Analysis
- max time kernel: 15s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
  Resource: win10v2004-20220414-en
General
- Target: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
- Size: 191KB
- MD5: 35adb5e0a91179cad8d0acaf73e51734
- SHA1: 047d2f48079d7ebcb2f6443feb45c54d17b5bf0a
- SHA256: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5
- SHA512: e16e453845381e2b90381d7102fb747c0bd9201f5fcfc0cad8638062b8027673e7abbe81a8f560dd867458bddfd9253a4021a3af7800cd9abbcea6808aa69fd5
Malware Config
Extracted
smokeloader
2018
http://mailcdn-office365.io/
http://update-vmware-service.com/
http://rocket365.to/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Loads dropped DLL (2 IoCs)
  Processes:
    PID 2016  4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
    PID 2016  4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2016 set thread context of 948  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe -> 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 2 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe)
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    PID 948  4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
    PID 948  4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    PID 2016 wrote to memory of 948  (4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe -> 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe), 7 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe  (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2016
  - C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe  (tree depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe"
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 948
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\lections.dll
  Filesize: 176KB
  MD5: bfdcf917b33d33d6cd1d1756434bdb3d
  SHA1: 5e13218621cedcdedb573afdec4f8e49eec2409e
  SHA256: 22d8ca9544e5cce73da49acaa6b6ff39e683b110c33c12d51ce7bf3eb221716f
  SHA512: e715527e2540e5f7c3934d2e81d639f8c19244b3d7b06cdb7192f9add55e7a9099ebf0219426028562d38718ebe87305d8cf434faac30ce0dcf30109e8a9698c
- \Users\Admin\AppData\Local\Temp\nsy5100.tmp\System.dll
  Filesize: 11KB
  MD5: 75ed96254fbf894e42058062b4b4f0d1
  SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
  SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
  SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- memory/948-57-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/948-58-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/948-61-0x0000000000402B47-mapping.dmp
- memory/948-60-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/948-63-0x0000000000400000-0x000000000040A000-memory.dmp
  Filesize: 40KB
- memory/1232-64-0x0000000002120000-0x0000000002135000-memory.dmp
  Filesize: 84KB
- memory/2016-54-0x00000000759F1000-0x00000000759F3000-memory.dmp
  Filesize: 8KB