Analysis
- max time kernel: 150s
- max time network: 194s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-08-2021 11:49
Static task: static1
Behavioral task: behavioral1
  Sample: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Resource: win10v20210410
General
- Target: 51d84ec7f9fd6f9cc4ed1c491a6419df.exe
- Size: 182KB
- MD5: 51d84ec7f9fd6f9cc4ed1c491a6419df
- SHA1: fa21e010d7e6d52484ace0722d6e20dbc2c964f8
- SHA256: fdacbb575b9ae8cba7286e562abd4d3547089e0ea17b4885b3a4a738b83831fb
- SHA512: 212333b42e76fee070dbaadf67602a6fa4c5492823cd61034706b6b43f63f52b0dc26997976051178204c70a9bd9881ac10556bf96d4effd8a32d4e82f68363b
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 1200
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid  process                               target process
    PID 628 set thread context of 1736  628  51d84ec7f9fd6f9cc4ed1c491a6419df.exe  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    1736  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
    1736  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
    1200  (remaining 62 entries, all pid 1200; no process name recorded in the report)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1200
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1736  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid  process                               target process
    PID 628 wrote to memory of 1736  628  51d84ec7f9fd6f9cc4ed1c491a6419df.exe  51d84ec7f9fd6f9cc4ed1c491a6419df.exe
    (the same entry is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"
  PID: 628
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe (child of PID 628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\51d84ec7f9fd6f9cc4ed1c491a6419df.exe"
    PID: 1736
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/628-62-0x0000000000240000-0x000000000024A000-memory.dmp (Filesize: 40KB)
- memory/1200-63-0x0000000003970000-0x0000000003986000-memory.dmp (Filesize: 88KB)
- memory/1736-61-0x00000000757C1000-0x00000000757C3000-memory.dmp (Filesize: 8KB)
- memory/1736-60-0x0000000000402E1A-mapping.dmp
- memory/1736-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)