Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
05-11-2022 10:35
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
windows7-x64
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
17 signatures
150 seconds
General
-
Target
file.exe
-
Size
286KB
-
MD5
be50ca237f863bdba5da3a8611d35bc2
-
SHA1
ed2cecd55057023782f216aeb296a3a7eae0f92f
-
SHA256
ede1c9f32404351fc3dbd389b7dc0734b95586f2827dffa01dc0482549855202
-
SHA512
536e2dff104fd043441a1a48531e4e86039165d28b342a7f550d7f2078a99ba6e0609dea2665c6e532caaeb15c65a57fe3f2dbcae7a64025183460b966674548
-
SSDEEP
3072:YYqDquggQLf5q0fTrraXB75J8Nu/ttYmd7eUXDw/AnUs:/qfQk0fmPeiKAlDwIUs
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral2/memory/1976-133-0x0000000002440000-0x0000000002449000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 54 780 rundll32.exe 59 780 rundll32.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 4348 FF35.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4348 set thread context of 4460 4348 FF35.exe 98 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 4468 4348 WerFault.exe 87 4176 4348 WerFault.exe 87 2936 4348 WerFault.exe 87 4520 4348 WerFault.exe 87 2336 4460 WerFault.exe 98 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Checks processor information in registry 2 TTPs 46 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision FF35.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz FF35.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor FF35.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz FF35.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier FF35.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier FF35.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet FF35.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor FF35.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1976 file.exe 1976 file.exe 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found 376 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 376 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1976 file.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found Token: SeShutdownPrivilege 376 Process not Found Token: SeCreatePagefilePrivilege 376 Process not Found -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 4460 rundll32.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 376 wrote to memory of 4348 376 Process not Found 87 PID 376 wrote to memory of 4348 376 Process not Found 87 PID 376 wrote to memory of 4348 376 Process not Found 87 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 780 4348 FF35.exe 89 PID 4348 wrote to memory of 4460 4348 FF35.exe 98 PID 4348 wrote to memory of 4460 4348 FF35.exe 98 PID 4348 wrote to memory of 4460 4348 FF35.exe 98 PID 4348 wrote to memory of 4460 4348 FF35.exe 98
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1976
-
C:\Users\Admin\AppData\Local\Temp\FF35.exeC:\Users\Admin\AppData\Local\Temp\FF35.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
PID:780
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 6202⤵
- Program crash
PID:4468
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 9482⤵
- Program crash
PID:4176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 10002⤵
- Program crash
PID:2936
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 9922⤵
- Program crash
PID:4520
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
PID:4460 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 14643⤵
- Program crash
PID:2336
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 43481⤵PID:2392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4348 -ip 43481⤵PID:4272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 43481⤵PID:960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4348 -ip 43481⤵PID:3128
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4460 -ip 44601⤵PID:3380
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5e61dc22de3289357caf18ec84341f2e1
SHA139573e49bdaf6c7959384605c78c6417cc494569
SHA256c8e96cc5fd4a053395182baa57dbbf469a76e98fe84de77fbeb64707d79f0189
SHA5124a8a9a4c8904c52dbdd923aa950bf23029ecf3411a50ee75a2e7c8cdc3d192a0276dea74caea626298416c7e9f5306a2b0da1550152f78902ce5a8680f41ed06
-
Filesize
1.3MB
MD5e61dc22de3289357caf18ec84341f2e1
SHA139573e49bdaf6c7959384605c78c6417cc494569
SHA256c8e96cc5fd4a053395182baa57dbbf469a76e98fe84de77fbeb64707d79f0189
SHA5124a8a9a4c8904c52dbdd923aa950bf23029ecf3411a50ee75a2e7c8cdc3d192a0276dea74caea626298416c7e9f5306a2b0da1550152f78902ce5a8680f41ed06
-
Filesize
3.5MB
MD5a7d875022bb5e3a34d034b947003d1b3
SHA15905ca93fea101ce80e5bf8925eb2a7eec1e333d
SHA256bcdf4c540c4289f81c98448d0a4482a96522fb767ab6015e76288afce148226a
SHA512f2b78a100cf0fa84909629b892e548d7ef9797621623a96aa75f15241d7350eecca117c3793056c30dc317ade8ecc0023c2b875516d9c25ac9bb0d880bb3149a