Analysis
-
max time kernel
150s -
max time network
49s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
29/10/2022, 06:09
Static task
static1
Behavioral task
behavioral1
Sample
6b032f37a141755fc6c5ccb2c35c3b58.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
6b032f37a141755fc6c5ccb2c35c3b58.exe
Resource
win10v2004-20220812-en
General
-
Target
6b032f37a141755fc6c5ccb2c35c3b58.exe
-
Size
260KB
-
MD5
6b032f37a141755fc6c5ccb2c35c3b58
-
SHA1
feab8c9bacf55a56f0eb756edf0fce732d7c9ef1
-
SHA256
b0fdd48026350f8d67ef2025569f027b67ecc4ff72d2923640f4d15003e986de
-
SHA512
519783a41caa83e0e3a2f56aba3580470ba0c0519f721a59780aaa42c3fb47eb8f35ebaa8d5c409d9655f54d1ec959ec272ff0c85cdcf8a61e622b9923f3be1a
-
SSDEEP
3072:/3LrFsBYm6LjJzzf2z5bRK7/tCYZzjQX1U4RfQCLmb6fCBM/h3:nFsBb6LVzzsK4YZfsnRfQsmmKB
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource                                                                        yara_rule
behavioral1/memory/2028-56-0x0000000000220000-0x0000000000229000-memory.dmp     family_smokeloader
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description       ioc                                                  Process
Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     6b032f37a141755fc6c5ccb2c35c3b58.exe
Key enumerated    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     6b032f37a141755fc6c5ccb2c35c3b58.exe
Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     6b032f37a141755fc6c5ccb2c35c3b58.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid     Process
2028    6b032f37a141755fc6c5ccb2c35c3b58.exe
2028    6b032f37a141755fc6c5ccb2c35c3b58.exe
1400    Process not Found (this entry is repeated for all remaining IoCs in the list)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid     Process
1400    Process not Found
-
Suspicious behavior: MapViewOfSection 1 IoCs
pid     Process
2028    6b032f37a141755fc6c5ccb2c35c3b58.exe