Analysis
-
max time kernel
74s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
03-07-2022 07:49
Static task
static1
Behavioral task
behavioral1
Sample
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe
Resource
win10v2004-20220414-en
General
-
Target
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe
-
Size
112KB
-
MD5
bf4b557875c4ca58d7d52316c97d229e
-
SHA1
b58d8922d7e9f71bc7907ccdcd1f236ab1922f63
-
SHA256
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140
-
SHA512
f0a60ae1d22cb1bff89f4c3355f68bbbaa1dfe8d76f41f2cee4f3158b559415b968eb6bd20a94aa3ddfca2326643f86e4244580a2ee3f96377a0e0e2d3d4a69a
Malware Config
Extracted
smokeloader
2018
http://andersenavoidably.bid/
http://cindyarrest.bid/
http://armoringchildlessnesss.bid/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exepid process 4236 3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe 4236 3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe"C:\Users\Admin\AppData\Local\Temp\3c56ab9f14f390d86b2453d144704c6775990b6a31b28fcb0ae43dc0fb996140.exe"1⤵
- Maps connected drives based on registry
- Suspicious behavior: MapViewOfSection