Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 10:06

General

  • Target

    ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe

  • Size

    187KB

  • MD5

    da7cf91a9b196b15655775b92ef8d5a5

  • SHA1

    6db66196fe8d2b0a6f100fb830bdb9345bf4dad3

  • SHA256

    ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05

  • SHA512

    6e012cf80f8eb9ef275b47bd3c27a200a885acdefb73d66a42e4a9a251ff6d48151db663d9f66e098a1c73f90b2b496ea6de239e872db88e3ce99064277f26b5

  • SSDEEP

    3072:HcBJniL29rHLPA4WOSlD65U9yYvBsdMmvzRQK6jIx/m1DK4:Kn3zLPA4JSn9yYvLOzRQ6x/U

Malware Config

Signatures

  • Detects Smokeloader packer 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
    "C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe
      "C:\Users\Admin\AppData\Local\Temp\ac632790e3d97b844bbd1258626596d69fbf840206bbbe3fd780aba1862a4b05.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3084
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p
    1⤵
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    PID:3452

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2228-134-0x00000000008CE000-0x00000000008DF000-memory.dmp

    Filesize

    68KB

  • memory/2228-135-0x00000000007E0000-0x00000000007E9000-memory.dmp

    Filesize

    36KB

  • memory/3084-132-0x0000000000000000-mapping.dmp

  • memory/3084-133-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3084-136-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB

  • memory/3084-137-0x0000000000400000-0x0000000000409000-memory.dmp

    Filesize

    36KB