Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2022, 20:36
Static task: static1
Behavioral task: behavioral1
  Sample: 815c29c2f0574f832df3ceb02c153050.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 815c29c2f0574f832df3ceb02c153050.exe
  Resource: win10v2004-20220901-en
General
Target: 815c29c2f0574f832df3ceb02c153050.exe
Size: 328KB
MD5: 815c29c2f0574f832df3ceb02c153050
SHA1: de1ba5b27fd12a9c5a12e5e0fcf96b307b1f07eb
SHA256: 1729cc3a6ea534fa1316f61079bf2bc26562d798f7be3dfc38e70b8688ad5433
SHA512: e7cdfa9e7c382e834c521442332db389dce7da20fcac906437fd388583f1b2e189d51dceb9af4cc320662ede249e22bc793398d3f4030d92601e41f9cbf2e3cf
SSDEEP: 6144:RCc/A/f6q5he1OUREB640jNiHtnigabwVfs:RCcoX6Qhe1OU6B8jNWtiB
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
  resource:  behavioral2/memory/4180-133-0x0000000000610000-0x0000000000619000-memory.dmp
  yara_rule: family_smokeloader
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  815c29c2f0574f832df3ceb02c153050.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  815c29c2f0574f832df3ceb02c153050.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  815c29c2f0574f832df3ceb02c153050.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  4180  815c29c2f0574f832df3ceb02c153050.exe
  4180  815c29c2f0574f832df3ceb02c153050.exe
  3092  Process not Found  (this identical row is repeated for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  3092  Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4180  815c29c2f0574f832df3ceb02c153050.exe