Analysis
- Max time kernel: 156s
- Max time network: 144s
- Platform: windows7_x64
- Resource: win7-en-20211104
- Submitted: 07-12-2021 15:28
Static task: static1
Behavioral task: behavioral1
- Sample: f369fcbe630e461a8ba482db48f0dbbf.exe
- Resource: win7-en-20211104
Behavioral task: behavioral2
- Sample: f369fcbe630e461a8ba482db48f0dbbf.exe
- Resource: win10-en-20211104
General
- Target: f369fcbe630e461a8ba482db48f0dbbf.exe
- Size: 319KB
- MD5: f369fcbe630e461a8ba482db48f0dbbf
- SHA1: 6c0e71df40a976c484e20711e9f97abcf2cb4240
- SHA256: 8b01dbcf5224873f79aa338e6f50c3cfefc41a1345d9eb5e4a5566f5a190586a
- SHA512: 03947a4ba6751ac73d20c80477009d67daf491012949d840cb8a87c300a648f04fc1f4dee0ce0ba9ae3acd53559c5ad2929028560745d8d9c7ec68f239c7dac0
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-data-coin-11.com/
- C2: http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 432: CD4D.exe
  - PID 1660: CD4D.exe
- Deletes itself (1 IoC)
  Processes:
  - PID 1220
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 432: CD4D.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 764 (f369fcbe630e461a8ba482db48f0dbbf.exe) set thread context of PID 1380 (f369fcbe630e461a8ba482db48f0dbbf.exe)
  - PID 432 (CD4D.exe) set thread context of PID 1660 (CD4D.exe)
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (CD4D.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (f369fcbe630e461a8ba482db48f0dbbf.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (f369fcbe630e461a8ba482db48f0dbbf.exe)
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (f369fcbe630e461a8ba482db48f0dbbf.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (CD4D.exe)
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (CD4D.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 1380 (f369fcbe630e461a8ba482db48f0dbbf.exe): 2 IoCs
  - PID 1220: 62 IoCs (no image name reported)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1220
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  - PID 1380: f369fcbe630e461a8ba482db48f0dbbf.exe
  - PID 1660: CD4D.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  - PID 1220: 2 IoCs
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  - PID 1220: 2 IoCs
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  - PID 764 (f369fcbe630e461a8ba482db48f0dbbf.exe) wrote to memory of PID 1380 (f369fcbe630e461a8ba482db48f0dbbf.exe): 7 IoCs
  - PID 1220 wrote to memory of PID 432 (CD4D.exe): 4 IoCs
  - PID 432 (CD4D.exe) wrote to memory of PID 1660 (CD4D.exe): 7 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\f369fcbe630e461a8ba482db48f0dbbf.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f369fcbe630e461a8ba482db48f0dbbf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\f369fcbe630e461a8ba482db48f0dbbf.exe (level 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f369fcbe630e461a8ba482db48f0dbbf.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
- C:\Users\Admin\AppData\Local\Temp\CD4D.exe (level 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\CD4D.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\CD4D.exe (level 2, child of the process above)
  Command line: C:\Users\Admin\AppData\Local\Temp\CD4D.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\CD4D.exe
  MD5: 61667aba094e35950f45d5d627952663
  SHA1: 55b3df527f7fda353f8ff0a30ff9ae9fd97d7ff3
  SHA256: 6a48349ee2b3ea08a4a5a51aaaa9eef19ce3e5c63289d1d4b50435112e049248
  SHA512: cff031eb5f4cd91858f5af3d068acaa69b88de581ef9c02f23144ff82950b03562325a4f8c9d8c1df175675f41d0dd56d3ad67837a145960acc393a9c55a345e
- \Users\Admin\AppData\Local\Temp\CD4D.exe
  MD5: 61667aba094e35950f45d5d627952663
  SHA1: 55b3df527f7fda353f8ff0a30ff9ae9fd97d7ff3
  SHA256: 6a48349ee2b3ea08a4a5a51aaaa9eef19ce3e5c63289d1d4b50435112e049248
  SHA512: cff031eb5f4cd91858f5af3d068acaa69b88de581ef9c02f23144ff82950b03562325a4f8c9d8c1df175675f41d0dd56d3ad67837a145960acc393a9c55a345e
- memory/432-61-0x0000000000000000-mapping.dmp
- memory/432-63-0x0000000000698000-0x00000000006A9000-memory.dmp (Filesize: 68KB)
- memory/764-55-0x00000000006B8000-0x00000000006C9000-memory.dmp (Filesize: 68KB)
- memory/764-56-0x0000000000020000-0x0000000000029000-memory.dmp (Filesize: 36KB)
- memory/1220-60-0x0000000002120000-0x0000000002136000-memory.dmp (Filesize: 88KB)
- memory/1220-70-0x0000000002B50000-0x0000000002B66000-memory.dmp (Filesize: 88KB)
- memory/1380-59-0x0000000074E51000-0x0000000074E53000-memory.dmp (Filesize: 8KB)
- memory/1380-58-0x0000000000402F47-mapping.dmp
- memory/1380-57-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1660-67-0x0000000000402F47-mapping.dmp