Analysis
-
max time kernel
151s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
22/11/2022, 16:28
Static task
static1
Behavioral task
behavioral1
Sample
28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe
Resource
win7-20220812-en
windows7-x64
5 signatures
150 seconds
General
-
Target
28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe
-
Size
303KB
-
MD5
fd5756155b06ca69cc499ec9d6e695b1
-
SHA1
bb072ae8b2acc490e4edaf1ddf9c517b9ad868d5
-
SHA256
28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259
-
SHA512
4c8f54f1f2624323968a793c3861e6f4f1ee96bee4f695a2f3c4191ecc30e2b8494ef4d7d81eed08f89d7b59dea8b514ab32475cfea56ee1441545c522a78021
-
SSDEEP
6144:JFV2Vqke3XQE9ux+LWFvviu22tThsIeGjY6:gk70+k3l22ZVE
Score
10/10
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
resource yara_rule behavioral1/memory/1604-56-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1604 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe 1604 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1604 28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe"C:\Users\Admin\AppData\Local\Temp\28194aab838d42d44d039b2532c6af754db65d25453d583d491d785245589259.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1604