Analysis

max time kernel: 209s
max time network: 249s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/11/2022, 06:36

Static task: static1
Behavioral task: behavioral1
Sample: 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
Resource: win10v2004-20221111-en
General

Target: 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
Size: 147KB
MD5: 5db119ce603aae4b28af5436a9ccdd61
SHA1: 7f7dde665b3ce84ab5e61ad82ec0f8f11d4c75cd
SHA256: 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556
SHA512: 4d733e42da053b3c472d1c3c67d2151b2f4f95dcfa074fff1e1dc9269bb558afcdcc8792121a66d86cef3ddf6c7d78e4a86de5148cfde8ca0ab55b9f47998bbd
SSDEEP: 3072:czIq50/Zqd3cB5imBXUQHCW6i3VEbgknwCFY2Bx7YL8b:tqwqd3kU86iU7wX2jc
Malware Config

Signatures

Detects Smokeloader packer (6 IoCs)
resource / yara_rule:
- behavioral1/memory/3660-133-0x00000000005B0000-0x00000000005B9000-memory.dmp / family_smokeloader
- behavioral1/memory/2080-135-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
- behavioral1/memory/2080-136-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
- behavioral1/memory/2080-138-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
- behavioral1/memory/5108-146-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
- behavioral1/memory/5108-147-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
Executes dropped EXE (2 IoCs)
pid / Process:
- 4952 / cgriwej
- 5108 / cgriwej

Suspicious use of SetThreadContext (2 IoCs)
description / pid / Process / procid_target:
- PID 3660 set thread context of 2080 / 3660 / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe / 82
- PID 4952 set thread context of 5108 / 4952 / cgriwej / 93
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cgriwej
- Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cgriwej
- Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cgriwej
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process:
- 2080 / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- 2080 / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- 2688 / Process not Found (the remaining 62 entries, all identical)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / Process:
- 2688 / Process not Found

Suspicious behavior: MapViewOfSection (2 IoCs)
pid / Process:
- 2080 / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
- 5108 / cgriwej
Suspicious use of AdjustPrivilegeToken (20 IoCs)
description / pid / Process:
- Token: SeShutdownPrivilege / 2688 / Process not Found (10 identical entries)
- Token: SeCreatePagefilePrivilege / 2688 / Process not Found (10 identical entries)

Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
- 2688 / Process not Found
- 2688 / Process not Found

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / Process / procid_target:
- PID 3660 wrote to memory of 2080 / 3660 / 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe / 82 (6 identical entries)
- PID 4952 wrote to memory of 5108 / 4952 / cgriwej / 93 (6 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe"
  PID: 3660
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556.exe"
    PID: 2080
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

- C:\Users\Admin\AppData\Roaming\cgriwej
  Command line: C:\Users\Admin\AppData\Roaming\cgriwej
  PID: 4952
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\cgriwej (child process)
    Command line: C:\Users\Admin\AppData\Roaming\cgriwej
    PID: 5108
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 147KB
  MD5: 5db119ce603aae4b28af5436a9ccdd61
  SHA1: 7f7dde665b3ce84ab5e61ad82ec0f8f11d4c75cd
  SHA256: 9a9e0539675664353532a14f3d10f6a4e0f98e225f70d272c8c8d49cfc793556
  SHA512: 4d733e42da053b3c472d1c3c67d2151b2f4f95dcfa074fff1e1dc9269bb558afcdcc8792121a66d86cef3ddf6c7d78e4a86de5148cfde8ca0ab55b9f47998bbd