Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 07-12-2021 04:02
Static task: static1
Behavioral task: behavioral1
- Sample: 341e8df98aa2e6212e2866aafafd573f.exe
- Resource: win7-en-20211014
Behavioral task: behavioral2
- Sample: 341e8df98aa2e6212e2866aafafd573f.exe
- Resource: win10-en-20211014
General
- Target: 341e8df98aa2e6212e2866aafafd573f.exe
- Size: 318KB
- MD5: 341e8df98aa2e6212e2866aafafd573f
- SHA1: 4199a4b1363f53a406116af39f0f562c195454d7
- SHA256: 192602e7e46bd1a921c2312cdf2f8bb2d571aac70c22b0546be3d45df7692ff7
- SHA512: 8a0a523b08cb8482e188f5453974a05c8b1c20470dc94fdc14af4a6914459bbff2be65537fbf5f18259564fa3ac87db40d5cf049ab70d535532ca5c906a0be25
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2 URLs:
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes: pid 1980, 3E19.exe
- Deletes itself (1 IoC)
  Processes: pid 1412
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1932 (341e8df98aa2e6212e2866aafafd573f.exe) set thread context of 748 (341e8df98aa2e6212e2866aafafd573f.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (341e8df98aa2e6212e2866aafafd573f.exe):
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 748 (341e8df98aa2e6212e2866aafafd573f.exe), 2 entries; pid 1412, 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 1412
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 748 (341e8df98aa2e6212e2866aafafd573f.exe)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: pid 1412, 2 entries
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: pid 1412, 2 entries
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1932 (341e8df98aa2e6212e2866aafafd573f.exe) wrote to memory of 748 (341e8df98aa2e6212e2866aafafd573f.exe), 7 entries
  - PID 1412 wrote to memory of 1980 (3E19.exe), 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\341e8df98aa2e6212e2866aafafd573f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\341e8df98aa2e6212e2866aafafd573f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\341e8df98aa2e6212e2866aafafd573f.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\341e8df98aa2e6212e2866aafafd573f.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\3E19.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3E19.exe
  - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\3E19.exe
  MD5: 341e8df98aa2e6212e2866aafafd573f
  SHA1: 4199a4b1363f53a406116af39f0f562c195454d7
  SHA256: 192602e7e46bd1a921c2312cdf2f8bb2d571aac70c22b0546be3d45df7692ff7
  SHA512: 8a0a523b08cb8482e188f5453974a05c8b1c20470dc94fdc14af4a6914459bbff2be65537fbf5f18259564fa3ac87db40d5cf049ab70d535532ca5c906a0be25
- memory/748-57-0x0000000000402F47-mapping.dmp
- memory/748-56-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/748-58-0x0000000075901000-0x0000000075903000-memory.dmp
  Filesize: 8KB
- memory/1412-60-0x0000000002990000-0x00000000029A6000-memory.dmp
  Filesize: 88KB
- memory/1932-55-0x0000000000618000-0x0000000000629000-memory.dmp
  Filesize: 68KB
- memory/1932-59-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB
- memory/1980-61-0x0000000000000000-mapping.dmp