Overview

overview

10

Static

static

929882be0f...c8.exe

windows7-x64

10

929882be0f...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    35s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 07:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    929882be0fa5b77a571251f3698d0bc8.exe

  • Size

    301KB

  • MD5

    929882be0fa5b77a571251f3698d0bc8

  • SHA1

    065434ea50364cfb31727af153bc887e33a8c8a4

  • SHA256

    082a06d914150e8388b803745507a56f8387d6f3dea943f44525e58955de9019

  • SHA512

    ad8d4344debc2c7a78d45bc98aeee7d1be04197e0e7d35a7cbf8742575cd04a9e79f2c375512306a5d2af9b20a37425239480d0db4417145981bb03baab9f0b8

  • SSDEEP

    6144:ia7t2SlY1ZvPhn4Tfxq+TZ2KNauCflrX4lO6fE6Nn:t8Wyv14TfxJdcuQlrDJ6N

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 5 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\929882be0fa5b77a571251f3698d0bc8.exe
    "C:\Users\Admin\AppData\Local\Temp\929882be0fa5b77a571251f3698d0bc8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\929882be0fa5b77a571251f3698d0bc8.exe
      "C:\Users\Admin\AppData\Local\Temp\929882be0fa5b77a571251f3698d0bc8.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1832

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1220-61-0x000007FEF60A0000-0x000007FEF61E3000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1220-62-0x000007FEE0A30000-0x000007FEE0A3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1264-58-0x00000000002A0000-0x00000000002A9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1264-56-0x00000000004EC000-0x0000000000501000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1832-54-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1832-55-0x0000000000402DD8-mapping.dmp

    Download

  • memory/1832-57-0x0000000074E01000-0x0000000074E03000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1832-59-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1832-60-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

    Download