Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 02-12-2021 00:51
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Resource: win10-en-20211104
General
- Target: SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Size: 333KB
- MD5: 0304d0f07c5d299493461497f1e9aec3
- SHA1: ba9a5b39e6dda9ccf29228b8572bcd7572702a21
- SHA256: ccdebe6b7d714001fcaffcb3fb7ed5751dfd23b764f041e90fd884149ea8994b
- SHA512: e613f648588a080bba6982e7914545347ec3e477c3e4d6cef9a41628d92d1297d28b223fa2aeb9a2ca0d3b8b0103ddd1012341231ddc0f786e6ff70337cd07c1
Malware Config
Extracted: smokeloader (2020)
- http://host-data-coin-11.com/
- http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid 1300
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 944 set thread context of 516
    pid/process: 944 SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
    target process: SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
    Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI, process SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 516 SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe (2 entries)
    pid 1300 (remaining 62 entries, process name not shown)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1300
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 516 SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 1300 (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid 1300 (2 entries)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description: PID 944 wrote to memory of 516 (7 entries)
    pid/process: 944 SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
    target process: SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe (depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Packed-GDV0304D0F07C5D.24466.11145.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/516-56-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
- memory/516-58-0x00000000758C1000-0x00000000758C3000-memory.dmp (8KB)
- memory/516-57-0x0000000000402F47-mapping.dmp
- memory/944-55-0x0000000000588000-0x0000000000599000-memory.dmp (68KB)
- memory/944-59-0x0000000000020000-0x0000000000029000-memory.dmp (36KB)
- memory/1300-60-0x0000000002200000-0x0000000002216000-memory.dmp (88KB)