Analysis
-
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 10:06
Static task: static1
Behavioral task: behavioral1
Sample: ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
Resource: win10v2004-20220812-en
General
-
Target: ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
Size: 187KB
MD5: da7cf91a9b196b15655775b92ef8d5a5
SHA1: 6db66196fe8d2b0a6f100fb830bdb9345bf4dad3
SHA256: ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05
SHA512: 6e012cf80f8eb9ef275b47bd3c27a200a885acdefb73d66a42e4a9a251ff6d48151db663d9f66e098a1c73f90b2b496ea6de239e872db88e3ce99064277f26b5
SSDEEP: 3072:HcBJniL29rHLPA4WOSlD65U9yYvBsdMmvzRQK6jIx/m1DK4:Kn3zLPA4JSn9yYvLOzRQ6x/U
Malware Config
Signatures
-
Detects Smokeloader packer (4 IoCs)
YARA rule hits on process memory dumps (resource, rule):
  behavioral1/memory/3084-133-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral1/memory/2228-135-0x00000000007E0000-0x00000000007E9000-memory.dmp  family_smokeloader
  behavioral1/memory/3084-136-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
  behavioral1/memory/3084-137-0x0000000000400000-0x0000000000409000-memory.dmp  family_smokeloader
The rule fires on a 0x9000-byte region at 0x400000 in the child (PID 3084), which is the default image base of a 32-bit executable, and on a region of the same size at 0x7E0000 in the parent (PID 2228): the unpacked payload is present in the parent's memory and again over the child's image.
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Drops file in System32 directory (2 IoCs)
Process: svchost.exe (PID 3452, "-k netsvcs -p"). The process tree lists this svchost.exe as its own top-level entry, not as a descendant of the sample, so the report does not attribute these writes to the sample.
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{A9EBA1CE-1697-4450-9511-4604DB9ED1E3}.catalogItem
  File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1D2BD920-41D8-4516-B3FE-F2E4DEADEC20}.catalogItem
Suspicious use of SetThreadContext (1 IoC)
  PID 2228 (ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe) set thread context of PID 3084 (ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device instance IDs under this key carry the disk vendor string, which on a virtual machine usually names the hypervisor.
Process: ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe (PID 3084 in the process tree)
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
Process: svchost.exe (PID 3452, listed separately from the sample in the process tree)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Enumerates system info in registry (2 TTPs, 2 IoCs)
Process: svchost.exe (PID 3452, listed separately from the sample in the process tree)
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3084  ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe  (2 entries)
  PID 3004  (image name not recorded in the report; this PID does not appear in the process tree)  (remaining 62 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3004  (image name not recorded in the report)
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3084  ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 3004  (image name not recorded in the report)  (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
  PID 3004  (image name not recorded in the report)  (3 entries)
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2228 (ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe) wrote to memory of PID 3084 (ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe)  (6 entries, same source, target and image in each)
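The signatures above describe two things an analyst would normally join by hand: the injection chain (WriteProcessMemory and SetThreadContext from PID 2228 into PID 3084, MapViewOfSection in PID 3084, the same family-tagged memory region in both) and the registry reads used for sandbox detection (SCSI enumeration, CPU and BIOS keys). The script below is an added example written for this page; it is not Triage's code and not anything from the sample. The record strings are transcribed from the signature lists above; the parsing, the rule logic, the function names (parse, find_hollowing, classify_registry), EVASION_PATHS and the category labels are my own assumptions.

```python
"""Correlate sandbox IoC records into process-hollowing and sandbox-evasion findings.

Added example for this report (not Triage's code, not from the sample). Record
strings are transcribed from the Signatures section; rules and names are mine.
"""
import re
from collections import defaultdict

SAMPLE = "ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe"

# Constructed input: (signature, IoC record) pairs copied from the report.
REPORT = [
    ("Suspicious use of SetThreadContext",
     f"PID 2228 set thread context of 3084 2228 {SAMPLE} {SAMPLE}"),
    *[("Suspicious use of WriteProcessMemory",
       f"PID 2228 wrote to memory of 3084 2228 {SAMPLE} {SAMPLE}")] * 6,
    ("Suspicious behavior: MapViewOfSection", f"3084 {SAMPLE}"),
    ("Detects Smokeloader packer",
     "behavioral1/memory/3084-133-0x0000000000400000-0x0000000000409000-memory.dmp family_smokeloader"),
    ("Detects Smokeloader packer",
     "behavioral1/memory/2228-135-0x00000000007E0000-0x00000000007E9000-memory.dmp family_smokeloader"),
    ("Checks SCSI registry key(s)",
     rf"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI {SAMPLE}"),
    ("Checks processor information in registry",
     r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString svchost.exe"),
    ("Enumerates system info in registry",
     r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe"),
]

# One regex per record shape that appears in the report.
RX = {
    "ctx":  re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$"),
    "wpm":  re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$"),
    "map":  re.compile(r"^(\d+) (\S+)$"),
    "yara": re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp (\S+)$"),
    "reg":  re.compile(r"^Key (?:value queried|queried|enumerated|opened) (\S+) (\S+)$"),
}

# Registry prefixes (uppercased) and the anti-analysis purpose they usually serve (my labels).
EVASION_PATHS = {
    r"\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\ENUM\SCSI": "SCSI device enumeration",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR": "CPU name/speed check",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS": "BIOS/SKU check",
}


def parse(report):
    """Turn (signature, record) pairs into typed event dicts; unknown shapes are skipped."""
    events = []
    for _sig, rec in report:
        for kind, rx in RX.items():
            m = rx.search(rec)
            if not m:
                continue
            if kind in ("ctx", "wpm"):
                src, dst, src_img, dst_img = m.groups()
                events.append({"kind": kind, "src": int(src), "dst": int(dst),
                               "src_img": src_img, "dst_img": dst_img})
            elif kind == "map":
                events.append({"kind": kind, "pid": int(m[1]), "img": m[2]})
            elif kind == "yara":
                pid, lo, hi, rule = m.groups()
                events.append({"kind": kind, "pid": int(pid), "base": int(lo, 16),
                               "size": int(hi, 16) - int(lo, 16), "rule": rule})
            else:
                events.append({"kind": kind, "path": m[1].upper(), "img": m[2]})
            break
    return events


def find_hollowing(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (source, target) edge.

    Writing into another process and then replacing a thread's context is the core
    of process hollowing. The extra fields record what makes this case convincing:
    same image on both ends, the target maps a section, and the family-tagged region
    in the target sits at 0x400000 (default 32-bit image base) with the same size as
    the tagged region in the source.
    """
    writes, ctx = defaultdict(int), {}
    for e in events:
        if e["kind"] == "wpm":
            writes[(e["src"], e["dst"])] += 1
        elif e["kind"] == "ctx":
            ctx[(e["src"], e["dst"])] = e
    mapped = {e["pid"] for e in events if e["kind"] == "map"}
    regions = defaultdict(list)
    for e in events:
        if e["kind"] == "yara":
            regions[e["pid"]].append((e["base"], e["size"], e["rule"]))
    findings = []
    for (src, dst), e in ctx.items():
        if (src, dst) not in writes:
            continue
        dst_regions = regions.get(dst, [])
        src_sizes = {size for _, size, _ in regions.get(src, [])}
        findings.append({
            "source": src, "target": dst,
            "same_image": e["src_img"] == e["dst_img"],
            "writes": writes[(src, dst)],
            "target_mapped_section": dst in mapped,
            "target_families": sorted({rule for _, _, rule in dst_regions}),
            "payload_at_image_base": any(base == 0x400000 for base, _, _ in dst_regions),
            "payload_size_matches_source": any(size in src_sizes for _, size, _ in dst_regions),
        })
    return findings


def classify_registry(events):
    """Map each process image to the evasion categories of the registry keys it read."""
    out = defaultdict(set)
    for e in events:
        if e["kind"] != "reg":
            continue
        for prefix, label in EVASION_PATHS.items():
            if e["path"].startswith(prefix):
                out[e["img"]].add(label)
    return dict(out)


if __name__ == "__main__":
    events = parse(REPORT)
    for finding in find_hollowing(events):
        print("hollowing:", finding)
    for img, labels in classify_registry(events).items():
        print(img, "->", sorted(labels))
```

Run as-is, the script reports one hollowing edge (2228 into 3084, six writes, same image, section mapped, payload at 0x400000 with a size matching the parent's tagged region) and attributes the SCSI enumeration to the sample but the CPU and BIOS reads to svchost.exe, which is the distinction the raw signature list blurs.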
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe"
  PID: 2228
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Depth 2 (child of PID 2228): C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe"
    PID: 3084
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
-
Depth 1: C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 3452
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry