Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/09/2022, 18:23
Static task: static1
Behavioral task: behavioral1
Sample: b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
Resource: win10v2004-20220812-en
7 signatures
150 seconds
General
Target: b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
Size: 288KB
MD5: 844e626a3c2749843437f3b1ec371bcf
SHA1: 947afc2ab7159cdaded42e3ba20d7a0b170c609e
SHA256: b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd
SHA512: faaf6c139eea708ac602f4fd46cb45cedae40e84391967dc481137ff85c318a9798d50ff15145904a10959b572562ba541e02c8c094975f27474ba6ca6f598c9
SSDEEP: 6144:oqWNTqz4O0bzvHsD9IBcwi3W8qLNYacZy2POBaKij4E2jUV:oXTiiWqBcwi3W8qLNwZy2PO0kEQU
Score: 10/10
Malware Config
Signatures
- Detects Smokeloader packer (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/3652-133-0x00000000001C0000-0x00000000001C9000-memory.dmp  family_smokeloader
  behavioral1/memory/512-135-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
  behavioral1/memory/512-137-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
  behavioral1/memory/512-138-0x0000000000400000-0x0000000000409000-memory.dmp   family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                                                                   procid_target
  PID 3652 set thread context of 512    3652  b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe  108
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                              Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  512   b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
  512   b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
  3032  Process not Found (this row is repeated for the remaining 62 IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  512   b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 3652 wrote to memory of 512    3652  b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe  108
  (the same row is repeated 6 times)
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe"
  PID: 3652
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b42e89679216a5bdcdcc38a37a612092988246928e9d22f055d040b6614944dd.exe"
    PID: 512
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection