Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05/10/2022, 17:19
Static task
static1
Behavioral task
behavioral1
Sample
2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe
-
Size
271KB
-
MD5
732e0ec093620377e172f4c361f95cdd
-
SHA1
e0060884ab06c5ba12f3351012544a3459441eff
-
SHA256
2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e
-
SHA512
3cd6db0c21d7edc33497f6c9c953d80890636ff09841d71bfd632badf3d54d708910dba1efdca8929ec88a2e7256984d7090825a69d678cbf1003804edefb1c7
-
SSDEEP
6144:u36DMBLUaZ+Rmn8jeiTWGmuzbgwuitqwVfUl:uJBAaZJn8jtqbunntYl
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 4 IoCs
resource yara_rule behavioral1/memory/2816-133-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/3740-135-0x0000000000590000-0x0000000000599000-memory.dmp family_smokeloader behavioral1/memory/2816-136-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader behavioral1/memory/2816-137-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3740 set thread context of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2816 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 2816 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found 3060 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3060 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2816 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83 PID 3740 wrote to memory of 2816 3740 2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe"C:\Users\Admin\AppData\Local\Temp\2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe"C:\Users\Admin\AppData\Local\Temp\2815e8ff95e35e002b489581d1d8642b73a33ed86a64941f6baa2f9099afb57e.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2816
-