Analysis

max time kernel: 151s
max time network: 137s
platform: windows10_x64
resource: win10-en-20211208
submitted: 27-01-2022 10:00

Static task: static1
Behavioral task: behavioral1
Sample: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
Resource: win10-en-20211208
General

Target: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
Size: 189KB
MD5: 398c1a197985daf7cb32f86a16deaa23
SHA1: 5b8dd4313f7a4b1a4847b8a36b74acf127defc74
SHA256: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8
SHA512: 18117b27a86e3b1e44ff1769f698d77da7f664e2a9dd2434235b889cbd81d5a18b38f1ec0c87b8e740b79a35406847ba41b1f8789d90475a6fa2ddf937070d08
Malware Config

Extracted: smokeloader (version 2020)
C2 URLs:
- http://host-data-coin-11.com/
- http://file-coin-host-12.com/
Signatures

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- Deletes itself (1 IoC)
  Processes:
    pid 2712
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: PID 2848 set thread context of 1340
    pid: 2848
    process: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    target process: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    Key queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
    1340   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    1340   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    2712   (no process name recorded; this pid accounts for all remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid 2712
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
    1340   da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (the same entry is recorded 6 times):
    description: PID 2848 wrote to memory of 1340
    pid: 2848
    process: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
    target process: da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. (child of process 1) C:\Users\Admin\AppData\Local\Temp\da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\da4e25ba54eae8fa75f9babd1e8c98478334890eeabe30f5367d88ab68d64da8.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection