Analysis
- max time kernel: 42s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 02:47
Static task: static1

Behavioral task: behavioral1
- Sample: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
- Resource: win10v2004-20220414-en
General
- Target: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
- Size: 210KB
- MD5: 4a664f5bfd63570f209fa6cf42467eaf
- SHA1: bd61a99af933bde5d4c341520e30b62034139c7c
- SHA256: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27
- SHA512: 62c17b99f91ede151fbd328ff7203efdc4cee1f11207f029b85065bacc426c9c585a4f7fd3fb970d1ff679367852cedff8fe2f7641873bf9ed43d9144a95b232
Malware Config
Extracted: smokeloader (2018)
- http://proxy-exe.bit/2/
- http://kiyanka.club/2/
- http://d3s1.me/2/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  - pid 388: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  - pid 388: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  - PID 388 wrote to memory of 556 (source: 388 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe; target process: splwow64.exe), recorded 4 times
Processes
1. "C:\Users\Admin\AppData\Local\Temp\425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe"
   - Maps connected drives based on registry
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/388-55-0x0000000076C81000-0x0000000076C83000-memory.dmp (Filesize 8KB)
- memory/388-56-0x00000000002F0000-0x00000000002F9000-memory.dmp (Filesize 36KB)
- memory/388-57-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize 236KB)
- memory/556-54-0x0000000000000000-mapping.dmp
- memory/1272-58-0x00000000021A0000-0x00000000021B5000-memory.dmp (Filesize 84KB)