Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08/10/2022, 22:25
Static task
static1
Behavioral task
behavioral1
Sample
4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
Resource
win10v2004-20220901-en
General
-
Target
4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
-
Size
270KB
-
MD5
49f3c2d2fdb5040098e9a8ed102ebf93
-
SHA1
e4b4412ba00656f3f7b2a480d1e24e7edd5bf6cc
-
SHA256
4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa
-
SHA512
9ed3531a4f2d9b981af1f4742e9cc84ec042723c7fbf8825d36d7e918257d5dc93da081fd8668f8cfd7e1cfef93bf88d03f249dca2d7b784ee9d9a0da33723b6
-
SSDEEP
3072:IXK2+eOz7w2w7x/fBzedh9DUCrh5Iqbr5dS37qaNAeuF8QIHKLyaM/h3qpZa9uDQ:cZ+zu7xg9DmWS7qLeuF85qLTrwVfX
Malware Config
Signatures
-
Detects Smokeloader packer 4 IoCs
resource / yara_rule
behavioral1/memory/1356-133-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader
behavioral1/memory/384-135-0x00000000006A0000-0x00000000006A9000-memory.dmp family_smokeloader
behavioral1/memory/1356-136-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader
behavioral1/memory/1356-137-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext 1 IoCs
description / pid / Process / procid_target
PID 384 set thread context of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
Read together with the WriteProcessMemory entries below, this is the self-injection (process hollowing) sequence: the first instance (PID 384) starts a second copy of its own image (PID 1356), writes into it and then redirects the child's thread with SetThreadContext. The family_smokeloader YARA hit on PID 1356's 0x400000-0x409000 region is consistent with that written region holding the unpacked SmokeLoader stage. -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments: the device instance names under Enum\SCSI carry the disk vendor and model string, which on a virtual machine usually names the hypervisor (for example VMware, VBOX or QEMU).
description / ioc / Process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process
1356 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
1356 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe
3048 Process not Found (the remaining rows, 62 of the 64 IoCs, are all this identical entry; PID 3048 is a process the sandbox could not resolve to an image) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid / Process
3048 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid / Process
1356 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description / pid / Process / procid_target
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
PID 384 wrote to memory of 1356 384 4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe 85
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe (PID 384)
   command line: "C:\Users\Admin\AppData\Local\Temp\4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe (PID 1356, child of PID 384, same image)
      command line: "C:\Users\Admin\AppData\Local\Temp\4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
-
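As an added example (not part of this report and not the sandbox's own tooling), the following Python script turns the WriteProcessMemory and SetThreadContext tables above into a detection for the self-injection pattern shown by PIDs 384 and 1356: it groups the report's "PID X wrote to memory of Y" and "PID X set thread context of Y" lines by (source, target) pair and flags a pair only when both verbs are present, then classifies the hit by whether source and target share an image. The line format, the sample lines and the pid-to-image map are assumptions modelled on this page's tables, not data exported from the sandbox.

```python
"""Flag process-hollowing style injection from sandbox IoC lines.

Added example for this report; the parsed line format and the
pid -> image map are assumptions modelled on the page's tables.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

SAMPLE_NAME = "4245e74e8e4b9ab9f52c655e194b66b5b37a2a242da1cca1250f1458561399fa.exe"
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_NAME

# Constructed from the report's tables: six writes and one
# thread-context change from PID 384 into its child PID 1356.
SAMPLE_LINES = (
    [f"PID 384 wrote to memory of 1356 384 {SAMPLE_NAME} 85"] * 6
    + [f"PID 384 set thread context of 1356 384 {SAMPLE_NAME} 85"]
)

# Constructed pid -> image map taken from the report's process tree.
SAMPLE_IMAGES: Dict[int, str] = {
    384: SAMPLE_EXE,
    1356: SAMPLE_EXE,
    3048: "Process not Found",
}

# Only the leading "PID <src> <verb> <dst>" part of a row is needed.
LINE_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+)"
)
HOLLOWING_VERBS = {"wrote to memory of", "set thread context of"}


def parse_events(lines: Iterable[str]) -> Dict[Tuple[int, int], Dict[str, int]]:
    """Count each verb per (source pid, target pid); skip lines that do not match."""
    events: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events[(int(m["src"]), int(m["dst"]))][m["verb"]] += 1
    return events


def find_injection(lines: Iterable[str], images: Dict[int, str]) -> List[dict]:
    """Return one finding per pid pair that shows BOTH a memory write and a
    thread-context change. Same image on both sides means the loader
    hollowed a copy of itself; a different image means a foreign target."""
    findings: List[dict] = []
    for (src, dst), verbs in parse_events(lines).items():
        if not HOLLOWING_VERBS.issubset(verbs):
            continue  # writes alone (or context changes alone) are not enough
        same_image = images.get(src) == images.get(dst)
        findings.append({
            "source": src,
            "target": dst,
            "writes": verbs["wrote to memory of"],
            "kind": "self-injection" if same_image else "cross-process injection",
            "target_image": images.get(dst, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in find_injection(SAMPLE_LINES, SAMPLE_IMAGES):
        print(f"{f['kind']}: PID {f['source']} -> PID {f['target']} "
              f"({f['writes']} writes) into {f['target_image']}")
```

On the lines from this report the script reports one self-injection, 384 into 1356 with six writes. Requiring both verbs keeps a lone WriteProcessMemory (a debugger, a crash handler) from firing; the same-image test is what distinguishes a loader unpacking into its own child, as here, from injection into an unrelated process.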