Analysis
max time kernel: 150s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 02-09-2022 21:21
Behavioral task: behavioral1
Sample: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Resource: win10v2004-20220812-en
General
Target: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Size: 30KB
MD5: 0d7eb2137c2d696071df27cc6a601a5a
SHA1: f3e487886630e0729fb4b4967cd11c2ee0daa989
SHA256: 7fa0fc4b901ff3bb9002f33b4a7f0a01aef10f36c8304d26cdbf0934a9fd816f
SHA512: 1b6f45cd581d3cd8292d8b97b840473eddb5239ce07037a8d34cf1530dc6c35613591e1d06f56453b50060d0df8d6066cc675a8cde3018220547597515e8f662
SSDEEP: 768:8t6+ztmVfbHmHS8/ckpKd75wiqjUKPO6AAb3vM8pYwA:2ztmJbHmHT/zKdVwigUAAK3qw
Malware Config
Signatures

Detects Smokeloader packer (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2032-55-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral1/memory/2032-56-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  pid   Process
  2032  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  2032  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  1368  (repeated for the remaining entries; no process name recorded)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   Process
  1368  (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: 7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe
  pid   Process
  2032  7FA0FC4B901FF3BB9002F33B4A7F0A01AEF10F36C8304.exe