version: 2020
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  Processes: pid 1700

Loads dropped DLL (1 IoC)
  Processes: pid 2772 30e58538e3ddab70cc1edda521bfbba6.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 4092 (30e58538e3ddab70cc1edda521bfbba6.exe) set thread context of PID 2772 (30e58538e3ddab70cc1edda521bfbba6.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (30e58538e3ddab70cc1edda521bfbba6.exe)
  Key queried:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (30e58538e3ddab70cc1edda521bfbba6.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (30e58538e3ddab70cc1edda521bfbba6.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2772 30e58538e3ddab70cc1edda521bfbba6.exe (2 entries); pid 1700 (remaining 62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1700

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 2772 30e58538e3ddab70cc1edda521bfbba6.exe

Suspicious use of UnmapMainImage (1 IoC)
  Processes: pid 1700

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4092 (30e58538e3ddab70cc1edda521bfbba6.exe) wrote to memory of PID 2772 (30e58538e3ddab70cc1edda521bfbba6.exe), recorded 6 times
Processes
C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Child process:
  C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\30e58538e3ddab70cc1edda521bfbba6.exe"
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\AE30.tmp
  MD5: 50741b3f2d7debf5d2bed63d88404029
  SHA1: 56210388a627b926162b36967045be06ffb1aad3
  SHA256: f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
  SHA512: fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3

memory/1700-118-0x0000000000F20000-0x0000000000F37000-memory.dmp
  Filesize: 92KB

memory/2772-115-0x0000000000402F68-mapping.dmp

memory/2772-114-0x0000000000400000-0x000000000040C000-memory.dmp
  Filesize: 48KB

memory/4092-117-0x00000000001E0000-0x00000000001EC000-memory.dmp
  Filesize: 48KB