Analysis
max time kernel: 153s
max time network: 132s
platform: windows10_x64
resource: win10-en-20211208
submitted: 25-01-2022 11:00
Static task: static1
Behavioral task: behavioral1
Sample: cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe
Resource: win10-en-20211208
General
Target: cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe
Size: 317KB
MD5: 13083e7a22ed3e2b05bcaab4f0a5f700
SHA1: eb67efee663254cabf14fd6ab27a2ae90a66621f
SHA256: cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7
SHA512: 3cf4851b2c6c84d674c7254a04863748c8c32ed027da021147c0e14abc9a28223fbe281d263f7632e50984811509a9a33108e1b5a7a68d87b5277cb25fc03601
Malware Config
Extracted: smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes: PID 3056
Suspicious use of SetThreadContext (1 IoC)
Processes: PID 812 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe) set thread context of PID 2512 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe):
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: PID 2512 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe), 2 entries; PID 3056 (process name not recorded), remaining entries
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: PID 3056
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: PID 2512 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: PID 812 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe) wrote to memory of PID 2512 (cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe), 6 entries
Processes
C:\Users\Admin\AppData\Local\Temp\cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe "C:\Users\Admin\AppData\Local\Temp\cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe" (PID 812)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe "C:\Users\Admin\AppData\Local\Temp\cb08e342249853525166643fddc704672c02771ff763fd24e08cd3cf0512bec7.exe" (PID 2512, child of PID 812)
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/812-116-0x00000000001C0000-0x00000000001C9000-memory.dmp  Filesize: 36KB
memory/812-115-0x0000000000030000-0x0000000000038000-memory.dmp  Filesize: 32KB
memory/2512-117-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
memory/2512-118-0x0000000000400000-0x0000000000409000-memory.dmp  Filesize: 36KB
memory/3056-119-0x0000000000E00000-0x0000000000E16000-memory.dmp  Filesize: 88KB