Analysis
Max time kernel: 151s
Max time network: 179s
Platform: windows7_x64
Resource: win7v20210408
Submitted: 16-08-2021 09:50

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
  Resource: win10v20210408
General
Target: x2BFjy8SRtdIV0VKlMSL7WDQ.exe
Size: 194KB
MD5: ced17a3bd52eab4a5105c0e58945b9de
SHA1: 8a49a9f44a9940f768f3c6c23fe568b9c56554c5
SHA256: 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
SHA512: 4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2:
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Executes dropped EXE (2 IoCs)
Processes:
  PID 624  avsiedu
  PID 676  avsiedu

Deletes itself (1 IoCs)
Processes:
  PID 1212

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 1240 (x2BFjy8SRtdIV0VKlMSL7WDQ.exe) set thread context of PID 1976 (x2BFjy8SRtdIV0VKlMSL7WDQ.exe)
  PID 624 (avsiedu) set thread context of PID 676 (avsiedu)

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  avsiedu
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  avsiedu
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  avsiedu
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  x2BFjy8SRtdIV0VKlMSL7WDQ.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  x2BFjy8SRtdIV0VKlMSL7WDQ.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  x2BFjy8SRtdIV0VKlMSL7WDQ.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 1976  x2BFjy8SRtdIV0VKlMSL7WDQ.exe  (2 occurrences)
  PID 1212  (unnamed process; remaining 62 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 1212

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  PID 1976  x2BFjy8SRtdIV0VKlMSL7WDQ.exe
  PID 676   avsiedu

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  PID 1212  (4 occurrences)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  PID 1212  (4 occurrences)

Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 1240 (x2BFjy8SRtdIV0VKlMSL7WDQ.exe) wrote to memory of PID 1976 (x2BFjy8SRtdIV0VKlMSL7WDQ.exe)  (7 occurrences)
  PID 276 (taskeng.exe) wrote to memory of PID 624 (avsiedu)  (4 occurrences)
  PID 624 (avsiedu) wrote to memory of PID 676 (avsiedu)  (7 occurrences)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
    PID: 1240
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\x2BFjy8SRtdIV0VKlMSL7WDQ.exe"
        PID: 1976
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {5A22CB79-F073-4F41-AF66-DD6C3809BF99} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    PID: 276
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\avsiedu
        Command line: C:\Users\Admin\AppData\Roaming\avsiedu
        PID: 624
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\avsiedu
            Command line: C:\Users\Admin\AppData\Roaming\avsiedu
            PID: 676
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\avsiedu
  MD5: ced17a3bd52eab4a5105c0e58945b9de
  SHA1: 8a49a9f44a9940f768f3c6c23fe568b9c56554c5
  SHA256: 4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486
  SHA512: 4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e
Memory dumps

memory/624-66-0x0000000000000000-mapping.dmp
memory/676-69-0x0000000000402E1A-mapping.dmp
memory/1212-64-0x0000000003840000-0x0000000003856000-memory.dmp  Filesize: 88KB
memory/1212-72-0x0000000003AD0000-0x0000000003AE6000-memory.dmp  Filesize: 88KB
memory/1240-63-0x0000000000230000-0x000000000023A000-memory.dmp  Filesize: 40KB
memory/1976-62-0x0000000074D91000-0x0000000074D93000-memory.dmp  Filesize: 8KB
memory/1976-61-0x0000000000402E1A-mapping.dmp
memory/1976-60-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB