Analysis
max time kernel: 150s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-09-2022 08:24

Static task: static1
Behavioral task: behavioral1
Sample: 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
Resource: win10v2004-20220812-en
General
Target: 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
Size: 266KB
MD5: 63c1c1b1ac89d60316a6f4cf3552fc05
SHA1: 7f461d391a0a53bec8c3a4de83249c5495c7b1a3
SHA256: 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959
SHA512: 0c700a69bb496a515abbccc99c2e09d7e86b40b6c7e62869c60cf2bab661c1872a3393c5f0004f26cbfa854db560dde208a0d3478ca907940d9a811893229497
SSDEEP: 3072:oaXjO2vT0rGtQYl5OLgs5wdTE4+ISEETS0tI+/0KP6XwL6VExNM/h3BsxkgaBChd:96rGtsgawdTaIqZtz/0oVXniga+
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
resource                                                                     | yara_rule
behavioral1/memory/3988-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/2764-135-0x0000000002180000-0x0000000002189000-memory.dmp | family_smokeloader
behavioral1/memory/3988-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/3988-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description                         | pid  | Process                                                              | procid_target
PID 2764 set thread context of 3988 | 2764 | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe | 81
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
Malware frequently reads SCSI device information to detect virtualised or sandboxed environments: the device IDs under Enum\SCSI carry the disk vendor and model strings, which on a VM name the hypervisor (VMware, VirtualBox, QEMU) instead of a physical disk vendor.
description    | ioc                                              | Process
Key opened     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
Key queried    | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  | Process
3988 | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe (2 entries)
2348 | Process not Found (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid  | Process
2348 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid  | Process
3988 | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      | pid  | Process                                                              | procid_target
PID 2764 wrote to memory of 3988 | 2764 | 3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe | 81
(the same event is recorded 6 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe"
   PID: 2764
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe (child of PID 2764)
      Command line: "C:\Users\Admin\AppData\Local\Temp\3c810705193b5d0b3e8d99a7fd5d614785af87837303b071db0de057dc887959.exe"
      PID: 3988
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
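The signatures and process tree above describe one sequence: the first instance (PID 2764) spawns a second copy of itself (PID 3988), writes into its memory and then sets its thread context, after which the child maps a section, reads Enum\SCSI and does the work that the SmokeLoader YARA rule matches in memory. The following Python is an added example, not code from the report or from the sandbox vendor, showing how to correlate such behaviour events into that pattern. SAMPLE_EVENTS is a constructed log that mirrors the report's IoCs; the "kind key=value ..." line format, the event names and the field names are assumptions, not any real tool's output.

```python
"""Correlate sandbox behaviour events into the WriteProcessMemory -> SetThreadContext
injection pattern flagged in the report above.

Added example, not code from the report or from the sandbox vendor. SAMPLE_EVENTS is a
constructed log mirroring the report's IoCs (parent PID 2764 writing to and setting the
thread context of child PID 3988, which then reads the Enum\\SCSI key). The line format,
event names and field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed events. The last three lines are a benign control: a process touching
# its own memory or thread context must not be reported.
SAMPLE_EVENTS = """\
process_create pid=2764 ppid=1500 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe
process_create pid=3988 ppid=2764 image=C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe
write_memory pid=2764 target=3988
write_memory pid=2764 target=3988
set_thread_context pid=2764 target=3988
registry_open pid=3988 key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
registry_query pid=3988 key=\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI
map_view_of_section pid=3988
process_create pid=4100 ppid=1500 image=C:\\Windows\\explorer.exe
write_memory pid=4100 target=4100
set_thread_context pid=4100 target=4100
"""

EVENT_RE = re.compile(r"^(?P<kind>\w+)(?P<fields>(?:\s+\w+=\S+)*)\s*$")
SCSI_KEY_SUFFIX = "\\ENUM\\SCSI"


def parse_events(text):
    """Parse 'kind key=value ...' lines into (kind, {field: value}) tuples, in log order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event line: {line!r}")
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
        events.append((m.group("kind"), fields))
    return events


def detect_self_injection(events):
    """Report every (source, target) pair where a process wrote into another process and
    then set a thread context on it. Requiring the write to precede the context change is
    what separates hollowing/injection from a debugger adjusting a thread it already owns.
    Each finding records whether the target is the source's child with the same image path
    (the pattern in this report) and whether the target went on to read Enum\\SCSI."""
    image, parent = {}, {}
    writes = defaultdict(list)  # (src, dst) -> indexes of cross-process memory writes
    context_set = {}            # (src, dst) -> index of first cross-process SetThreadContext
    scsi_readers = set()
    for idx, (kind, f) in enumerate(events):
        if kind == "process_create":
            image[f["pid"]] = f["image"]
            parent[f["pid"]] = f["ppid"]
        elif kind == "write_memory" and f["pid"] != f["target"]:
            writes[(f["pid"], f["target"])].append(idx)
        elif kind == "set_thread_context" and f["pid"] != f["target"]:
            context_set.setdefault((f["pid"], f["target"]), idx)
        elif kind.startswith("registry_") and f["key"].upper().endswith(SCSI_KEY_SUFFIX):
            scsi_readers.add(f["pid"])

    findings = []
    for (src, dst), ctx_idx in sorted(context_set.items(), key=lambda item: item[1]):
        prior_writes = [i for i in writes.get((src, dst), []) if i < ctx_idx]
        if not prior_writes:
            continue  # SetThreadContext with no preceding write: not the injection sequence
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes_before_context_set": len(prior_writes),
            "child_of_source": parent.get(dst) == src,
            "same_image": src in image and image[src] == image.get(dst),
            "anti_sandbox_scsi": dst in scsi_readers,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_self_injection(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the constructed log this yields a single finding for 2764 -> 3988 with two prior writes, child_of_source and same_image set, and the SCSI indicator attached; the explorer.exe control produces nothing because its writes and context changes target its own PID. Feeding the same logic with a real sandbox or EDR event export only requires adapting parse_events to that tool's schema.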