Analysis

  • max time kernel
    155s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 21:07

General

  • Target

    381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37.exe

  • Size

    176KB

  • MD5

    436189fbd2fa4bac4e15fb3c20a9594d

  • SHA1

    fde79f57d1f23603dd5dbba1c8736919d182dae7

  • SHA256

    381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37

  • SHA512

    91e106d1b3311daca2b16d152f326e489e39adbdc877c25da41c3904183e9631fce88d736d8ea51f9a083438e2ed3ee8c9d4d46d149dbd50f66c8a7dc7638cee

Malware Config

Extracted

  • Family
    smokeloader
  • Version
    2018
  • C2
    http://mailcdn-office365.io/
    http://update-vmware-service.com/
    http://rocket365.to/
  • rc4.i32
  • rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Loads dropped DLL 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37.exe
    "C:\Users\Admin\AppData\Local\Temp\381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Users\Admin\AppData\Local\Temp\381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37.exe
      "C:\Users\Admin\AppData\Local\Temp\381b289daadbf888d7db6c3854ba4320e55e4dcbd61e7c1461ece771660a1d37.exe"
      2⤵
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry
    2 T1012
  • Peripheral Device Discovery
    2 T1120
  • System Information Discovery
    3 T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\combustors.dll
    Filesize

    104KB

    MD5

    6939243f32fa5776e4a2b13de2a22919

    SHA1

    41426882f8ff79fbdcaefc0aa30016931fc56de3

    SHA256

    e6ae5ab90739f8a84442bb538ef185943c507c842a4ef1a6133b0b59beb52b11

    SHA512

    1836e21ebdf42519e54ae028179e8180fa105e46f7930b4af8176116b5687806a57108ecf5da4923cf19b604cad3ac1eb7dc9213c6cbc995085dcca58026fb7e

  • C:\Users\Admin\AppData\Local\Temp\nskBB47.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • memory/1128-132-0x0000000000000000-mapping.dmp
  • memory/1128-133-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

  • memory/1128-134-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

  • memory/2604-135-0x0000000000560000-0x0000000000575000-memory.dmp
    Filesize

    84KB