Analysis
max time kernel: 162s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2022 01:32
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20220812-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20220812-en)
General
Target: file.exe
Size: 132KB
MD5: 926238fef3b1f2cec926608a5a11afee
SHA1: 14179ceb2bf3450c48dc8259d9cad24956274459
SHA256: eb1f43e5e0a9668d7c25cc6fe98c6b17c75c3c0b333b2721b5a2d95458bd022c
SHA512: 03cac8b5ee7603bb38ea4262156031603fd37e026100091da20eb9525dd87502daa2cd4c4b761379078285f72199e661eb07a9ff13215ae02120c4468122022f
SSDEEP: 1536:mn3rA49bsX+CORTIqrIubtij59C4GjHRWz8Twefz8WEI5dTvH2nzIL5ahEmkVZ45:mn3EOWORlr5tiS43YTlzhDdTyzI1H4
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
resource: behavioral1/memory/784-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader
The rule matched a 36KB region dumped from pid 784 in the Windows 7 run, not the file on disk, so the hashes in the General section identify the packed dropper rather than the unpacked SmokeLoader code.
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
The device identifiers under the SCSI enumeration key carry the disk vendor and product strings; on a virtual machine these name the hypervisor's emulated disk, so malware reads them to detect sandboxes and analysis VMs.
Processes:
description  ioc  process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  file.exe
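The check behind this signature, as an added example that is not part of the report or of the sample: a PowerShell function that walks the same SCSI enumeration key (via the CurrentControlSet alias rather than the ControlSet001 path the sample used) and reports any device identifier that carries a hypervisor vendor string. The marker list, function name and output shape are assumptions for illustration; the report does not state which strings the sample compares against.

```powershell
# Added example, not code from the report or the sample. Vendor markers are an
# assumption drawn from common virtual-disk identifiers (e.g. Disk&Ven_VBOX&Prod_HARDDISK
# on VirtualBox, Ven_VMware on VMware guests); extend the list for your own lab images.
$VmMarkers = @('VBOX', 'VMWARE', 'QEMU', 'VIRTUAL', 'XEN', 'HYPER-V')

function Get-ScsiVmIndicators {
    param(
        # The sample opened ControlSet001 directly; CurrentControlSet is the live alias
        # for whichever control set is active, so it resolves to the same data here.
        [string]$ScsiKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
    )
    $hits = @()
    # First level: one subkey per device class/vendor/product, e.g. Disk&Ven_VBOX&Prod_HARDDISK
    foreach ($dev in Get-ChildItem -Path $ScsiKey -ErrorAction SilentlyContinue) {
        $devName = $dev.PSChildName
        # Second level: one subkey per device instance, holding FriendlyName, Mfg, HardwareID (multi-string)
        foreach ($inst in Get-ChildItem -Path $dev.PSPath -ErrorAction SilentlyContinue) {
            $props  = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            $fields = @($devName, $props.FriendlyName, $props.Mfg) + @($props.HardwareID)
            foreach ($f in ($fields | Where-Object { $_ })) {
                $u = $f.ToString().ToUpperInvariant()
                foreach ($m in $VmMarkers) {
                    if ($u.Contains($m)) {
                        $hits += [pscustomobject]@{ Device = $devName; Field = $f; Marker = $m }
                    }
                }
            }
        }
    }
    return $hits
}

$r = Get-ScsiVmIndicators
if ($r) { $r | Format-Table -AutoSize } else { 'No hypervisor markers found under the SCSI enum key.' }
```

Run it inside the analysis VM to see exactly what the sample could learn from this key; on bare metal it normally returns nothing. Note that plain open, enumerate and query operations like the three logged above are not recorded by Sysmon's registry events (12 to 14 cover key create/delete, value set and rename), so this behaviour is usually only visible through a sandbox or API hooking, not from endpoint telemetry.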
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process
784  file.exe
784  file.exe
1360  (process name not recorded; 62 entries)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid  process
784  file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description  pid  process
Token: SeShutdownPrivilege  1360  (process name not recorded)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process
1360  (process name not recorded)
1360  (process name not recorded)
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid  process
1360  (process name not recorded)
1360  (process name not recorded)
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp  Filesize 8KB
memory/784-55-0x000000000071D000-0x000000000072E000-memory.dmp  Filesize 68KB
memory/784-56-0x0000000000220000-0x0000000000229000-memory.dmp  Filesize 36KB
memory/784-57-0x0000000000400000-0x000000000057E000-memory.dmp  Filesize 1.5MB
memory/784-58-0x0000000000400000-0x000000000057E000-memory.dmp  Filesize 1.5MB