Analysis
-
max time kernel
152s -
max time network
71s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
22-10-2021 18:44
General
-
Target
ade97ee2d8365bac817b0ce3c933cd8d.exe
-
Size
408KB
-
MD5
ade97ee2d8365bac817b0ce3c933cd8d
-
SHA1
3c01c46b6f14a5e752b78c7bd7916cfea7cb81ef
-
SHA256
8d5b572415a417017f3cac4151ee47381999a7826c09553160512310314aec68
-
SHA512
77e5d1c56ce91c9650b6c5aa70b7d887214aa4a5228fbc31a283ea6f2900dbdbfa4e84dcd5051f58023f4e369dbe0050c23970daf7ea284ae0d9d72910706d13
Malware Config
Extracted
smokeloader
2020
http://directorycart.com/upload/
http://tierzahnarzt.at/upload/
http://streetofcards.com/upload/
http://ycdfzd.com/upload/
http://successcoachceo.com/upload/
http://uhvu.cn/upload/
http://japanarticle.com/upload/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ade97ee2d8365bac817b0ce3c933cd8d.exe"C:\Users\Admin\AppData\Local\Temp\ade97ee2d8365bac817b0ce3c933cd8d.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Program Files\Common Files\System\symsrv.dllMD5
7574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
memory/1120-54-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-55-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-56-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-57-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-58-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-60-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-59-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-61-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-62-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-63-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-64-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-65-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-66-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-67-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-68-0x0000000002F80000-0x0000000002F91000-memory.dmpFilesize
68KB
-
memory/1120-69-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1120-70-0x00000000002E0000-0x00000000002E9000-memory.dmpFilesize
36KB
-
memory/1120-71-0x0000000075C11000-0x0000000075C13000-memory.dmpFilesize
8KB
-
memory/1120-72-0x0000000000400000-0x0000000002DAA000-memory.dmpFilesize
41.7MB
-
memory/1384-73-0x00000000025A0000-0x00000000025B6000-memory.dmpFilesize
88KB