Analysis
- max time kernel: 183s
- max time network: 173s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 29-01-2022 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
- Resource: win10-en-20211208
General
- Target: 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
- Size: 317KB
- MD5: 92bc3fd7578afed3c64ccf9fcbcf1e17
- SHA1: 518dc5cf48bb613163856cf2ca815a42ba43f55c
- SHA256: c5b0b8b86878e2fda1194d28b3e2b6923541de1719f8b96975de34cbbc9aa537
- SHA512: b85e4190d6dd6f1845ab7fb2ac74503f19376b9e4e288db387dc9731e0f058fe985e2c79cc66e4be979815bcfc5aaa2683abea61229a22437f1e2fb941b3bbc9
Malware Config
Extracted
- Family: smokeloader
- Version: 2020
- C2:
  http://host-data-coin-11.com/
  http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  PID 3040 (process name not recorded in the report)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 980 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe) set thread context of PID 3220 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI by 92bc3fd7578afed3c64ccf9fcbcf1e17.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  PID 3220 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe): 2 entries
  PID 3040 (process name not recorded in the report): the remaining 62 entries
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  PID 3040 (process name not recorded in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  PID 3220 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  PID 980 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe) wrote to memory of PID 3220 (92bc3fd7578afed3c64ccf9fcbcf1e17.exe): 6 identical entries
Processes
- C:\Users\Admin\AppData\Local\Temp\92bc3fd7578afed3c64ccf9fcbcf1e17.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\92bc3fd7578afed3c64ccf9fcbcf1e17.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\92bc3fd7578afed3c64ccf9fcbcf1e17.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\92bc3fd7578afed3c64ccf9fcbcf1e17.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/980-115-0x0000000000460000-0x000000000050E000-memory.dmp (696KB)
- memory/980-116-0x0000000000460000-0x000000000050E000-memory.dmp (696KB)
- memory/3040-119-0x0000000000DB0000-0x0000000000DC6000-memory.dmp (88KB)
- memory/3220-117-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)
- memory/3220-118-0x0000000000400000-0x0000000000409000-memory.dmp (36KB)