Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/09/2022, 04:05
Static task: static1
Behavioral task: behavioral1
Sample: 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Resource: win10v2004-20220812-en
General
Target: 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Size: 200KB
MD5: 33ff95cd358e83db7d5333f39c5311f9
SHA1: bbf4eac70a253bb899dc10e8a619a28348dd4cf1
SHA256: 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9
SHA512: 0bb484dfb230f9a1d1d601f8221415bd10ef46d5945e74e27d0223d36805b848e0335e29534bdbc692e9d687ca2888ab1bc3ff59463a54fc8b16d1791f269ef5
SSDEEP: 3072:zwh/3CQMLltiZkTe6H85RxWTNHAJmZ15+cOyGy6uzt6KF5yeBbOH/Pkj4x:zoK/LlTvyIHAJmZ/Ojuzt6Ku
Malware Config
(none extracted)

Signatures

Detects Smokeloader packer (1 IoC)
resource | yara_rule
behavioral1/memory/4436-133-0x0000000000740000-0x0000000000749000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4436 | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
4436 | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
1996 | Process not Found (this row is repeated for each of the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1996 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
4436 | 3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Processes

C:\Users\Admin\AppData\Local\Temp\3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3579d8b3c35507d8097f9bbb66db0e2b3117f39f8258a6f9103d53cb7fab47d9.exe"
PID: 4436
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection