Analysis

Max time kernel: 150s
Max time network: 74s
Platform: windows10-1703_x64
Resource: win10-20220812-en
Resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 27-09-2022 16:51

Static task: static1
Behavioral task: behavioral1
Sample: bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe
Resource: win10-20220812-en (windows10-1703-x64)
Signatures: 9
Run time: 150 seconds
General

Target: bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe
Size: 328KB
MD5: e38b95da23a56bc3ef267713a5807903
SHA1: 40fc9ab918879cd500e7384dc80b0525fcbe7dd0
SHA256: bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56
SHA512: 127396194bded0b5b43be5011af4d9197c3365764b94ca60b19cc7aee5820cd2da7cc6f49547ced9371fc988389971d22df3f1607fee1cc04053d19b737eb98f
SSDEEP: 6144:F7VtzOz7TU+hJGEcTfPJJHBqF0MQnigabwVfs:F7VBu7T7JafPJJHBfNiB
Score: 10/10
Malware Config
Signatures
- Detects Smokeloader packer (5 IoCs)
  resource | yara_rule
  behavioral1/memory/3540-152-0x00000000001E0000-0x00000000001E9000-memory.dmp | family_smokeloader
  behavioral1/memory/4788-147-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4788-148-0x0000000000402DD8-mapping.dmp | family_smokeloader
  behavioral1/memory/4788-168-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
  behavioral1/memory/4788-181-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Deletes itself (1 IoC)
  pid | Process
  2112 | Process not Found
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 3540 set thread context of 4788 | 3540 | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe | 66
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4788 | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe (2 entries)
  2112 | Process not Found (62 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2112 | Process not Found

- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  4788 | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 3540 wrote to memory of 4788 | 3540 | bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe | 66 (6 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe (PID 3540, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe (PID 4788, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\bb9f980edc07ad67ef415ecae51d6433e1423a2e4b7a7a905b814607454fec56.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection