Analysis
max time kernel: 154s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14/10/2022, 22:36
Static task: static1
Behavioral task: behavioral1
Sample: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe
Resource: win10v2004-20220901-en
General
Target: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe
Size: 215KB
MD5: 69915ce48f0fe497dadf17029b30cff4
SHA1: fdff238c75541b81e281948c33abd974987ae776
SHA256: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b
SHA512: 77e1d5d2c2f9729e5f94d0f012ecfca3c3d1d9c8c1444bab8dfc8ea405ccda6e7d8b904b042528693f9ad8613119ce23eb63d533b86d5bf868e5f3fd28aabc80
SSDEEP: 3072:zVW/p+5D5zopLjgJ1A6t81XofZgOAFyMw12J3XqrywjRuSWO:zM8iLjg1Aa+RyMw129pwsSW
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
resource: behavioral1/memory/1920-56-0x0000000000220000-0x0000000000229000-memory.dmp
yara_rule: family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
The SCSI device enumeration under HKLM\SYSTEM exposes disk vendor/product identifiers; malware often reads it to detect virtualised sandbox environments.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe)
Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe)
Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process
1920 ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe (2 entries)
1256 Process not Found (remaining 62 entries; the sandbox could not attribute PID 1256 to a monitored process)
Suspicious behavior: MapViewOfSection (1 IoC)
pid Process
1920 ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe"
PID: 1920
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
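The "Checks SCSI registry key(s)" signature above is easy to reproduce outside the sandbox. The following script is an added example, not part of this report or of the sandbox's own code: it applies the same rule (one process opens, queries and enumerates the Enum\SCSI key) to a Procmon CSV export, accepting both the NT-native path form the report shows and the HKLM form Procmon shows, and checks the enumerated subkey names for hypervisor vendor strings. The log lines are constructed for the example (the 1920 rows mirror the report's three IoCs; the other processes and PIDs are invented benign noise), and the vendor marker list is an assumption an analyst would extend.

```python
"""Detect registry-based SCSI fingerprinting in Procmon CSV exports.

Added example, not part of the sandbox report: the report records the sample
opening, querying and enumerating
\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI, the key whose subkey
names carry disk vendor/product identifiers that give away a hypervisor.
The log lines below are constructed; VM_MARKERS is an assumed, analyst-
maintained list.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed Procmon-style CSV export (default Procmon column set).
# Rows for PID 1920 mirror the report; the other rows are benign noise.
SAMPLE_LOG = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"22:36:01.0001","svchost.exe","812","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName","SUCCESS","Type: REG_SZ, Length: 40, Data: Windows 7 Enterprise"
"22:36:02.1000","ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe","1920","RegOpenKey","HKLM\System\CurrentControlSet\Enum\SCSI","SUCCESS","Desired Access: Read"
"22:36:02.1002","ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe","1920","RegQueryKey","HKLM\System\CurrentControlSet\Enum\SCSI","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"22:36:02.1004","ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe","1920","RegEnumKey","HKLM\System\CurrentControlSet\Enum\SCSI","SUCCESS","Index: 0, Name: Disk&Ven_VMware&Prod_Virtual_disk"
"22:36:02.1006","ef3212d415f79fdc069b605fb6dc615528115bcd0ce86f6e8ce60e0807d9d33b.exe","1920","RegEnumKey","HKLM\System\CurrentControlSet\Enum\SCSI","NO MORE ENTRIES","Index: 1, Length: 528"
"22:36:03.2000","SearchIndexer.exe","2040","RegOpenKey","HKLM\System\CurrentControlSet\Enum\USB","SUCCESS","Desired Access: Read"
'''

# Accept the NT-native form the sandbox reports (\REGISTRY\MACHINE\...) and
# the HKLM form Procmon shows; ControlSet001 and CurrentControlSet are the same tree.
SCSI_TREE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\"
    r"(?:CurrentControlSet|ControlSet\d{3})\\Enum\\SCSI(?:\\|$)",
    re.IGNORECASE,
)

# Procmon operation -> the wording used in the report's IoC table.
OP_LABEL = {
    "RegOpenKey": "opened",
    "RegQueryKey": "queried",
    "RegQueryValue": "queried",
    "RegEnumKey": "enumerated",
}

# Substrings of Enum\SCSI device IDs that betray a hypervisor. Assumption:
# commonly seen values (e.g. Disk&Ven_VMware&Prod_Virtual_disk); extend as needed.
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen", "virtual")
ENUM_NAME = re.compile(r"\bName:\s*([^,]+)")


def parse_events(csv_text):
    """Parse a Procmon CSV export into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def scsi_access_report(csv_text):
    """Group Enum\\SCSI registry accesses per process.

    Returns {(process_name, pid): {"ops": set of opened/queried/enumerated,
    "vm_markers": set of enumerated device IDs that match VM_MARKERS}}.
    """
    hits = defaultdict(lambda: {"ops": set(), "vm_markers": set()})
    for ev in parse_events(csv_text):
        if not SCSI_TREE.match(ev["Path"]):
            continue
        label = OP_LABEL.get(ev["Operation"])
        if label is None:
            continue
        key = (ev["Process Name"], int(ev["PID"]))
        hits[key]["ops"].add(label)
        if ev["Operation"] == "RegEnumKey":
            m = ENUM_NAME.search(ev["Detail"])
            if m and any(tok in m.group(1).lower() for tok in VM_MARKERS):
                hits[key]["vm_markers"].add(m.group(1).strip())
    return dict(hits)


def is_sandbox_fingerprinting(entry):
    """The report's triad: one process opens, queries and enumerates the key."""
    return {"opened", "queried", "enumerated"} <= entry["ops"]


if __name__ == "__main__":
    for (name, pid), entry in scsi_access_report(SAMPLE_LOG).items():
        verdict = "FINGERPRINTING" if is_sandbox_fingerprinting(entry) else "touched"
        print(f"{verdict}: {name} (PID {pid}) {sorted(entry['ops'])} "
              f"hypervisor IDs seen: {sorted(entry['vm_markers']) or 'none'}")
```

Run against a real export with `scsi_access_report(open("Logfile.CSV").read())`. The benign rows are deliberately included: a process that merely opens a sibling key (Enum\USB) or reads an unrelated value is not reported, while the sample is flagged both for the open/query/enumerate triad and for the VMware disk identifier it enumerated.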