Analysis
- max time kernel: 161s
- max time network: 130s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 27-01-2022 12:08
Static task: static1
Behavioral task: behavioral1
Sample: ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe
Resource: win10-en-20211208
General
- Target: ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe
- Size: 191KB
- MD5: 4c8435b480189d501c2e76fda59f69f9
- SHA1: e10ba38cb071c14ea3a822e715add46f6016012f
- SHA256: ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f
- SHA512: 63e36d20879b921c65c35daf2ac796d92b8137c5b7fb5608c2f371d105359507785dde2b3f696580551088c30fb2e16e935ffe5755284d3cbb01abac1bf328a1
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2: http://host-data-coin-11.com/
- C2: http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoCs)
  Processes: pid 1876
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  PID 3620 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe) set thread context of PID 2940 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  PID 2940 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe), listed twice
  PID 1876, repeated for all remaining entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: pid 1876
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: PID 2940 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 3620 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe) wrote to memory of PID 2940 (ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe), six times
Processes
- C:\Users\Admin\AppData\Local\Temp\ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ea73a6811887921ca2dbbd107e41be2a7249bf2ea73700fa87b051a367c36c3f.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1876-119-0x00000000013F0000-0x0000000001406000-memory.dmp (Filesize 88KB)
- memory/2940-117-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/2940-118-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/3620-115-0x0000000000589000-0x0000000000592000-memory.dmp (Filesize 36KB)
- memory/3620-116-0x0000000000490000-0x0000000000499000-memory.dmp (Filesize 36KB)