Analysis
-
max time kernel
150s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19-10-2022 11:14
Static task
static1
Behavioral task
behavioral1
Sample
edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe
-
Size
216KB
-
MD5
06c40ed6ff6706e599656fd4af0280a0
-
SHA1
f85b0302cf06983a8dfe9417566845843e24be19
-
SHA256
edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee
-
SHA512
6420daed264db5aba86fe627b410a7100474bc1b77b79f77fa4689709ef760e59341e26052cf8bb4d3cb255b5c6aa545ef36d31d516bd0f2f2d2762e4776a98f
-
SSDEEP
3072:gLArHwG1mJNNWgKXvVMLBCViGI2uTCFsEuPMrfsv+GQVssRsTM7:gErd4WFGLBHGIssj+GQF
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1116-57-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1116 edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe 1116 edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found 1272 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1116 edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe"C:\Users\Admin\AppData\Local\Temp\edd62022ecde1069e890468d494a635614a1ec82e196bd4750994e4c2f863aee.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1116