Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-10-2022 17:43
Static task: static1
Behavioral task: behavioral1
Sample: 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
Resource: win10v2004-20220901-en
General
Target: 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
Size: 269KB
MD5: 425538af8e268eb8ec8ca9fb3b0ac920
SHA1: 066c6045c4691db9b3a51ea6e470e15c670ac3a3
SHA256: 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8
SHA512: 02817db2f5b0a42e8e3890dc697bc5844e3e48fcf55175ac43cc2a89939b5126fca548b520f8b302eef9f22cc7450037e5836df2e9e0e7d26c3f4eb42f79ab24
SSDEEP: 3072:FXKzdB+R/C+Y6N2ykWAKHga5q8Ukr4KD9YevTKq+ysUEr6PNM/h3qpZa9uD6VdyX:BwdB+RjKWAKEY829VTKq9s5KNrwVfXQ
Malware Config
Signatures
Detects Smokeloader packer (4 IoCs)
resource | yara_rule
behavioral1/memory/2700-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/4940-135-0x00000000006A0000-0x00000000006A9000-memory.dmp | family_smokeloader
behavioral1/memory/2700-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/2700-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4940 set thread context of 2700 | 4940 | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe | 85
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2700 | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
2700 | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
3048 | Process not Found (this identical row accounts for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3048 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2700 | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4940 wrote to memory of 2700 | 4940 | 5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe | 85 (this identical row is listed 6 times)
Processes
C:\Users\Admin\AppData\Local\Temp\5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe"
  PID: 4940
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  child process:
  C:\Users\Admin\AppData\Local\Temp\5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5c5f40f2a55e2c1fb578d60da9a61bae184c7c6aca69d92b8fa76cf37430d2d8.exe"
    PID: 2700
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection