Analysis
-
max time kernel
152s -
max time network
31s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 07:44
Static task
static1
Behavioral task
behavioral1
Sample
2c5779a71854d22c35fff2a8ee080c09.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
2c5779a71854d22c35fff2a8ee080c09.exe
Resource
win10v2004-20220812-en
General
-
Target
2c5779a71854d22c35fff2a8ee080c09.exe
-
Size
188KB
-
MD5
2c5779a71854d22c35fff2a8ee080c09
-
SHA1
e298451214511728866814fa03fa944d54eaab6d
-
SHA256
5b170fbc0ef97dcda6c73a909db99f0b68bcf82413d3b700d84b4186a86611ce
-
SHA512
fc20055dfbf3ae74ceae313284257418ffd870af68539ab4437290bee1b4514b3aa6be30fb54788121e47c7419bd36814fcc07a71e6a313b32bbf81585b8294a
-
SSDEEP
3072:4K9FUcgvEJYzsduzL/gSAMSHG5KaLgvWHJPKXRPH4BvP:jFuzzL/vAv7aXHJgBH4
Malware Config
Signatures
-
Detects Smokeloader packer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1108-56-0x0000000000220000-0x0000000000229000-memory.dmp family_smokeloader -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
2c5779a71854d22c35fff2a8ee080c09.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2c5779a71854d22c35fff2a8ee080c09.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2c5779a71854d22c35fff2a8ee080c09.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 2c5779a71854d22c35fff2a8ee080c09.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
2c5779a71854d22c35fff2a8ee080c09.exepid process 1108 2c5779a71854d22c35fff2a8ee080c09.exe 1108 2c5779a71854d22c35fff2a8ee080c09.exe 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 1268 -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 1268 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
2c5779a71854d22c35fff2a8ee080c09.exepid process 1108 2c5779a71854d22c35fff2a8ee080c09.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process Token: SeShutdownPrivilege 1268
Processes
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1108-54-0x00000000767F1000-0x00000000767F3000-memory.dmpFilesize
8KB
-
memory/1108-55-0x000000000077B000-0x000000000078C000-memory.dmpFilesize
68KB
-
memory/1108-56-0x0000000000220000-0x0000000000229000-memory.dmpFilesize
36KB
-
memory/1108-57-0x0000000000400000-0x000000000064D000-memory.dmpFilesize
2.3MB
-
memory/1108-58-0x0000000000400000-0x000000000064D000-memory.dmpFilesize
2.3MB
-
memory/1268-59-0x000007FEF6C90000-0x000007FEF6DD3000-memory.dmpFilesize
1.3MB
-
memory/1268-60-0x000007FF62B30000-0x000007FF62B3A000-memory.dmpFilesize
40KB