Analysis

max time kernel: 150s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10/10/2022, 17:59

Static task: static1
Behavioral task: behavioral1
  Sample: 2e42b0bed4d0228cde60b27436b54eef.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 2e42b0bed4d0228cde60b27436b54eef.exe
  Resource: win10v2004-20220812-en
General

Target: 2e42b0bed4d0228cde60b27436b54eef.exe
Size: 275KB
MD5: 2e42b0bed4d0228cde60b27436b54eef
SHA1: 0ad015065304467a659575eca8e322485982eda2
SHA256: 7e24caf0355d2816bec83ce942643a52213d676f5ebf03f2ff40d46c2af8ce21
SHA512: 1519f668f81b7fc412e29c0726b7c46a216dc8adb64117eb7533d8e0cc2e676a2510965d022e255384cf54d5b6c0f33c33ca0e38fef255bf5d21228f64300e27
SSDEEP: 3072:uXrN9JMhlH3THrjUggq5fbn8+F2XNrEuZ29rBFrDv2i2bC0QhOM/h3qpZa9uD6Vq:2Z9JMTHbEYbnOXWNzr7HHhOrwVfquS
Malware Config
Signatures

All signature hits listed on this page come from behavioral1 (the Windows 7 x64 run); no behavioral2 hits are shown.

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/1652-56-0x0000000000220000-0x0000000000229000-memory.dmp
  yara_rule: family_smokeloader
  Note: the rule matched a memory dump of the sample's own process (pid 1652), a 0x9000-byte (36 KB) region at 0x220000-0x229000, not the 275 KB file on disk. That is where the packer left the unpacked SmokeLoader stage, so a static scan of the dropped file with the same rule may not fire; hunting for it should target process memory.

SmokeLoader
  Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the device instance names under Enum\SCSI embed the disk controller's vendor and product strings, which on a virtual machine name the hypervisor (VBOX, VMware, QEMU and the like).
  description      | ioc                                               | process
  Key opened       | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2e42b0bed4d0228cde60b27436b54eef.exe
  Key queried      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2e42b0bed4d0228cde60b27436b54eef.exe
  Key enumerated   | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 2e42b0bed4d0228cde60b27436b54eef.exe
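The following is an added detection example, not part of the sandbox report or the sandbox's own signature code. It runs over a constructed registry trace whose lines mirror the IoC table above (pid, image, operation, key) and flags non-allowlisted processes that read hardware-enumeration keys. The Enum\SCSI pattern is the one the report shows; the sibling keys (Enum\IDE, Services\Disk\Enum, SystemBiosVersion) are added as a generalisation of the same anti-VM check. Every trace line, the allowlist and the line format are assumptions made for illustration.

```python
"""Flag processes that read registry keys used for VM/sandbox fingerprinting.

Added example for this report, not sandbox code. The trace lines, the
allowlist and the tab-separated line format are all constructed.
"""
import re
from collections import Counter, defaultdict

# Keys whose *reads* are a classic hardware-fingerprinting step: the device
# instance names beneath them embed the (virtual) controller vendor string.
HW_ENUM_PATTERNS = [
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI\b",  # seen in the report
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\IDE\b",   # generalisation
    r"\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\Disk\\Enum\b",
    r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion\b",
]
HW_ENUM_RE = re.compile("|".join(HW_ENUM_PATTERNS), re.IGNORECASE)

# Only read-type operations matter; PnP writes to these keys are normal.
READ_OPS = {"Key opened", "Key queried", "Key enumerated", "Value read"}

# Assumed allowlist of images that legitimately walk device enumeration keys.
BENIGN_IMAGES = {"svchost.exe"}

# Constructed trace line format: pid <TAB> image <TAB> operation <TAB> key
LINE_RE = re.compile(r"^(?P<pid>\d+)\t(?P<image>[^\t]+)\t(?P<op>[^\t]+)\t(?P<key>.+)$")

SAMPLE = "2e42b0bed4d0228cde60b27436b54eef.exe"
SCSI_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"

# Constructed trace: the sample's three SCSI reads from the report, plus
# noise and edge cases (benign reader, write op, unnamed pid, malformed line).
SAMPLE_TRACE = "\n".join([
    f"1652\t{SAMPLE}\tKey opened\t{SCSI_KEY}",
    f"1652\t{SAMPLE}\tKey queried\t{SCSI_KEY}",
    f"1652\t{SAMPLE}\tKey enumerated\t{SCSI_KEY}",
    f"1652\t{SAMPLE}\tKey opened\t\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
    "1256\tProcess not Found\tKey queried\t\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    "3012\tsvchost.exe\tKey enumerated\t\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\SCSI",
    "4100\tsetup.exe\tKey set\t\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VBOX",
    "garbage line with no tabs",
])


def parse_trace(text):
    """Parse trace lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_hw_enum_reads(events, allowlist=BENIGN_IMAGES):
    """Map (pid, image) -> Counter{key: reads} for non-allowlisted processes
    that performed a read-type operation on a hardware-enumeration key."""
    hits = defaultdict(Counter)
    for ev in events:
        if ev["op"] not in READ_OPS:
            continue
        if ev["image"].lower() in allowlist:
            continue
        if HW_ENUM_RE.search(ev["key"]):
            hits[(int(ev["pid"]), ev["image"])][ev["key"]] += 1
    return dict(hits)


def summarize(hits):
    """Flatten hits into (pid, image, key, reads) rows, most reads first."""
    rows = [(pid, img, key, n) for (pid, img), c in hits.items() for key, n in c.items()]
    return sorted(rows, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    for pid, img, key, n in summarize(find_hw_enum_reads(parse_trace(SAMPLE_TRACE))):
        print(f"pid {pid:>5}  {img:<40}  {n} read(s) of {key}")
```

Two practical caveats: the logic needs telemetry that records key opens and queries, which an API-monitor or sandbox trace provides but Sysmon's registry events (EventID 12/13/14 cover create, delete, set and rename) do not, so on an endpoint the source would have to be the kernel registry ETW provider or an EDR that logs reads. And a bare read of Enum\SCSI is not malicious on its own; the signal is a freshly dropped, non-system image doing it, which is why the allowlist exists and why pid 1256 above, a process the trace could not name, is still reported rather than ignored.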
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | process                               | events
  1652 | 2e42b0bed4d0228cde60b27436b54eef.exe | 2
  1256 | Process not Found                     | 62
  Note: pid 1256 is a process the sandbox could not resolve to an image name. Sixty-two process-enumeration events from an unnamed process, following the sample's own two and the MapViewOfSection event below, are consistent with execution having moved out of the sample into another process, but the report does not identify that process.
Suspicious behavior: MapViewOfSection (1 IoC)
  pid  | process
  1652 | 2e42b0bed4d0228cde60b27436b54eef.exe
  Note: mapping a section view is the primitive behind section-based process injection (a section object created in one process and mapped into another); the report records only that the sample triggered it, not the target.