Analysis

max time kernel: 150s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/10/2022, 23:23

Static task: static1
Behavioral task: behavioral1
Sample: b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
Resource: win10v2004-20220812-en
General

Target: b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
Size: 217KB
MD5: 5d9aed4c13b23046ddb13dea788a0d35
SHA1: 0b6bf297150d24a7c3a78bc8177d53b3b7ba362d
SHA256: b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c
SHA512: 76501dbc9f753bdf4de0d9998707cd12cf983ec060be73fb8b1f4183036f4956b6c37233ad9388d1b7d0c5bb2481689f5531638b92ff1f8365d16b271e622642
SSDEEP: 3072:H4xJWpwy90JAOULLoL43JXdbBtRK67xvf55oChdAvrUsPIuYjojYe+vIYwdrSx:YxU79fLJDRKUxvfh2vrwREse+wfdrS
Malware Config
Signatures

Detects Smokeloader packer (4 IoCs)
resource | yara_rule
behavioral1/memory/5072-133-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/3916-135-0x00000000006F0000-0x00000000006F9000-memory.dmp | family_smokeloader
behavioral1/memory/5072-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/5072-137-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3916 set thread context of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
The SCSI device enumeration under Enum\SCSI exposes the vendor and product strings of the attached (possibly virtual) disks, so malware reads it to detect hypervisors and sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
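The check behind this signature, as an added example (not SmokeLoader's code and not part of the original report): enumerate the subkeys of HKLM\SYSTEM\ControlSet001\Enum\SCSI and look for hypervisor vendor strings in the device IDs. The marker list and the sample subkey names are constructed for illustration; the `read_scsi_enum` helper reads the real key only on Windows and falls back to the constructed sample elsewhere.

```python
import sys

# Substrings that hypervisor disk enumerations commonly expose in the
# Enum\SCSI subkey names (assumed list, not taken from the sample).
VM_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "xen", "hyper-v", "msft virtual")

# Constructed subkey names: what a VMware guest and a bare-metal host might
# show under HKLM\SYSTEM\ControlSet001\Enum\SCSI.
SAMPLE_SANDBOX_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
SAMPLE_BAREMETAL_KEYS = [
    "Disk&Ven_NVMe&Prod_Samsung_SSD_970",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def vm_indicators(subkeys):
    """Return the sorted set of VM marker strings found in any subkey name."""
    found = set()
    for name in subkeys:
        low = name.lower()
        for marker in VM_MARKERS:
            if marker in low:
                found.add(marker)
    return sorted(found)


def looks_like_sandbox(subkeys):
    """True when at least one device ID carries a hypervisor marker."""
    return bool(vm_indicators(subkeys))


def read_scsi_enum(control_set="ControlSet001"):
    """Enumerate the same key the sample opened, queried and enumerated.
    Returns [] on non-Windows hosts so the example still runs offline."""
    if sys.platform != "win32":
        return []
    import winreg
    path = rf"SYSTEM\{control_set}\Enum\SCSI"
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        subkey_count = winreg.QueryInfoKey(key)[0]
        for i in range(subkey_count):
            names.append(winreg.EnumKey(key, i))
    return names


if __name__ == "__main__":
    keys = read_scsi_enum() or SAMPLE_SANDBOX_KEYS
    print("subkeys:", keys)
    print("indicators:", vm_indicators(keys), "sandbox:", looks_like_sandbox(keys))
```

A sandbox that rewrites these vendor strings in its virtual disk configuration defeats the check, which is why a detection based on the registry access itself (open, query and enumerate of Enum\SCSI by a process in the user's Temp directory) is more robust than trying to hide the strings.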
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
5072 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
5072 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
2376 | Process not Found (remaining 62 entries, all identical)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2376 | Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
5072 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
PID 3916 wrote to memory of 5072 | 3916 | b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe | 79
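Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures and the family_smokeloader yara hits describe one chain: PID 3916 starts a second copy of its own image (PID 5072), writes into it six times, redirects a thread there, and the unpacked payload then shows up in the child at 0x400000-0x409000. The script below is an added example of correlating those per-event signatures into that chain; it is not the sandbox's own logic. The event records are constructed from the tables in this report, and the field names and the "writes plus thread-context on the same target" rule are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe"


@dataclass(frozen=True)
class Event:
    pid: int      # acting process
    op: str       # operation name as the sandbox labels it
    target: int   # target pid, 0 when the operation has no target process
    image: str    # image path of the acting process


# Constructed from the signature tables and the process tree in this report.
EVENTS = [
    Event(3916, "CreateProcess", 5072, IMAGE),
    *[Event(3916, "WriteProcessMemory", 5072, IMAGE) for _ in range(6)],
    Event(3916, "SetThreadContext", 5072, IMAGE),
    Event(5072, "MapViewOfSection", 0, IMAGE),
    Event(5072, "RegOpenKey", 0, IMAGE),
]

# The four family_smokeloader yara matches, named as the report names the dumps.
DUMPS = [
    "behavioral1/memory/5072-133-0x0000000000400000-0x0000000000409000-memory.dmp",
    "behavioral1/memory/3916-135-0x00000000006F0000-0x00000000006F9000-memory.dmp",
    "behavioral1/memory/5072-136-0x0000000000400000-0x0000000000409000-memory.dmp",
    "behavioral1/memory/5072-137-0x0000000000400000-0x0000000000409000-memory.dmp",
]

_DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name):
    """Split a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' name into (pid, start, end)."""
    m = _DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def yara_hits_by_pid(names):
    """Map pid -> sorted list of distinct (start, end) regions the rule matched."""
    regions = defaultdict(set)
    for n in names:
        pid, start, end = parse_dump_name(n)
        regions[pid].add((start, end))
    return {pid: sorted(r) for pid, r in regions.items()}


def find_injection_chains(events):
    """Return parent->child pairs where the parent both wrote the child's memory
    and set a thread context in it. self_image flags the 'spawn a copy of
    yourself and overwrite it' hollowing pattern seen in this report."""
    writes = defaultdict(int)
    ctx = set()
    images = {}
    for e in events:
        images.setdefault(e.pid, e.image)
        if e.op == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.op == "SetThreadContext":
            ctx.add((e.pid, e.target))
    chains = []
    for parent, child in sorted(ctx):
        if writes.get((parent, child)):
            chains.append({
                "parent": parent,
                "child": child,
                "writes": writes[(parent, child)],
                "self_image": images.get(parent) == images.get(child),
            })
    return chains


def triage(events, dump_names):
    """Join each chain with the yara hits: regions matched inside the child are
    the payload the parent wrote there."""
    hits = yara_hits_by_pid(dump_names)
    return [{**c, "payload_regions": hits.get(c["child"], [])}
            for c in find_injection_chains(events)]


if __name__ == "__main__":
    for row in triage(EVENTS, DUMPS):
        print(row)
```

The parent's own hit at 0x6F0000-0x6F9000 is the same 0x9000-byte payload before it was written into the child, which is why the yara rule fires in both processes; the child's hit sits at 0x400000, the conventional image base of a 32-bit PE, consistent with the x86 tag on the resource. For live detection the same rule maps onto Sysmon: a process creating a child with its own image path, followed by WriteProcessMemory and SetThreadContext into that child from the same parent.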
Processes

C:\Users\Admin\AppData\Local\Temp\b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe "C:\Users\Admin\AppData\Local\Temp\b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe"
  PID: 3916
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe "C:\Users\Admin\AppData\Local\Temp\b04730e2d55e6742d7b52b05cb7b5f5fcedafe4db616229445ee27cbe32f045c.exe" (child of PID 3916)
    PID: 5072
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection