Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/09/2022, 22:43
Static task: static1
Behavioral task: behavioral1
Sample: 8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Resource: win10v2004-20220812-en
8 signatures
150 seconds
General
Target: 8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Size: 146KB
MD5: 3c656a4ac21d3bfd1537cda5dfab57d2
SHA1: 6de0484f605f7222e4c78f0c247cbe0a49fcd502
SHA256: 8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f
SHA512: 4c53f517f0c6ac2f828b7c4a258d2ce1588f11db283e9422f4e98847d58c8a3191860c990d22431598e274c4200aa1ccdf0dfe4d0162f70910758e2963a3c69c
SSDEEP: 3072:ehBU1MZ/SWkNPR7xoGUAkGNaQPAFKxAVbSblcdNYd:KKl5oGUAkGkcAFVbSxcLi
Score: 10/10
Malware Config
Signatures
Detects Smokeloader packer (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/4772-135-0x00000000022C0000-0x00000000022C9000-memory.dmp  family_smokeloader
behavioral1/memory/4620-133-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/4620-137-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/4620-138-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
description                       pid   Process                                                               procid_target
set thread context of PID 4620    4772  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe  78
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4620  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
4620  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
3060  Process not Found
(the row "3060  Process not Found" is repeated for each of the remaining IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3060  Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
4620  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description                   pid   Process                                                               procid_target
wrote to memory of PID 4620   4772  8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe  78
(this row is repeated 6 times in total)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe"
  PID: 4772
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8060e5096b055d3a61cc2c609400acf137912bca51fde31e246b16fb398d5d6f.exe"
    PID: 4620
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection