Analysis
- max time kernel: 155s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 05:06
Static task: static1
Behavioral task: behavioral1
- Sample: 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe
- Resource: win10-en-20211208
General
- Target: 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe
- Size: 240KB
- MD5: 1b5bdb87102bf606efc39d7202ee1eaa
- SHA1: 60b62302aa784d1de2e00acc8a75e2f1a2ddc75d
- SHA256: 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0
- SHA512: cd978cdda39a5b5592de335357666d82358309f632be4d4e229cd77bb6359c727e70e92951616b9c8d0ba0ac7c082164ac37bafb71d3677ef877a39c785e7012
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-data-coin-11.com/
- C2: http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  - PID 2072 (image name blank in the report)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 556 set thread context of 820 (source: 556 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe; target process: 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe, the second-level instance in the process tree):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  - Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
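What a routine that reads this key is typically looking for, as an added example (not the sample's code and not the sandbox vendor's detection logic): the subkey names under Enum\SCSI identify disks and optical drives by vendor and product, and hypervisor-backed guests expose recognisable vendor strings there. The report does not say which strings this sample compared against, so the vendor tokens and the two constructed subkey lists below are assumptions; the winreg branch only runs on Windows and returns nothing elsewhere.

```python
"""Illustrative sandbox/VM check against HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.
Added example; the vendor tokens and sample subkey names are assumptions, not
values taken from the report or from the analysed sample."""
import re
import sys

# Subkey names under Enum\SCSI have the shape "<Class>&Ven_<Vendor>&Prod_<Product>[...]".
_DEVICE_ID = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.I)

# Assumed vendor/product tokens typical of virtualised storage (illustrative, not exhaustive).
VM_TOKENS = ("vbox", "vmware", "qemu", "virtual", "xen")


def parse_device_id(subkey: str):
    """Split one subkey name into class / vendor / product, or None if it does not match."""
    m = _DEVICE_ID.match(subkey)
    if not m:
        return None
    return {k: v.replace("_", " ").strip() for k, v in m.groupdict().items()}


def classify(subkeys):
    """Return (hits, devices): hits are the devices whose vendor or product
    string contains one of the virtualisation tokens."""
    devices, hits = [], []
    for name in subkeys:
        dev = parse_device_id(name)
        if dev is None:
            continue
        devices.append(dev)
        blob = f"{dev['ven']} {dev['prod']}".lower()
        if any(tok in blob for tok in VM_TOKENS):
            hits.append(dev)
    return hits, devices


def read_live_scsi_subkeys(control_set="ControlSet001"):
    """On Windows, enumerate the same key the sample touched; elsewhere return []."""
    if sys.platform != "win32":
        return []
    import winreg  # only importable on Windows
    path = rf"SYSTEM\{control_set}\Enum\SCSI"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        i = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, i))
            except OSError:  # no more subkeys
                break
            i += 1
    return names


# Constructed sample subkey names (assumed): a VirtualBox guest and a physical host.
SAMPLE_VBOX = ["Disk&Ven_VBOX&Prod_HARDDISK", "CdRom&Ven_VBOX&Prod_CD-ROM"]
SAMPLE_PHYSICAL = ["Disk&Ven_Samsung&Prod_SSD_870_EVO", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM"]

if __name__ == "__main__":
    for label, keys in (("vbox", SAMPLE_VBOX), ("physical", SAMPLE_PHYSICAL), ("live", read_live_scsi_subkeys())):
        hits, devs = classify(keys)
        print(f"{label}: {len(devs)} SCSI devices, {len(hits)} virtualisation indicators")
```

A sandbox that wants to survive this check has to rename or hide these subkeys, which is why the key is worth a dedicated signature rather than a generic registry-read one.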
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  - PID 820 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe (2 entries)
  - PID 2072 (the remaining entries, 62 of 64 by the signature's count; image name blank in the report)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 2072 (image name blank in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  - PID 820 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (all six entries are identical):
  - PID 556 wrote to memory of 820 (source: 556 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe; target process: 7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe)
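To read the two cross-process signatures (SetThreadContext and WriteProcessMemory) together, this added example (not part of the report and not the sandbox's own logic) parses the flattened rows exactly as they appear on this page and flags any source/target pair that saw both a remote memory write and a thread-context change, with a same-image check because both ends here are copies of the sample. The row text is copied from this report; the pairing rule is the example's own, and the single-pid MapViewOfSection row carries no target and is not used.

```python
"""Re-derive the parent-to-child injection chain from this report's signature rows.
Added example: the input rows are the report's own text, the grouping rule is ours."""
import re
from collections import defaultdict

SAMPLE = "7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe"

# Rows as printed in the report: one SetThreadContext row, six identical WriteProcessMemory rows.
REPORT_ROWS = [f"PID 556 set thread context of 820 556 {SAMPLE} {SAMPLE}"] + \
              [f"PID 556 wrote to memory of 820 556 {SAMPLE} {SAMPLE}"] * 6

# "PID <src> <verb> <dst> <src> <src image> <dst image>" (the source pid is repeated in the row).
_ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)
VERB_TO_API = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}


def parse_rows(rows):
    """Turn each matching row into an event dict; rows without a target are skipped."""
    events = []
    for row in rows:
        m = _ROW.match(row)
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]), "api": VERB_TO_API[m["verb"]],
                           "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return events


def find_injection_chains(events):
    """Group events by (source pid, target pid) and report pairs that saw both a
    WriteProcessMemory and a SetThreadContext; same image on both sides is the
    self-hollowing hint (the sample re-launching itself and overwriting the child)."""
    by_pair = defaultdict(lambda: {"apis": defaultdict(int), "imgs": None})
    for ev in events:
        rec = by_pair[(ev["src"], ev["dst"])]
        rec["apis"][ev["api"]] += 1
        rec["imgs"] = (ev["src_img"], ev["dst_img"])
    chains = []
    for (src, dst), rec in by_pair.items():
        if rec["apis"]["WriteProcessMemory"] and rec["apis"]["SetThreadContext"]:
            chains.append({"src": src, "dst": dst,
                           "writes": rec["apis"]["WriteProcessMemory"],
                           "ctx_sets": rec["apis"]["SetThreadContext"],
                           "same_image": rec["imgs"][0] == rec["imgs"][1]})
    return chains


if __name__ == "__main__":
    for chain in find_injection_chains(parse_rows(REPORT_ROWS)):
        print(chain)
```

On this report the only chain is 556 into 820 with six writes and one context change, both sides the sample's own image. A write-only pair (no SetThreadContext) is deliberately not reported, since that alone can be a legitimate debugger or loader pattern.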
Processes
- C:\Users\Admin\AppData\Local\Temp\7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\7cf4cef3d46eece2e7e3a0eba33785720d387b2872aaf6c1ed0d679c146c41e0.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Matched against the signature tables, the parent is PID 556 and the child is PID 820. PID 2072, which appears under Deletes itself, EnumeratesProcesses and GetForegroundWindowSpam and has its own 88KB memory dump, is not in this tree and its image name is blank wherever it occurs, so the report does not identify which process PID 2072 is.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/556-115-0x0000000000780000-0x00000000007A3000-memory.dmp: PID 556, 0x780000-0x7A3000, 140KB
- memory/556-116-0x00000000005B0000-0x00000000005B9000-memory.dmp: PID 556, 0x5B0000-0x5B9000, 36KB
- memory/820-117-0x0000000000400000-0x0000000000409000-memory.dmp: PID 820, 0x400000-0x409000, 36KB
- memory/820-118-0x0000000000400000-0x0000000000409000-memory.dmp: PID 820, 0x400000-0x409000, 36KB
- memory/2072-119-0x0000000000DF0000-0x0000000000E06000-memory.dmp: PID 2072, 0xDF0000-0xE06000, 88KB
Note: both PID 820 dumps cover the same 36KB range at 0x400000 (the child's image region), and the 36KB region dumped from PID 556 at 0x5B0000 is the same size. Read together with the six WriteProcessMemory calls and the SetThreadContext call from 556 into 820, this is what one would expect if the parent wrote a 36KB unpacked payload over the child's image before redirecting its thread; the report itself does not state this, so confirm it by comparing the two dumps.