Analysis
max time kernel: 151s
max time network: 42s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 21-11-2022 14:57
Static task: static1
Behavioral task: behavioral1
  Sample: 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  Resource: win10v2004-20220812-en
General
Target: 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
Size: 162KB
MD5: 10321d39a95cdccc1677c3bcca6cc5f1
SHA1: c4f63a737452a7ec50a2d5aa07622b94f65f9be5
SHA256: 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba
SHA512: 9c630f14b8895da71876fd1e2c7e6d28821348be0c54eae9552651fa8c3747fc47f1967c7c0b9199dcf91794215c06a07c2ac1eddf71b5ad6fb2e5b152a8ae5d
SSDEEP: 3072:bRECnqOi2JzXbNOp5C3KrGFlOVJ8qIolb1jOOIbXViK:VYOi4buAlO8qIovjs7V
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource | yara_rule
  behavioral1/memory/900-56-0x00000000001B0000-0x00000000001B9000-memory.dmp | family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  900 | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  900 | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  1424 | Process not Found (this same entry is repeated for the remaining 62 of the 64 IoCs)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  900 | 6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6215c136be1a9335085303fa1eb855563b273dd275b9c6e320691a3045c72dba.exe"
  PID: 900
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection