Analysis
- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 04:50
Static task: static1
Behavioral task: behavioral1
- Sample: fs110_cr14.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: fs110_cr14.exe
- Resource: win10v2004-20220414-en
General
- Target: fs110_cr14.exe
- Size: 334KB
- MD5: a6ec44d1405343f99f9c003f219070f9
- SHA1: 4b98b7a064d84d7caece6044fe43a0b916696325
- SHA256: cc162b9bd661591e17f6f0e5281362a5ce48ca53d57ca6bab4aaa45300f44f30
- SHA512: aff3d8ba8f47e07140e22c88283182b59ffa2bb89fdbf2f52b413c98cd920835481cc55b1b4c65b382ef6908a364ecfcba6336cd008805b56e16cad89c752f3b
Malware Config
Extracted
- Family: smokeloader
- Version: 2018
- C2:
  http://159.89.109.130/
  http://cdvfrt5.com/
  http://43trfdsds.com/
  http://2344t554ddfr.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: fs110_cr14.exe
    description         ioc                                                           process
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum     fs110_cr14.exe
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0   fs110_cr14.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: fs110_cr14.exe
    pid    process
    4884   fs110_cr14.exe
    4884   fs110_cr14.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: fs110_cr14.exe
    pid    process
    4884   fs110_cr14.exe
    4884   fs110_cr14.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: fs110_cr14.exe
    pid    process
    4884   fs110_cr14.exe
    4884   fs110_cr14.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: fs110_cr14.exe
    pid    process
    4884   fs110_cr14.exe
    4884   fs110_cr14.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: fs110_cr14.exe
    pid    process
    4884   fs110_cr14.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\fs110_cr14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fs110_cr14.exe"
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                               filesize
  memory/3036-133-0x00000000034A0000-0x00000000034B5000-memory.dmp   84KB
  memory/4884-130-0x0000000002320000-0x00000000023A0000-memory.dmp   512KB
  memory/4884-131-0x0000000000400000-0x000000000045A000-memory.dmp   360KB
  memory/4884-132-0x0000000000400000-0x000000000045A000-memory.dmp   360KB
  memory/4884-134-0x0000000002320000-0x00000000023A0000-memory.dmp   512KB