Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/11/2022, 10:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    187KB

  • MD5

    489c542faa295d022be460c502aff210

  • SHA1

    37f4591403e477e3a8ce9eec502aa6b3b35bd549

  • SHA256

    a0c4747fcf2a1de2b4c9d9367342fb495c34f6250400c68ee76b2f5c35991b01

  • SHA512

    d74062694d4d53120d149092d5f99b93533e6bbe8a6485f86b16e4e35785f083dbe29ddd2f45782b3c6f47b0c67f2ad11b651853c00000fcaa76739dbf38a508

  • SSDEEP

    3072:fNOkXn/d3YoHDLeLSpUkhBoui05zxiQ2uEZUVJscBlJOCWFyAf:0kdFHeLSpU2Ouh2upJDCyAf

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Executes dropped EXE 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1048
  • C:\Users\Admin\AppData\Roaming\dstghjt
    C:\Users\Admin\AppData\Roaming\dstghjt
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:3784

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\dstghjt
    Filesize

    187KB

    MD5

    489c542faa295d022be460c502aff210

    SHA1

    37f4591403e477e3a8ce9eec502aa6b3b35bd549

    SHA256

    a0c4747fcf2a1de2b4c9d9367342fb495c34f6250400c68ee76b2f5c35991b01

    SHA512

    d74062694d4d53120d149092d5f99b93533e6bbe8a6485f86b16e4e35785f083dbe29ddd2f45782b3c6f47b0c67f2ad11b651853c00000fcaa76739dbf38a508

    Download Submit

  • C:\Users\Admin\AppData\Roaming\dstghjt
    Filesize

    187KB

    MD5

    489c542faa295d022be460c502aff210

    SHA1

    37f4591403e477e3a8ce9eec502aa6b3b35bd549

    SHA256

    a0c4747fcf2a1de2b4c9d9367342fb495c34f6250400c68ee76b2f5c35991b01

    SHA512

    d74062694d4d53120d149092d5f99b93533e6bbe8a6485f86b16e4e35785f083dbe29ddd2f45782b3c6f47b0c67f2ad11b651853c00000fcaa76739dbf38a508

    Download Submit

  • memory/1048-132-0x00000000008ED000-0x00000000008FE000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1048-133-0x00000000007D0000-0x00000000007D9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1048-134-0x0000000000400000-0x000000000064D000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/1048-135-0x00000000008ED000-0x00000000008FE000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1048-136-0x00000000007D0000-0x00000000007D9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1048-137-0x0000000000400000-0x000000000064D000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3784-140-0x000000000094D000-0x000000000095E000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3784-141-0x0000000000400000-0x000000000064D000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3784-142-0x0000000000400000-0x000000000064D000-memory.dmp

    Filesize

    2.3MB

    Download