Analysis
Max time kernel: 164s
Max time network: 135s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 28-01-2022 14:00
Static task: static1
Behavioral task: behavioral1
  Sample: 319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe
  Resource: win10-en-20211208
General
Target: 319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe (referred to below as "the sample")
Size: 352KB
MD5: 18dbc0e743976c1022fb7771166615b1
SHA1: cc7abc9575c6f1f3186a64cb43ca8cf79af31641
SHA256: 319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879
SHA512: 3354987965551155898c03ddf826990637f17ecedb33688a02fe04040e0ede5e91334a9ab2d26879228048e4ebce4a070dc3bea5c71a84d578f41c189dcce76c
Malware Config
Extracted family: smokeloader
Version: 2020
C2 URL: http://host-data-coin-11.com/
C2 URL: http://file-coin-host-12.com/
Signatures

SmokeLoader
  Modular backdoor trojan in use since 2014.

Deletes itself (1 IoC)
  Process: PID 1880 (image name not recorded in the report)

Suspicious use of SetThreadContext (1 IoC)
  PID 2468 (the sample) set thread context of PID 2732 (the sample, its child process)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: the sample (the child process, PID 2732, according to the process tree below)
  Key opened:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key queried:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
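To show what the "Checks SCSI registry key(s)" signature is getting at, here is an added example (not from this report, the sandbox, or the sample's authors). Subkeys under HKLM\SYSTEM\ControlSet001\Enum\SCSI are device instance IDs of the form Disk&Ven_<vendor>&Prod_<product>, and on a hypervisor those vendor and product strings usually name the virtualization product, which is why a loader reads the key before deciding whether to unpack. The hypervisor marker list and the constructed subkey names are assumptions; the Windows-only read_enum_scsi helper performs the same open, query, enumerate sequence the three IoCs record.

```python
"""
Added example, not code from the sandbox report or the sample.
Parses Enum\SCSI device instance IDs and flags hypervisor vendors.
"""
import re
import sys

# Assumed indicator strings commonly seen in virtual disk identifiers; not from the report.
HYPERVISOR_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "MSFT VIRTUAL", "XEN")

# <class>&Ven_<vendor>&Prod_<product>[&Rev_<rev>]  (underscores stand in for spaces)
_ID_RE = re.compile(r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.I)


def parse_instance_id(key_name: str) -> dict:
    """Split one Enum\\SCSI subkey name into class, vendor and product strings."""
    m = _ID_RE.match(key_name)
    if not m:
        return {"class": key_name, "vendor": "", "product": ""}
    return {
        "class": m["cls"],
        "vendor": m["ven"].replace("_", " ").strip(),
        "product": m["prod"].replace("_", " ").strip(),
    }


def looks_virtual(entry: dict) -> bool:
    """True when vendor or product names a known hypervisor (case-insensitive)."""
    hay = f"{entry['vendor']} {entry['product']}".upper()
    return any(marker in hay for marker in HYPERVISOR_MARKERS)


def classify(key_names):
    """Return (entries that look virtual, all parsed entries)."""
    parsed = [parse_instance_id(k) for k in key_names]
    return [e for e in parsed if looks_virtual(e)], parsed


def read_enum_scsi():
    """Windows only: same open / query / enumerate sequence as the report's three IoCs."""
    import winreg  # only importable on Windows
    path = r"SYSTEM\ControlSet001\Enum\SCSI"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:   # "Key opened"
        subkey_count, _, _ = winreg.QueryInfoKey(key)               # "Key queried"
        return [winreg.EnumKey(key, i) for i in range(subkey_count)]  # "Key enumerated"


# Constructed subkey names so the example runs off-line on any OS; not from the report.
SAMPLE_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
    "Disk&Ven_Samsung&Prod_SSD_870_EVO",
]

if __name__ == "__main__":
    keys = read_enum_scsi() if sys.platform == "win32" else SAMPLE_KEYS
    hits, parsed = classify(keys)
    for entry in parsed:
        flag = "VIRTUAL" if entry in hits else "       "
        print(f"{flag} {entry['class']:6} vendor={entry['vendor']!r} product={entry['product']!r}")
```

On a physical host the key still exists and is readable; the point of the check is the strings it returns, not the key's presence. Defenders who want the sample to detonate can either rename the virtual disk identifiers the sandbox exposes or treat this open/query/enumerate triple from a freshly spawned copy of a downloaded executable as a detection signal in its own right.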
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 2732 (the sample): 2 IoCs
  PID 1880 (image name not recorded): remaining 62 IoCs

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1880 (image name not recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2732 (the sample)

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2468 (the sample) wrote to memory of PID 2732 (the sample), 6 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe (PID 2468, per the signature tables)
   Command line: "C:\Users\Admin\AppData\Local\Temp\319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe (PID 2732, child of PID 2468)
      Command line: "C:\Users\Admin\AppData\Local\Temp\319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file, region size):
memory/1880-122-0x0000000000660000-0x0000000000676000-memory.dmp    88KB
memory/2468-118-0x00000000007C0000-0x00000000007E9000-memory.dmp   164KB
memory/2468-119-0x0000000000670000-0x0000000000679000-memory.dmp    36KB
memory/2732-120-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
memory/2732-121-0x0000000000400000-0x0000000000409000-memory.dmp    36KB
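As an added example that is not part of this report, the script below correlates the SetThreadContext and WriteProcessMemory signatures into a process-hollowing verdict and parses the dump file names listed under Downloads to compare region sizes across the parent and child. The event tuples are constructed from the report's IoCs; the rule itself (a cross-process write followed by a thread-context change between two processes running the same image) and the choice of 0x400000 as the assumed image base of the overwritten child are my assumptions, not something the report states.

```python
"""
Added example, not code from the sandbox report or the sample.
Correlates API-call IoCs into a hollowing verdict and sizes the dumped regions.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "319a1b87e38833ae34bb501e0954b3a5d4baa081063fa0f89a4962fa4a700879.exe"

# (api, source_pid, source_image, target_pid, target_image); constructed to mirror the report.
EVENTS = (
    [("WriteProcessMemory", 2468, SAMPLE, 2732, SAMPLE)] * 6
    + [("SetThreadContext", 2468, SAMPLE, 2732, SAMPLE)]
    + [("MapViewOfSection", 2732, SAMPLE, 2732, SAMPLE)]
)

# Dump names exactly as the report lists them under Downloads.
DUMPS = [
    "memory/1880-122-0x0000000000660000-0x0000000000676000-memory.dmp",
    "memory/2468-118-0x00000000007C0000-0x00000000007E9000-memory.dmp",
    "memory/2468-119-0x0000000000670000-0x0000000000679000-memory.dmp",
    "memory/2732-120-0x0000000000400000-0x0000000000409000-memory.dmp",
    "memory/2732-121-0x0000000000400000-0x0000000000409000-memory.dmp",
]

_DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump(name: str) -> dict:
    """Split memory/<pid>-<idx>-<start>-<end>-memory.dmp into numbers; size is end - start."""
    m = _DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "idx": idx, "start": start, "end": end, "size": end - start}


def find_hollowing(events):
    """One verdict per (source, target) pair that both wrote memory and reset a thread context."""
    by_pair = defaultdict(Counter)
    images = {}
    for api, spid, simg, tpid, timg in events:
        images[spid] = simg
        images[tpid] = timg
        if spid != tpid:                       # ignore a process touching itself
            by_pair[(spid, tpid)][api] += 1
    verdicts = []
    for (spid, tpid), calls in by_pair.items():
        if calls["WriteProcessMemory"] and calls["SetThreadContext"]:
            verdicts.append({
                "source": spid,
                "target": tpid,
                "writes": calls["WriteProcessMemory"],
                "self_image": images[spid] == images[tpid],   # same binary re-launched and hollowed
            })
    return verdicts


def match_payload_regions(dumps, source_pid, target_pid, image_base=0x400000):
    """Pair target dumps at the assumed image base with same-sized dumps from the source."""
    parsed = [parse_dump(d) for d in dumps]
    targets = [d for d in parsed if d["pid"] == target_pid and d["start"] == image_base]
    sources = [d for d in parsed if d["pid"] == source_pid]
    return [(s, t) for t in targets for s in sources if s["size"] == t["size"]]


if __name__ == "__main__":
    for verdict in find_hollowing(EVENTS):
        print("hollowing candidate:", verdict)
    for s, t in match_payload_regions(DUMPS, 2468, 2732):
        print(f"{s['size'] // 1024}KB at 0x{s['start']:X} in PID {s['pid']} "
              f"matches the region at 0x{t['start']:X} in PID {t['pid']}")
```

Run against the report's own numbers, the correlator produces a single verdict (2468 writing into 2732 six times, then taking control of its thread, both processes running the same image), and the region matcher pairs the 36KB dump the sandbox took from 2468 at 0x670000 with the 36KB dumps of 2732 starting at 0x400000. That size match is consistent with the parent unpacking a 36KB stage in its own heap and writing it over the child's image, but the report does not confirm it; the 2732 dumps are the ones to open in a disassembler to find out.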