Analysis
- max time kernel: 151s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 09:57
Static task: static1
Behavioral task: behavioral1
Sample: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
Resource: win10-en-20211208
General
- Target: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
- Size: 317KB
- MD5: 72107e63998474995c0f78051ccce035
- SHA1: ec3141bc5957149ff0aa67482295856a7cb3821b
- SHA256: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59
- SHA512: 0b503af0733040b2df5ce117065bc6c00f7475a9082782bc6e6911396ee3746d6de31736fdc9acd5a4d292ff98a14541d452c7ff6695f950e72ec34a214a35ca
Malware Config
Extracted: smokeloader 2020
- http://host-data-coin-11.com/
- http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  pid 3032 (process name not recorded)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 2512 set thread context of 3156
  pid: 2512
  process: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
  target process: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (process: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - pid 3156, process ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe (2 entries)
  - pid 3032, process name not recorded (remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 3032 (process name not recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid 3156, process ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description: PID 2512 wrote to memory of 3156 (6 identical entries)
  pid: 2512
  process: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
  target process: ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe"
  PID: 2512
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ce047160794f209e94e07eb2eabb04f08d876da7671e01c2f34dbb8bb82bed59.exe"
    PID: 3156
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2512-115-0x0000000000030000-0x0000000000038000-memory.dmp (Filesize: 32KB)
- memory/2512-116-0x0000000000460000-0x000000000050E000-memory.dmp (Filesize: 696KB)
- memory/3032-119-0x0000000001060000-0x0000000001076000-memory.dmp (Filesize: 88KB)
- memory/3156-117-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3156-118-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)