Analysis
Max time kernel: 152s
Max time network: 123s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 27-01-2022 06:33

Static task: static1
Behavioral task: behavioral1
Sample: 3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe
Resource: win10-en-20211208
General
Target: 3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe
Size: 241KB
MD5: b341d1a711a365f62f7e89f23871d53c
SHA1: 4294e840238eef1c74be58659ab28974f2d17038
SHA256: 3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159
SHA512: 90da0e59befd5fbc2a78478bd883851a3c29d6cc7daf6c70e62f979d18238ef7296e71be7966eaef5cfdaa163b046ec4dc931d8b7bcb3bd09dcad5dc2fa5ebfd
Malware Config
Extracted
Family: smokeloader
Version: 2020
C2 URLs (both plain HTTP; treat as network IoCs):
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
Processes:
PID 3040 (image name not recorded in the report)

Suspicious use of SetThreadContext (1 IoC)
Processes:
PID 2668 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe) set thread context of PID 3752 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device subkeys under this path carry vendor and product strings, and a virtualized disk controller names the hypervisor.
Processes (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe, the child instance PID 3752 per the process tree):
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
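What the sandbox flags here is the sample enumerating the SCSI enumeration key and comparing device names against hypervisor vendor strings. The block below is an added example that reproduces that check; it is not code from the sample or from the sandbox. The marker list is an assumption (a commonly used set); the report does not say which strings this sample matches against. The enumerated key names are constructed samples of what the key holds on a VMware guest versus bare metal.

```python
"""Sandbox detection via HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI subkey names.

Added example, not the sample's own code. VIRTUAL_MARKERS is an assumed list;
the sample inputs are constructed.
"""
import sys

# The exact key the report records as opened, queried and enumerated by PID 3752.
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"

# Assumed marker list: substrings that commonly appear in virtual SCSI device names.
# "virtual" is broad on purpose and will also hit e.g. Hyper-V's "Virtual Disk".
VIRTUAL_MARKERS = ("vmware", "vbox", "qemu", "virtual", "xen")


def scsi_looks_virtual(subkey_names):
    """Return the sorted markers found in the SCSI device subkey names.

    An empty list means nothing in the enumerated names points at a hypervisor;
    a non-empty list is what a loader would treat as 'running in a sandbox'.
    """
    found = set()
    for name in subkey_names:
        lowered = name.lower()
        for marker in VIRTUAL_MARKERS:
            if marker in lowered:
                found.add(marker)
    return sorted(found)


def enumerate_scsi_subkeys():
    """Windows-only: enumerate the subkeys of HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI.

    This is the same open / query / enumerate sequence the report lists as IoCs.
    """
    if not sys.platform.startswith("win"):
        raise OSError("registry enumeration only works on Windows")
    import winreg  # imported here so the module also loads on non-Windows hosts
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            names.append(winreg.EnumKey(key, i))
    return names


# Constructed samples: typical subkey names on a VMware guest vs. a physical host.
VIRTUAL_SAMPLE = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD1",
]
PHYSICAL_SAMPLE = [
    "Disk&Ven_Samsung&Prod_SSD_870",
    "Disk&Ven_&Prod_ST1000DM003",
]

if __name__ == "__main__":
    # On Windows, audit the real key; elsewhere fall back to the constructed samples.
    try:
        names = enumerate_scsi_subkeys()
    except OSError:
        names = VIRTUAL_SAMPLE
    print("SCSI subkeys:", names)
    print("hypervisor markers:", scsi_looks_virtual(names) or "none")
```

The same string comparison the loader makes is the one a sandbox operator should run against their own guests: if `scsi_looks_virtual` returns anything for the real key, the disk controller names leak the hypervisor and this sample will refuse to proceed to the payload stage.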
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
PID 3752 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe): 2 IoCs
PID 3040 (image name not recorded in the report): the remaining 62 IoCs

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
PID 3040 (image name not recorded in the report)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
PID 3752 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
PID 2668 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe) wrote to memory of PID 3752 (3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe), recorded 6 times

Read together, the WriteProcessMemory and SetThreadContext entries show the first instance (PID 2668) writing into a second instance of its own image (PID 3752) and then redirecting that instance's thread. That is the pattern of a loader hollowing a child copy of itself to run the unpacked stage, and it is the child (PID 3752) that goes on to perform the SCSI sandbox check and the MapViewOfSection activity.
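The WriteProcessMemory and SetThreadContext signatures above are two independent IoC lists; the injection finding only appears when they are correlated by source and target PID. The block below is an added example of that correlation, not the sandbox's own detection logic. The line format it parses is a constructed, simplified rendering of the report's "wrote to memory of" and "set thread context of" entries, and the extra noise lines (PIDs 4100, 4200 and 5000) are constructed to show what is not flagged.

```python
"""Correlate per-API sandbox events into a cross-process injection finding.

Added example; not the sandbox's code. The event line format is constructed to
mirror the report's tables: "PID <src> <verb> <dst> <src_image> <dst_image>".
"""
import re
from collections import defaultdict

IMAGE = "3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe"

# Only the two cross-process verbs the report lists are parsed; anything else is ignored.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Constructed events: the report's six writes and one SetThreadContext from 2668
# into 3752, plus noise that must not produce a finding.
SAMPLE_EVENTS = [f"PID 2668 wrote to memory of 3752 {IMAGE} {IMAGE}"] * 6 + [
    f"PID 2668 set thread context of 3752 {IMAGE} {IMAGE}",
    f"PID 3752 map view of section {IMAGE}",                # different API, not parsed
    "PID 4100 wrote to memory of 4200 explorer.exe notepad.exe",  # write without ctx switch
    "PID 5000 set thread context of 5000 svchost.exe svchost.exe",  # own thread, not injection
]


def parse_events(lines):
    """Turn raw event lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "src": int(d["src"]),
            "dst": int(d["dst"]),
            "api": "WriteProcessMemory" if d["verb"].startswith("wrote") else "SetThreadContext",
            "src_image": d["src_image"],
            "dst_image": d["dst_image"],
        })
    return events


def find_injection(events, min_writes=1):
    """Flag (src, dst) PID pairs where src wrote into dst and also set one of dst's
    thread contexts. A matching image name on both sides marks self-injection,
    i.e. the loader hollowing a child copy of itself."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": None, "dst_image": None})
    for e in events:
        if e["src"] == e["dst"]:
            continue  # a process touching its own memory/threads is not cross-process injection
        p = pairs[(e["src"], e["dst"])]
        if e["api"] == "WriteProcessMemory":
            p["writes"] += 1
        else:
            p["ctx"] += 1
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if p["writes"] >= min_writes and p["ctx"] >= 1:
            findings.append({
                "src": src,
                "dst": dst,
                "writes": p["writes"],
                "self_injection": p["src_image"] == p["dst_image"],
            })
    return findings


if __name__ == "__main__":
    for f in find_injection(parse_events(SAMPLE_EVENTS)):
        kind = "self-injection (same image)" if f["self_injection"] else "injection"
        print(f"{kind}: PID {f['src']} -> PID {f['dst']} after {f['writes']} write(s)")
```

The write-without-context-switch pair (4100 to 4200) is deliberately left unflagged: many legitimate tools write into other processes, and it is the combination with SetThreadContext on the same target that turns the events into an injection finding. Raising `min_writes` trades a little recall for fewer single-write false positives.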
Processes

C:\Users\Admin\AppData\Local\Temp\3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe (PID 2668)
Command line: "C:\Users\Admin\AppData\Local\Temp\3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe (PID 3752, child of PID 2668)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3af52c8b82da1b19bb393bea564e25e82dacaca7644242f8ec444ed0ab418159.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection