Analysis

  • max time kernel: 91s
  • max time network: 157s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 08-07-2022 02:56

General

  • Target: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe
  • Size: 191KB
  • MD5: 35adb5e0a91179cad8d0acaf73e51734
  • SHA1: 047d2f48079d7ebcb2f6443feb45c54d17b5bf0a
  • SHA256: 4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5
  • SHA512: e16e453845381e2b90381d7102fb747c0bd9201f5fcfc0cad8638062b8027673e7abbe81a8f560dd867458bddfd9253a4021a3af7800cd9abbcea6808aa69fd5

Malware Config

Extracted

  • Family: smokeloader
  • Version: 2018
  • C2:
    • http://mailcdn-office365.io/
    • http://update-vmware-service.com/
    • http://rocket365.to/

rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Loads dropped DLL (2 IoCs)
  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) (3 TTPs, 2 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of WriteProcessMemory (7 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe (PID: 4924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe"
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe (PID: 2116, child of 4924)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4250c697811711cd0f8419be1454bc5f7dceec469f21e4d3cab307998c6c88b5.exe"
      • Maps connected drives based on registry
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    • Query Registry (T1012), 2 hits
    • Peripheral Device Discovery (T1120), 2 hits
    • System Information Discovery (T1082), 3 hits

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lections.dll
    • Filesize: 176KB
    • MD5: bfdcf917b33d33d6cd1d1756434bdb3d
    • SHA1: 5e13218621cedcdedb573afdec4f8e49eec2409e
    • SHA256: 22d8ca9544e5cce73da49acaa6b6ff39e683b110c33c12d51ce7bf3eb221716f
    • SHA512: e715527e2540e5f7c3934d2e81d639f8c19244b3d7b06cdb7192f9add55e7a9099ebf0219426028562d38718ebe87305d8cf434faac30ce0dcf30109e8a9698c

  • C:\Users\Admin\AppData\Local\Temp\nslBE07.tmp\System.dll
    • Filesize: 11KB
    • MD5: 75ed96254fbf894e42058062b4b4f0d1
    • SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
    • SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
    • SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

  • memory/2116-132-0x0000000000000000-mapping.dmp
  • memory/2116-133-0x0000000000400000-0x000000000040A000-memory.dmp
    • Filesize: 40KB
  • memory/2116-134-0x0000000000400000-0x000000000040A000-memory.dmp
    • Filesize: 40KB
  • memory/2832-135-0x0000000002E30000-0x0000000002E45000-memory.dmp
    • Filesize: 84KB