Analysis
- max time kernel: 165s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 14-10-2021 05:05
Static task: static1
Behavioral task: behavioral1
  Sample: 3a7ac1ac60baac512bf45e412aacb90c.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 3a7ac1ac60baac512bf45e412aacb90c.exe
  Resource: win10-en-20210920
General
- Target: 3a7ac1ac60baac512bf45e412aacb90c.exe
- Size: 311KB
- MD5: 3a7ac1ac60baac512bf45e412aacb90c
- SHA1: d579493a2190a8f6f44a9094148a494c5368cdc7
- SHA256: 5c88ec7f348d5b457a2f155bbd9b0353c1cb840e0e971013c0ebc58aaee3b715
- SHA512: 08c3a3861a092eb7e39f6aa7255b36e2bf54b1f7a15b7fb76ac5f94269e7879e3a27187af2ee11f7215f5796e35ecd9146d04744ab4a4e01fb29a137589963b9
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://linavanandr11.club/
  http://iselaharty12.club/
  http://giovaninardo13.club/
  http://zayneliann14.club/
  http://zorinosali15.club/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 3028 (process name not recorded)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1576 (3a7ac1ac60baac512bf45e412aacb90c.exe) set thread context of PID 4000 (3a7ac1ac60baac512bf45e412aacb90c.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3a7ac1ac60baac512bf45e412aacb90c.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3a7ac1ac60baac512bf45e412aacb90c.exe)
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (3a7ac1ac60baac512bf45e412aacb90c.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 4000 (3a7ac1ac60baac512bf45e412aacb90c.exe), 2 entries
    pid 3028 (process name not recorded), the remaining 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 3028 (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 4000 (3a7ac1ac60baac512bf45e412aacb90c.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1576 (3a7ac1ac60baac512bf45e412aacb90c.exe) wrote to memory of PID 4000 (3a7ac1ac60baac512bf45e412aacb90c.exe), 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a7ac1ac60baac512bf45e412aacb90c.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1576-116-0x00000000019D6000-0x00000000019E6000-memory.dmp (Filesize: 64KB)
- memory/1576-117-0x0000000001820000-0x0000000001829000-memory.dmp (Filesize: 36KB)
- memory/3028-120-0x0000000000E90000-0x0000000000EA6000-memory.dmp (Filesize: 88KB)
- memory/4000-119-0x0000000000402DF8-mapping.dmp
- memory/4000-118-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)