Analysis
max time kernel: 151s
max time network: 133s
platform: windows7_x64
resource: win7-en-20211208
submitted: 25-01-2022 12:10
Static task: static1
Behavioral task: behavioral1
  Sample: 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
  Resource: win10-en-20211208
General
Target: 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
Size: 329KB
MD5: d795100a35b890a342479fe347fc50c6
SHA1: 9023f733a2fca66c2f6f1a5b12deff1ccd3aa372
SHA256: 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128
SHA512: 24a9b300c777f0f026e92e0f6f5521e0b54fdc5fef580726c575f9af256efb73521aaab38517620c7e4d1dbc50a120e0cee42398c3fcb7c9427c6bd56fa28200
Malware Config
Extracted: smokeloader (2020)
URLs:
- https://olobus.casa/feedback.php
- https://trusho.online/feedback.php
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 1360
- Loads dropped DLL (1 IoC)
  Processes: pid 760, 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 760, 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe (2 IoCs); pid 1360 (all remaining IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1360
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 760, 816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: pid 1360 (2 IoCs)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: pid 1360 (2 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\816e7acf20d964819c03b1acaf844029c12933f508e7dd116ad5d6949c7b9128.exe"
  PID: 760
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\5C1B.tmp
  MD5: d124f55b9393c976963407dff51ffa79
  SHA1: 2c7bbedd79791bfb866898c85b504186db610b5d
  SHA256: ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
  SHA512: 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
- memory/760-53-0x0000000075D61000-0x0000000075D63000-memory.dmp
  Filesize: 8KB
- memory/760-55-0x00000000000F0000-0x00000000000F1000-memory.dmp
  Filesize: 4KB
- memory/760-56-0x0000000000110000-0x000000000011A000-memory.dmp
  Filesize: 40KB
- memory/760-57-0x0000000000120000-0x000000000012A000-memory.dmp
  Filesize: 40KB
- memory/1360-58-0x0000000002160000-0x0000000002176000-memory.dmp
  Filesize: 88KB