Analysis
-
max time kernel
150s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
19/10/2022, 11:31
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
file.exe
-
Size
230KB
-
MD5
e2d70a44c2168a999e1f23ae7911cab2
-
SHA1
5dad08b13aa7135167d5dce1a0e081c98579ac53
-
SHA256
b58dd661a59e517c69e285c8af4f77ab6cfa87d2f5211a843b5b336db4f145ac
-
SHA512
55215b7d6a4f2c31604e7163d3517a7d4963f54639636c47454cce033579cfa67ee1586b6897ffc55435338c103a9e2d3b6dab43b3549e113bd836b56d1e7575
-
SSDEEP
6144:FP4cAoLPgP0Me4rbnS7iq+7ye4FJoSwdE:FP3Ao8sMeAzAUY0rK
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1192-57-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1192 file.exe 1192 file.exe 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found 1248 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1192 file.exe