Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 07-12-2021 02:26
Static task: static1
Behavioral task: behavioral1
  Sample: a2e798b4ef4bd02947d4719aab57a296.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: a2e798b4ef4bd02947d4719aab57a296.exe
  Resource: win10-en-20211014
General
- Target: a2e798b4ef4bd02947d4719aab57a296.exe
- Size: 318KB
- MD5: a2e798b4ef4bd02947d4719aab57a296
- SHA1: 14e6de85ad742a3482aca940170482e9d6c9e535
- SHA256: 4666b3a3039e2dc192d56d4ae00d1935e6b3749e05a7e6cc0342414cea8b546f
- SHA512: 361e242d48ee5b59573ad295f1bb69f431e7194aa05be5d2147db9ea0d64833947fb86a563f7d332dc8575b354d1d6af3bcec1075e6191f2d4a85ead8727427a
Malware Config
- Extracted: smokeloader
  2020
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/
- Extracted: raccoon
  1.8.3-hotfix
  f797145799b7b1b77b35d81de942eee0908da519
  url4cnc:
    http://91.219.236.27/capibar
    http://94.158.245.167/capibar
    http://185.163.204.216/capibar
    http://185.225.19.238/capibar
    http://185.163.204.218/capibar
    https://t.me/capibar
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    420 BB4.exe
    1884 1028.exe
    1288 18EF.exe
- Deletes itself (1 IoC)
  Processes (pid): 1220
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description; pid, process; target process):
    PID 524 set thread context of 1116; 524 a2e798b4ef4bd02947d4719aab57a296.exe; a2e798b4ef4bd02947d4719aab57a296.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description; ioc; process):
    Key enumerated; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a2e798b4ef4bd02947d4719aab57a296.exe
    Key opened; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a2e798b4ef4bd02947d4719aab57a296.exe
    Key queried; \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI; a2e798b4ef4bd02947d4719aab57a296.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
    1116 a2e798b4ef4bd02947d4719aab57a296.exe (2 entries)
    1220 (the remaining 62 entries; no process name recorded)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid): 1220
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process): 1116 a2e798b4ef4bd02947d4719aab57a296.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid): 1220 (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid): 1220 (2 entries)
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (description; pid, process; target process):
    PID 524 wrote to memory of 1116; 524 a2e798b4ef4bd02947d4719aab57a296.exe; a2e798b4ef4bd02947d4719aab57a296.exe (7 entries)
    PID 1220 wrote to memory of 420; 1220; BB4.exe (4 entries)
    PID 1220 wrote to memory of 1884; 1220; 1028.exe (4 entries)
    PID 1220 wrote to memory of 1288; 1220; 18EF.exe (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\a2e798b4ef4bd02947d4719aab57a296.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2e798b4ef4bd02947d4719aab57a296.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a2e798b4ef4bd02947d4719aab57a296.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a2e798b4ef4bd02947d4719aab57a296.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\BB4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BB4.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\1028.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1028.exe
  - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\18EF.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\18EF.exe
  - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\1028.exe
  MD5: bce50d5b17bb88f22f0000511026520d
  SHA1: 599aaed4ee72ec0e0fc4cada844a1c210e332961
  SHA256: 77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455
  SHA512: c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536
- C:\Users\Admin\AppData\Local\Temp\18EF.exe
  MD5: 6c57864471175e42aba4041153247015
  SHA1: 99996d5bfd884979c2a2d9440ca5163cd4bad08a
  SHA256: 5edaabdee965463a3d08b92be433986c8c1139d61ba8960aed89633e6d2f5076
  SHA512: 3a76eacf652a66759ae4a9caa05e35a026bc6af137b2a16600599b775555470abf5d5c11a8f10a06e0d9223ab6d4d0a3b60038af4de73e427369e9a82afde889
- C:\Users\Admin\AppData\Local\Temp\BB4.exe
  MD5: 53bd1244d2c85a2d90856079911eee24
  SHA1: 48bb7a1466cae478076e2b64f5761a0ea0bf61af
  SHA256: dc189a482f8fd5ddd6e8aa505e7911bc6b368bb9ff97de0b05713a97489809d8
  SHA512: 26453d8edfc0d221c9a944b1f8ccd61a8be1b68e540c0ff8550c58ad1b3a5c30a4d130abe8300e98d6683d7c656fb4a995767a232bca83e2c73bdb7d7e82849e
- memory/420-61-0x0000000000000000-mapping.dmp
- memory/524-59-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize: 36KB)
- memory/524-55-0x0000000000568000-0x0000000000579000-memory.dmp (Filesize: 68KB)
- memory/1116-58-0x0000000074E51000-0x0000000074E53000-memory.dmp (Filesize: 8KB)
- memory/1116-56-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1116-57-0x0000000000402F47-mapping.dmp
- memory/1220-60-0x0000000002120000-0x0000000002136000-memory.dmp (Filesize: 88KB)
- memory/1288-69-0x0000000000000000-mapping.dmp
- memory/1884-63-0x0000000000000000-mapping.dmp
- memory/1884-65-0x000000000026B000-0x00000000002BA000-memory.dmp (Filesize: 316KB)
- memory/1884-68-0x0000000000400000-0x0000000000491000-memory.dmp (Filesize: 580KB)
- memory/1884-67-0x00000000004A0000-0x000000000052F000-memory.dmp (Filesize: 572KB)