Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 14:18
Static task: static1
Behavioral task: behavioral1
- Sample: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Resource: win10v2004-20220414-en
General
- Target: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Size: 466KB
- MD5: 4722771df719a14e07075c90c600c2e1
- SHA1: c7cb81bdb073c699d4799662fa7203ac33e415f3
- SHA256: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c
- SHA512: 0be9a4ee3e0d2b6359c7a26d5f1bcfaed7ece1b20d970c347ccade501e51372e90b3c62f06f51f6df3f8e080b9f908de6d5647197c3ec98b17a46386a6c30877
Malware Config
Extracted
- Family: smokeloader
- Version: 2018
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
  - description: Key value queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes:
  - description: Key created | ioc: \REGISTRY\MACHINE\Software\Classes\AppID\40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  - pid: 1276 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
  - pid: 1276 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  - pid: 1276 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes:
  - pid: 1276 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  - pid: 1276 | process: 40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40ca7f8289001cc52baa68ed8a251141c3ed68fc7408046cc666c126f82fe20c.exe"
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1276-54-0x0000000076C01000-0x0000000076C03000-memory.dmp (Filesize: 8KB)
- memory/1276-55-0x0000000000400000-0x000000000047A000-memory.dmp (Filesize: 488KB)
- memory/1276-56-0x00000000003F0000-0x00000000003F8000-memory.dmp (Filesize: 32KB)
- memory/1276-57-0x0000000000400000-0x000000000047A000-memory.dmp (Filesize: 488KB)
- memory/1276-58-0x0000000000400000-0x000000000047A000-memory.dmp (Filesize: 488KB)
- memory/1352-59-0x00000000027B0000-0x00000000027C5000-memory.dmp (Filesize: 84KB)