Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 07-12-2021 02:22
Static task: static1
Behavioral task: behavioral1
Sample: 53bd1244d2c85a2d90856079911eee24.exe
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: 53bd1244d2c85a2d90856079911eee24.exe
Resource: win10-en-20211104
General
- Target: 53bd1244d2c85a2d90856079911eee24.exe
- Size: 318KB
- MD5: 53bd1244d2c85a2d90856079911eee24
- SHA1: 48bb7a1466cae478076e2b64f5761a0ea0bf61af
- SHA256: dc189a482f8fd5ddd6e8aa505e7911bc6b368bb9ff97de0b05713a97489809d8
- SHA512: 26453d8edfc0d221c9a944b1f8ccd61a8be1b68e540c0ff8550c58ad1b3a5c30a4d130abe8300e98d6683d7c656fb4a995767a232bca83e2c73bdb7d7e82849e
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
pid 968  process 189F.exe
-
Deletes itself 1 IoCs
Processes:
pid 1380
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
PID 1552 set thread context of 848  (process 53bd1244d2c85a2d90856079911eee24.exe -> target process 53bd1244d2c85a2d90856079911eee24.exe)
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  process 53bd1244d2c85a2d90856079911eee24.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  process 53bd1244d2c85a2d90856079911eee24.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  process 53bd1244d2c85a2d90856079911eee24.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid 848   process 53bd1244d2c85a2d90856079911eee24.exe  (2 entries)
pid 1380  (all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid 1380
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid 848  process 53bd1244d2c85a2d90856079911eee24.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid 1380  (2 entries)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid 1380  (2 entries)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
PID 1552 wrote to memory of 848  (process 53bd1244d2c85a2d90856079911eee24.exe -> target process 53bd1244d2c85a2d90856079911eee24.exe)  (7 entries)
PID 1380 wrote to memory of 968  (target process 189F.exe)  (4 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\53bd1244d2c85a2d90856079911eee24.exe
command line: "C:\Users\Admin\AppData\Local\Temp\53bd1244d2c85a2d90856079911eee24.exe"  (depth 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\53bd1244d2c85a2d90856079911eee24.exe
command line: "C:\Users\Admin\AppData\Local\Temp\53bd1244d2c85a2d90856079911eee24.exe"  (depth 2)
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\189F.exe
command line: C:\Users\Admin\AppData\Local\Temp\189F.exe  (depth 1)
- Executes dropped EXE
Downloads
-
C:\Users\Admin\AppData\Local\Temp\189F.exe
MD5: 53bd1244d2c85a2d90856079911eee24
SHA1: 48bb7a1466cae478076e2b64f5761a0ea0bf61af
SHA256: dc189a482f8fd5ddd6e8aa505e7911bc6b368bb9ff97de0b05713a97489809d8
SHA512: 26453d8edfc0d221c9a944b1f8ccd61a8be1b68e540c0ff8550c58ad1b3a5c30a4d130abe8300e98d6683d7c656fb4a995767a232bca83e2c73bdb7d7e82849e
-
memory/848-57-0x0000000000402F47-mapping.dmp
-
memory/848-56-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
-
memory/848-58-0x00000000762D1000-0x00000000762D3000-memory.dmp  Filesize: 8KB
-
memory/968-61-0x0000000000000000-mapping.dmp
-
memory/1380-60-0x0000000002600000-0x0000000002616000-memory.dmp  Filesize: 88KB
-
memory/1552-55-0x0000000000618000-0x0000000000629000-memory.dmp  Filesize: 68KB
-
memory/1552-59-0x0000000000020000-0x0000000000029000-memory.dmp  Filesize: 36KB