Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2022 02:23

Static task: static1

Behavioral task: behavioral1
Sample: 1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
Resource: win10v2004-20220812-en
General

Target: 1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
Size: 146KB
MD5: c996f2ce94b5a591d26be7f60a9a9ab8
SHA1: 1fe10b561ff6012f2b210c5cc77a56c0bf8dcb94
SHA256: 1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e
SHA512: e9bbedf1bc7de70e7add149586660871bf58ad4a073fa4e0f4de01c1460cbbd512d6db0349befde7bcdcba4221c8bfd39fc107cb007d2569e9654e47bc142631
SSDEEP: 1536:ZKWU+QJ8cU3J/Tscctrp2PRaZBihhV7adc9sGpBFIMKJuYmOrk5OlmI4d:ZKWUjM22PRgBiT7sGpBXaZkQl+d
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource                                                              yara_rule
  behavioral1/memory/2876-133-0x00000000006E0000-0x00000000006E9000-memory.dmp  family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                              Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2876  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
  2876  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
  2740  Process not Found
  (all remaining IoCs in this signature are identical: pid 2740, Process not Found)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2740  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2876  1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1eaa5660c4788cb14faa2020027f7cbf4f1398bf74ebdb862b548246b0dd111e.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 2876