Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/09/2022, 19:16
Static task: static1
Behavioral task: behavioral1
Sample: 9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Resource: win10v2004-20220812-en
6 signatures
150 seconds
General
Target: 9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Size: 173KB
MD5: e3887e38fa7702f33d9bbd80796dfaa2
SHA1: c1feaf82e0024b6a8c3ea85a5e4e1b22f61d63a1
SHA256: 9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4
SHA512: 8e4f8ebe5dbf1c88b377995a6cb8f840358f3b385166799ee90855986cf7bb961ab11f9917122dbb18f011c6aed6921c04479e79429dc42b9a1d9bc5786988ff
SSDEEP: 3072:Ub7LMW5HQ00T8Zezz3QSu9ePm0JkJJB4kykJnHh7/Pk9Dn:4LMR00K18SJ0Fe
Score: 10/10
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
resource:  behavioral1/memory/5072-133-0x00000000006D0000-0x00000000006D9000-memory.dmp
yara_rule: family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                                  Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid     Process
5072    9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
5072    9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
760     Process not Found   (this row is repeated for the remaining 62 of the 64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid     Process
760     Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
pid     Process
5072    9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9833460477f862341ed4eac6923cb43883b96ab4ff6c041ef8c51c817f518fc4.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 5072