Analysis
- max time kernel: 90s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 02:47
Static task: static1
Behavioral task: behavioral1
  Sample: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  Resource: win10v2004-20220414-en
General
- Target: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
- Size: 210KB
- MD5: 4a664f5bfd63570f209fa6cf42467eaf
- SHA1: bd61a99af933bde5d4c341520e30b62034139c7c
- SHA256: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27
- SHA512: 62c17b99f91ede151fbd328ff7203efdc4cee1f11207f029b85065bacc426c9c585a4f7fd3fb970d1ff679367852cedff8fe2f7641873bf9ed43d9144a95b232
Malware Config
Extracted
- Family: smokeloader
- Version: 2018
- C2:
  http://proxy-exe.bit/2/
  http://kiyanka.club/2/
  http://d3s1.me/2/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
pid | process
4732 | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
4732 | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
-
Suspicious use of WriteProcessMemory (2 IoCs)
Processes: 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
description | pid | process | target process
PID 4732 wrote to memory of 4140 | 4732 | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe | splwow64.exe
PID 4732 wrote to memory of 4140 | 4732 | 425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe | splwow64.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\425b9cd4f233bf9c68bf2f965717e36348911ea057d3792ebc862caea077bf27.exe"
  - Maps connected drives based on registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (child process)
    Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/796-133-0x0000000000C00000-0x0000000000C15000-memory.dmp (Filesize: 84KB)
- memory/4140-130-0x0000000000000000-mapping.dmp
- memory/4732-131-0x0000000000500000-0x0000000000509000-memory.dmp (Filesize: 36KB)
- memory/4732-132-0x0000000000400000-0x000000000043B000-memory.dmp (Filesize: 236KB)