Analysis
- max time kernel: 162s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 29-01-2022 13:11
Static task: static1
Behavioral task: behavioral1
- Sample: 583707ca6b0c9206f66db2e02df0715d.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 583707ca6b0c9206f66db2e02df0715d.exe
- Resource: win10-en-20211208
General
- Target: 583707ca6b0c9206f66db2e02df0715d.exe
- Size: 318KB
- MD5: 583707ca6b0c9206f66db2e02df0715d
- SHA1: 0021d125ebb8f4553f217c5904e9e17be4619795
- SHA256: 04821c93b97a6b6ffdf80bcaf3e6491b6de39eff2caed87c19c1531a0c5c87d6
- SHA512: 71f6ce278ca8d8cef61676de7b021074ddc76745bc8d08ebfb2b3d9fbc1c32a4aac6db13df00ce06e083a2e55e521f5dca0190608191157b958885c2d4d6002d
Malware Config
Extracted: smokeloader, 2020
- http://host-data-coin-11.com/
- http://file-coin-host-12.com/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  Processes:
  pid 1412
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 748 set thread context of 1404 | pid: 748 | process: 583707ca6b0c9206f66db2e02df0715d.exe | target process: 583707ca6b0c9206f66db2e02df0715d.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: 583707ca6b0c9206f66db2e02df0715d.exe
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: 583707ca6b0c9206f66db2e02df0715d.exe
  Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | process: 583707ca6b0c9206f66db2e02df0715d.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid 1404 | process: 583707ca6b0c9206f66db2e02df0715d.exe
  pid 1404 | process: 583707ca6b0c9206f66db2e02df0715d.exe
  pid 1412 (repeated for the remaining 62 IoCs; process name not captured)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid 1412
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid 1404 | process: 583707ca6b0c9206f66db2e02df0715d.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid 1412
  pid 1412
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid 1412
  pid 1412
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description: PID 748 wrote to memory of 1404 | pid: 748 | process: 583707ca6b0c9206f66db2e02df0715d.exe | target process: 583707ca6b0c9206f66db2e02df0715d.exe (this entry is repeated 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\583707ca6b0c9206f66db2e02df0715d.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\583707ca6b0c9206f66db2e02df0715d.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\583707ca6b0c9206f66db2e02df0715d.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\583707ca6b0c9206f66db2e02df0715d.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/748-54-0x00000000001B0000-0x00000000001B8000-memory.dmp (Filesize 32KB)
- memory/748-55-0x00000000001C0000-0x00000000001C9000-memory.dmp (Filesize 36KB)
- memory/1404-56-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/1404-57-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize 8KB)
- memory/1404-58-0x0000000000400000-0x0000000000409000-memory.dmp (Filesize 36KB)
- memory/1412-59-0x0000000002170000-0x0000000002186000-memory.dmp (Filesize 88KB)