Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2022 09:03
Static task
static1
Behavioral task
behavioral1
Sample
7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe
-
Size
163KB
-
MD5
b3b837e0c442cfe5a952f7d161726220
-
SHA1
9f3e370d1a31e87974c45e04c9b300ad348a968b
-
SHA256
7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69
-
SHA512
eb7e03c2a589198fd650ba20164f529b00b5575d4047d06796c51d6e5f87ec71e2c05f7a9d061c947aa8743d566537bc2b5c673d32990277eac538f9dd759a09
-
SSDEEP
3072:x6qdnK5lgFd2poUe5yOp5PgxnaSmoIvJ4AZQ4vbQh2g86537T36:kX5wd2poH5TgxaxoIxJZTcTY
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1964-133-0x00000000006E0000-0x00000000006E9000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1964 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe 1964 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found 3020 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3020 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1964 7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe"C:\Users\Admin\AppData\Local\Temp\7b74f7a383e53db77de12baf859b2b679b60e7195caab961bc6950ca66eb2c69.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1964