Analysis
- max time kernel: 157s
- max time network: 180s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 12:50
Static task: static1
Behavioral task: behavioral1
- Sample: d89944dfaa2c67c475c079edb5646342.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: d89944dfaa2c67c475c079edb5646342.exe
- Resource: win10-en-20211208
General
- Target: d89944dfaa2c67c475c079edb5646342.exe
- Size: 317KB
- MD5: d89944dfaa2c67c475c079edb5646342
- SHA1: d4ddd0aeb465bb1755d08168e427e1e1a22fe126
- SHA256: f2e9475cbf8ad93f5762a2b5c02b552d5afe5247c9c14e2c1e72f507807ffbaa
- SHA512: d4a10488e91ee248eb66614f0b8080fe18c3f06673e35f3a128c0a960f588f61b9b7562e0f99360a1f879868b17455a3410970f99a86e63ae0031fe67909cf23
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes: pid 2928
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 2776 set thread context of 3048 | 2776 | d89944dfaa2c67c475c079edb5646342.exe | d89944dfaa2c67c475c079edb5646342.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d89944dfaa2c67c475c079edb5646342.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d89944dfaa2c67c475c079edb5646342.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d89944dfaa2c67c475c079edb5646342.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
  3048 | d89944dfaa2c67c475c079edb5646342.exe
  3048 | d89944dfaa2c67c475c079edb5646342.exe
  2928 | (process name not recorded), the remaining 62 IoCs
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: pid 2928
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid | process):
  3048 | d89944dfaa2c67c475c079edb5646342.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 2776 wrote to memory of 3048 | 2776 | d89944dfaa2c67c475c079edb5646342.exe | d89944dfaa2c67c475c079edb5646342.exe (6 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\d89944dfaa2c67c475c079edb5646342.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d89944dfaa2c67c475c079edb5646342.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\d89944dfaa2c67c475c079edb5646342.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d89944dfaa2c67c475c079edb5646342.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Downloads
- memory/2776-116-0x0000000000580000-0x0000000000588000-memory.dmp (Filesize: 32KB)
- memory/2776-117-0x0000000000590000-0x0000000000599000-memory.dmp (Filesize: 36KB)
- memory/2928-119-0x0000000000670000-0x0000000000686000-memory.dmp (Filesize: 88KB)
- memory/3048-115-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)
- memory/3048-118-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize: 36KB)