Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 07-12-2021 11:02
Static task: static1
Behavioral task: behavioral1
  Sample: 65d0653f5eec54a9a01b4d76c35c6c74.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: 65d0653f5eec54a9a01b4d76c35c6c74.exe
  Resource: win10-en-20211104
General
- Target: 65d0653f5eec54a9a01b4d76c35c6c74.exe
- Size: 319KB
- MD5: 65d0653f5eec54a9a01b4d76c35c6c74
- SHA1: 10ac383cdad3a41f09ee9ac8c36365224ea6f826
- SHA256: 757387e6946c157cc37f67cf0a0e94af671b4a4bd498291390d878cc04cfa790
- SHA512: 64061718229cba439c7fd3795112b436375c70865d7ec23370693863410079ac6e5dbf2ef09c366878e712b8c4ecf20a797cd1c9bddfd12d34710f5ed6998eb1
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1820  process F2B8.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1380
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1888 set thread context of 240  (process 1888 65d0653f5eec54a9a01b4d76c35c6c74.exe, target process 65d0653f5eec54a9a01b4d76c35c6c74.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  65d0653f5eec54a9a01b4d76c35c6c74.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  65d0653f5eec54a9a01b4d76c35c6c74.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  65d0653f5eec54a9a01b4d76c35c6c74.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid 240   process 65d0653f5eec54a9a01b4d76c35c6c74.exe  (2 entries)
    pid 1380  (all remaining entries; no process name recorded)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 1380
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 240  process 65d0653f5eec54a9a01b4d76c35c6c74.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid 1380  (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid 1380  (2 entries)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 1888 wrote to memory of 240   (process 1888 65d0653f5eec54a9a01b4d76c35c6c74.exe, target process 65d0653f5eec54a9a01b4d76c35c6c74.exe)  (7 entries)
    PID 1380 wrote to memory of 1820  (process 1380, target process F2B8.exe)  (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe")
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\65d0653f5eec54a9a01b4d76c35c6c74.exe")
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\F2B8.exe  (command line: C:\Users\Admin\AppData\Local\Temp\F2B8.exe)
  - Executes dropped EXE
Downloads
- C:\Users\Admin\AppData\Local\Temp\F2B8.exe
  MD5: fd9fc94584fb5ac78a730d4949954558
  SHA1: 1f64cab1b889016aca4e11fbaa0367ab21dc2911
  SHA256: 8a55a056761f76c48027e1c2f7a4146f451d36908d84f83ef9b95051d35b9f44
  SHA512: af47179ed313cb5791c59118b79a831313f1a9995e6b3f57a88c1928ba248cfc6d38bbd916ab35bd368627a08a5eda961f0e91396173f615860d088d382bf981
- memory/240-56-0x0000000000400000-0x0000000000409000-memory.dmp
  Filesize: 36KB
- memory/240-57-0x0000000000402F47-mapping.dmp
- memory/240-58-0x0000000075981000-0x0000000075983000-memory.dmp
  Filesize: 8KB
- memory/1380-60-0x0000000002640000-0x0000000002656000-memory.dmp
  Filesize: 88KB
- memory/1820-61-0x0000000000000000-mapping.dmp
- memory/1888-55-0x0000000000308000-0x0000000000319000-memory.dmp
  Filesize: 68KB
- memory/1888-59-0x0000000000020000-0x0000000000029000-memory.dmp
  Filesize: 36KB