Analysis
- max time kernel: 155s
- max time network: 132s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 08:46
Static task
- static1
Behavioral task
- behavioral1
  - Sample: d9507b17acd6de906acd4253ca9cb967.exe
  - Resource: win7-en-20211208
Behavioral task
- behavioral2
  - Sample: d9507b17acd6de906acd4253ca9cb967.exe
  - Resource: win10-en-20211208
General
- Target: d9507b17acd6de906acd4253ca9cb967.exe
- Size: 356KB
- MD5: d9507b17acd6de906acd4253ca9cb967
- SHA1: b1028196128897ce20cd795280e392a9b3220c2f
- SHA256: 4e1f743b60d65732d43e6a8c064016369a2cb6d03e81e04e114ed6a31297a2a7
- SHA512: 49c44996feda66cb09dcd9d2057d9de8f0d71183ee1871c0fa79d86891843540f6c630469b098cd69fe013f08b824a5baaec5e68f1ae6cdaa9019f85f65a18ab
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  - http://host-data-coin-11.com/
  - http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
    PID 2712
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 3972 (d9507b17acd6de906acd4253ca9cb967.exe) set thread context of PID 3824 (d9507b17acd6de906acd4253ca9cb967.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by d9507b17acd6de906acd4253ca9cb967.exe
    Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by d9507b17acd6de906acd4253ca9cb967.exe
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by d9507b17acd6de906acd4253ca9cb967.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    PID 3824 (d9507b17acd6de906acd4253ca9cb967.exe), 2 entries
    PID 2712 (process name not recorded), all remaining entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 2712
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 3824 (d9507b17acd6de906acd4253ca9cb967.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3972 (d9507b17acd6de906acd4253ca9cb967.exe) wrote to memory of PID 3824 (d9507b17acd6de906acd4253ca9cb967.exe), 6 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\d9507b17acd6de906acd4253ca9cb967.exe (process tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d9507b17acd6de906acd4253ca9cb967.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d9507b17acd6de906acd4253ca9cb967.exe (process tree depth 2, child of the above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d9507b17acd6de906acd4253ca9cb967.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2712-119-0x0000000000720000-0x0000000000736000-memory.dmp (filesize 88KB)
- memory/3824-117-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)
- memory/3824-118-0x0000000000400000-0x0000000000409000-memory.dmp (filesize 36KB)
- memory/3972-116-0x0000000000620000-0x0000000000629000-memory.dmp (filesize 36KB)