Analysis

  • max time kernel
    150s
  • max time network
    189s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    16-08-2021 09:12

General

  • Target

    2d62eb793b2649d519f14e3a9447089d.exe

  • Size

    163KB

  • MD5

    2d62eb793b2649d519f14e3a9447089d

  • SHA1

    3015db20b32a0bd68af5b08af8badc0dffc454a2

  • SHA256

    f0bc49d224a52c749f5f68149765b6a1420598013d1bf7456a6ea46faa476aab

  • SHA512

    321a57b63ca8ee150a9f6e56cffc907fb145b7591b0638b9cecff5b5960b67a58126e236fa1eaa506b8eca5c0c9435d87594fd47b36f14eff3e209de02e9bf0a

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

    suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d62eb793b2649d519f14e3a9447089d.exe
    "C:\Users\Admin\AppData\Local\Temp\2d62eb793b2649d519f14e3a9447089d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\2d62eb793b2649d519f14e3a9447089d.exe
      "C:\Users\Admin\AppData\Local\Temp\2d62eb793b2649d519f14e3a9447089d.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1848

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/468-62-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize

    40KB

  • memory/1200-63-0x00000000039D0000-0x00000000039E6000-memory.dmp
    Filesize

    88KB

  • memory/1848-59-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/1848-60-0x0000000000402E1A-mapping.dmp
  • memory/1848-61-0x0000000075051000-0x0000000075053000-memory.dmp
    Filesize

    8KB