Analysis

max time kernel: 155s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/11/2022, 23:03

Static task: static1
Behavioral task: behavioral1
Sample: 8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Resource: win10v2004-20220812-en
8 signatures, 150 seconds
General

Target: 8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Size: 339KB
MD5: d1657cc8c05209c91af88f0241819402
SHA1: df820b6ff5a265958cb3fad01fb185a6622a031c
SHA256: 8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361
SHA512: 21b822c3b1802ce68fce613aa9313e0f71c8aad9c631d409c84c1b2e8dfe01cbe9780b15325dcd9c8865a8888f50038e6acd9e585c670f3aba28f737b89a5929
SSDEEP: 6144:wnW3WsyAjF/5aSWkKMwDaEoCsT7ITsq/:wnElyAjVYSzr63M7
Score: 10/10
Malware Config
Signatures
-
Detects Smokeloader packer (4 IoCs)
resource  yara_rule
behavioral1/memory/4364-134-0x0000000002C50000-0x0000000002C59000-memory.dmp  family_smokeloader
behavioral1/memory/3008-136-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/3008-138-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
behavioral1/memory/3008-139-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of SetThreadContext (1 IoC)
description: PID 4364 set thread context of 3008 (pid 4364, process 8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe, procid_target 79)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device identifiers under Enum\SCSI carry the virtual disk's vendor string (for example a VMware or VirtualBox disk), which malware compares against a list of known virtualization products before unpacking.
description      ioc                                                  Process
Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI     8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
3008  8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
3008  8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
2724  Process not Found (the remaining 62 IoCs are all this same entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid 2724  Process not Found
Suspicious behavior: MapViewOfSection (1 IoC)
pid 3008  8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 4364 wrote to memory of 3008 (pid 4364, process 8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe, procid_target 79), recorded six times with identical values
Processes

1. C:\Users\Admin\AppData\Local\Temp\8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe"
   PID: 4364
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe (child of PID 4364)
      command line: "C:\Users\Admin\AppData\Local\Temp\8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe"
      PID: 3008
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
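The signatures and the process tree above describe one injection chain: the parent (PID 4364) launches a second copy of itself, writes into it and replaces a thread context there (WriteProcessMemory + SetThreadContext, the classic process-hollowing sequence), and the child (PID 3008) reads the SCSI enumeration key before the unpacked SmokeLoader stub runs. The Python below is an added example, not part of the sandbox report or of SmokeLoader: it reconstructs that chain and the anti-sandbox probe from the report's own IoC rows (embedded as constructed input copied from the page) and then checks the YARA memory hits for the tell-tale sign of hollowing, a region of the same size appearing first in the parent at a non-image address and then in the child at its image base. The line format the regular expressions expect, the function names and the `image_base=0x400000` default are my own assumptions.

```python
"""Reconstruct the self-injection chain and anti-sandbox probe from sandbox IoC rows.
Added example: the row format, the regexes and the 0x400000 image-base default are
assumptions about the report, not facts the report states."""
import re
from collections import defaultdict

SAMPLE = "8574ed9d742ab7a3f83fa2ec354cf09757186974617d64bcb5a5a4ac09c48361.exe"

# Constructed input: the report's signature rows, one event per line, copied from the page.
EVENTS = [
    f"PID 4364 wrote to memory of 3008 {SAMPLE} 79",
    f"PID 4364 wrote to memory of 3008 {SAMPLE} 79",
    f"PID 4364 set thread context of 3008 {SAMPLE} 79",
    f"Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {SAMPLE}",
    f"Key queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {SAMPLE}",
    f"Key enumerated \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {SAMPLE}",
]

# Constructed input: the four family_smokeloader YARA hits from the report.
YARA_HITS = [
    "behavioral1/memory/4364-134-0x0000000002C50000-0x0000000002C59000-memory.dmp",
    "behavioral1/memory/3008-136-0x0000000000400000-0x0000000000409000-memory.dmp",
    "behavioral1/memory/3008-138-0x0000000000400000-0x0000000000409000-memory.dmp",
    "behavioral1/memory/3008-139-0x0000000000400000-0x0000000000409000-memory.dmp",
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)\b")
REG_RE = re.compile(r"^Key (opened|queried|enumerated) (\\REGISTRY\\\S+) (\S+)$")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def detect_hollowing(events):
    """Return sorted (writer, target) pairs where one process both wrote the target's
    memory and then replaced a thread context in it. Either call alone is common in
    benign software (debuggers, loaders); the pair on the same target is the hollowing
    signal worth alerting on."""
    writers = defaultdict(set)
    for line in events:
        m = WRITE_RE.match(line)
        if m:
            writers[int(m.group(1))].add(int(m.group(2)))
    pairs = set()
    for line in events:
        m = CTX_RE.match(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if dst in writers[src]:
                pairs.add((src, dst))
    return sorted(pairs)


def detect_sandbox_probe(events):
    """Map each process name to the kinds of access it made to the Enum\\SCSI key."""
    probes = defaultdict(set)
    for line in events:
        m = REG_RE.match(line)
        if m and m.group(2).upper().endswith("\\ENUM\\SCSI"):
            probes[m.group(3)].add(m.group(1))
    return dict(probes)


def parse_dump(resource):
    """Split a '<pid>-<n>-0x<start>-0x<end>-memory.dmp' resource name into its parts."""
    m = DUMP_RE.search(resource)
    if not m:
        raise ValueError(f"not a memory-dump resource: {resource}")
    pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
    return {"pid": pid, "start": start, "end": end, "size": end - start}


def regions_by_pid(hits):
    """Deduplicate YARA hits into one sorted list of (start, end) regions per PID."""
    regions = defaultdict(set)
    for r in hits:
        d = parse_dump(r)
        regions[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(v) for pid, v in regions.items()}


def payload_moved_to_image_base(hits, chain, image_base=0x400000):
    """True when the target holds, at its image base, a region of exactly the size the
    writer holds elsewhere: the unpacked stub staged in the parent has overwritten the
    child's original image. image_base=0x400000 is an assumed default (the address the
    report's hits show), not something read from the PE header."""
    regions = regions_by_pid(hits)
    for src, dst in chain:
        src_sizes = {e - s for s, e in regions.get(src, [])}
        for s, e in regions.get(dst, []):
            if s == image_base and (e - s) in src_sizes:
                return True
    return False


if __name__ == "__main__":
    chain = detect_hollowing(EVENTS)
    print("hollowing chain (writer, target):", chain)
    print("SCSI key probes:", detect_sandbox_probe(EVENTS))
    for pid, regs in regions_by_pid(YARA_HITS).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({e - s:#x} bytes)" for s, e in regs])
    print("payload relocated to image base:", payload_moved_to_image_base(YARA_HITS, chain))
```

Run as a script it reports the single (4364, 3008) pair, the three access kinds on the SCSI key, a 0x9000-byte region at 0x2C50000 in the parent and the same-sized region at 0x400000 in the child. The size match is the useful corroboration: the sandbox tags both dumps as SmokeLoader, and the addresses show the unpacked stub first lives in parent heap memory and then replaces the child's executable image, which is why the child, not the parent, shows the SCSI check and the MapViewOfSection activity.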