Analysis
- max time kernel: 91s
- max time network: 158s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26-06-2022 22:26
Static task: static1
Behavioral task: behavioral1
- Sample: 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Resource: win10v2004-20220414-en
General
- Target: 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Size: 560KB
- MD5: 6c24e1fd35f2b2430e650ecea3c01f03
- SHA1: d8585788cc0fb1c70e98287e2123d529ebbc35a3
- SHA256: 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579
- SHA512: 6b25dda738348d85f6152fc3797c35e6a03f8b95306a1b4a0920bc18cd8e10dc3afeee22a00808886efbff19308b89648f9ab600f9feaeccbf8a06db5f5a071d
Malware Config
Extracted
- Family: smokeloader
- Version: 2018
- C2:
  https://wintoshop.ug/
  https://shoptowin.ru/
  https://shopandpop.su/
  https://shoptofree.ru/
  http://googletime.bit/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4596 set thread context of 2340 | 4596 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  2340 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
  2340 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  4596 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 4596 wrote to memory of 2340 | 4596 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
  PID 4596 wrote to memory of 2340 | 4596 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
  PID 4596 wrote to memory of 2340 | 4596 | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe | 35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\35fc3628ea0d1df64b7ae0ad426047c7af8d283b9b5b5b08dce6db3508a5c579.exe"
      - Maps connected drives based on registry
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2340-133-0x0000000000000000-mapping.dmp
- memory/2340-138-0x0000000000400000-0x000000000040A000-memory.dmp (Filesize: 40KB)
- memory/2340-137-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/2340-139-0x00007FFAC92D0000-0x00007FFAC94C5000-memory.dmp (Filesize: 2.0MB)
- memory/2340-140-0x0000000077C10000-0x0000000077DB3000-memory.dmp (Filesize: 1.6MB)
- memory/2340-141-0x0000000000400000-0x000000000048E000-memory.dmp (Filesize: 568KB)
- memory/2340-143-0x00000000005E0000-0x00000000005E7000-memory.dmp (Filesize: 28KB)
- memory/2724-142-0x0000000001470000-0x0000000001485000-memory.dmp (Filesize: 84KB)
- memory/4596-132-0x0000000002210000-0x0000000002217000-memory.dmp (Filesize: 28KB)
- memory/4596-134-0x0000000002210000-0x0000000002217000-memory.dmp (Filesize: 28KB)
- memory/4596-135-0x00007FFAC92D0000-0x00007FFAC94C5000-memory.dmp (Filesize: 2.0MB)
- memory/4596-136-0x0000000077C10000-0x0000000077DB3000-memory.dmp (Filesize: 1.6MB)