Analysis
-
max time kernel
149s -
max time network
24s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 23:40
General
-
Target
e82a74fe0732ee10589a80df730a19a4.exe
-
Size
284KB
-
MD5
e82a74fe0732ee10589a80df730a19a4
-
SHA1
437f86aa7b19eb3e700885d1ec94827ce55c012e
-
SHA256
08652e620baff815f8d1c1b10889d2407da4a79b264925efeeeb90a89070ff80
-
SHA512
74bc1b0993036d9f2f6d23733d5a5ed06d562d42314d74547fb9ba8a1a15e9deb9a6e98dcae3550211626d39c67b12ef6faeb19cddffaa6661915142f1b2535a
Malware Config
Extracted
smokeloader
2020
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Loads dropped DLL 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e82a74fe0732ee10589a80df730a19a4.exe"C:\Users\Admin\AppData\Local\Temp\e82a74fe0732ee10589a80df730a19a4.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\1105.tmpMD5
d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
memory/1112-53-0x0000000000CF8000-0x0000000000D09000-memory.dmpFilesize
68KB
-
memory/1112-54-0x00000000751A1000-0x00000000751A3000-memory.dmpFilesize
8KB
-
memory/1112-56-0x0000000000020000-0x0000000000029000-memory.dmpFilesize
36KB
-
memory/1112-57-0x0000000000400000-0x0000000000877000-memory.dmpFilesize
4.5MB
-
memory/1400-58-0x0000000002580000-0x0000000002596000-memory.dmpFilesize
88KB