Analysis

  • max time kernel
    151s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    04-12-2021 10:17

General

  • Target

    9edd0c32df4680a4e55c73b43e0900b0.exe

  • Size

    249KB

  • MD5

    9edd0c32df4680a4e55c73b43e0900b0

  • SHA1

    38a7e4e7c359391d844b67e329fba51f5bb6de71

  • SHA256

    58674ac34f75b675fa37d2f837107a70780df7b81de872b518963a00de501a4b

  • SHA512

    9cf7b309a75a4e463d8200f7c9ffc23e43f622d51e236a589ef537d5f841a674fe60fcfbbaf3f6c9402ce00227b2f5610e8cc641c182998d1804b90377f3366d

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://host-data-coin-11.com/
    http://file-coin-host-12.com/
    http://srtuiyhuali.at/
    http://fufuiloirtu.com/
    http://amogohuigotuli.at/
    http://novohudosovu.com/
    http://brutuilionust.com/
    http://bubushkalioua.com/
    http://dumuilistrati.at/
    http://verboliatsiaeeees.com/
  • rc4.i32
  • rc4.i32
  • rc4.i32
  • rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9edd0c32df4680a4e55c73b43e0900b0.exe
    "C:\Users\Admin\AppData\Local\Temp\9edd0c32df4680a4e55c73b43e0900b0.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Local\Temp\9edd0c32df4680a4e55c73b43e0900b0.exe
      "C:\Users\Admin\AppData\Local\Temp\9edd0c32df4680a4e55c73b43e0900b0.exe"
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:728
  • C:\Users\Admin\AppData\Local\Temp\770.exe
    C:\Users\Admin\AppData\Local\Temp\770.exe
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:956

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\770.exe
    MD5

    df13fac0d8b182e4d8b9a02ba87a9571

    SHA1

    b2187debc6fde96e08d5014ce4f1af5cf568bce5

    SHA256

    af64f5b2b6c4cc63b0ca4bb48f369eba1629886d85e289a469a5c9612c4a5ee3

    SHA512

    bc842a80509bda8afff6e12f5b5c64ccf7f1d7360f99f63cebbc1f21936a15487ec16bde3c2acff22c49ebcedf5c426621d6f69503f4968aacc8e75611e3a816

  • memory/728-56-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize

    36KB

  • memory/728-57-0x0000000000402F47-mapping.dmp
  • memory/728-58-0x0000000075D31000-0x0000000075D33000-memory.dmp
    Filesize

    8KB

  • memory/956-61-0x0000000000000000-mapping.dmp
  • memory/956-65-0x0000000000230000-0x0000000000239000-memory.dmp
    Filesize

    36KB

  • memory/956-64-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB

  • memory/956-66-0x0000000000400000-0x0000000002B64000-memory.dmp
    Filesize

    39.4MB

  • memory/1352-60-0x0000000001DD0000-0x0000000001DE6000-memory.dmp
    Filesize

    88KB

  • memory/1352-67-0x0000000003960000-0x0000000003976000-memory.dmp
    Filesize

    88KB

  • memory/1424-55-0x00000000005BB000-0x00000000005C4000-memory.dmp
    Filesize

    36KB

  • memory/1424-59-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB