Analysis
- max time kernel: 152s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 09:41
Static task: static1
Behavioral task: behavioral1
  Sample: 2e91c1e098c8f5d4d9709d07885a8369.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 2e91c1e098c8f5d4d9709d07885a8369.exe
  Resource: win10-en-20211208
General
- Target: 2e91c1e098c8f5d4d9709d07885a8369.exe
- Size: 333KB
- MD5: 2e91c1e098c8f5d4d9709d07885a8369
- SHA1: be20caa1dc570e071dacb67396c7ddb5eb288a4d
- SHA256: d2575826949eabb6051a8ad22c804494f0351688b444ae9e0c95905942a3c0e3
- SHA512: 5e24550d5fc80aa0f4188f04823fc08ec68a441beec09f4c194872b5fb6f9e0001a3365504bf6d32705847ad5f6f8f15cda72490742810dcb8c89b53e49c848f
Malware Config
Extracted: smokeloader, 2020
- http://host-data-coin-11.com/
- http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    pid   process
    1380  (blank)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                         pid  process                               target process
    PID 828 set thread context of 1060  828  2e91c1e098c8f5d4d9709d07885a8369.exe  2e91c1e098c8f5d4d9709d07885a8369.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                               process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2e91c1e098c8f5d4d9709d07885a8369.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2e91c1e098c8f5d4d9709d07885a8369.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  2e91c1e098c8f5d4d9709d07885a8369.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    1060  2e91c1e098c8f5d4d9709d07885a8369.exe
    1060  2e91c1e098c8f5d4d9709d07885a8369.exe
    1380  (blank)  [this row is repeated 62 times]
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    1380  (blank)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1060  2e91c1e098c8f5d4d9709d07885a8369.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
    pid   process
    1380  (blank)
    1380  (blank)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
    pid   process
    1380  (blank)
    1380  (blank)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
    description                      pid  process                               target process
    PID 828 wrote to memory of 1060  828  2e91c1e098c8f5d4d9709d07885a8369.exe  2e91c1e098c8f5d4d9709d07885a8369.exe
    [this row is repeated 7 times]
Processes
- C:\Users\Admin\AppData\Local\Temp\2e91c1e098c8f5d4d9709d07885a8369.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e91c1e098c8f5d4d9709d07885a8369.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2e91c1e098c8f5d4d9709d07885a8369.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2e91c1e098c8f5d4d9709d07885a8369.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/828-55-0x00000000005B0000-0x00000000005DF000-memory.dmp (Filesize: 188KB)
- memory/828-56-0x0000000000220000-0x0000000000229000-memory.dmp (Filesize: 36KB)
- memory/1060-57-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1060-58-0x0000000075D61000-0x0000000075D63000-memory.dmp (Filesize: 8KB)
- memory/1060-59-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/1380-60-0x00000000025D0000-0x00000000025E6000-memory.dmp (Filesize: 88KB)