Analysis
max time kernel: 153s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 22:55
Static task: static1
Behavioral task: behavioral1
  Sample: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
  Resource: win10v2004-20220812-en
General
Target: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
Size: 148KB
MD5: fa907316045e5f7bfb76ecdd647e0beb
SHA1: 8e7a1fa58f0177bbd6481c5bac4e84e9d563abf4
SHA256: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88
SHA512: 1464560191cdedb62fdcd53028b15eba2a59d84f3d267332b2c07b076c142c9c1bfa27bc41d99b1c9b5a0a89c86fa765a5847832c157e4c2ed323e050d00c114
SSDEEP: 3072:SXUzDjSuaWh5OvRZlf8x+ThQ20NxhgTx:ckD2ua/vzV+20NbQ
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
  Resource: behavioral1/memory/548-56-0x0000000000230000-0x0000000000239000-memory.dmp
  YARA rule: family_smokeloader
SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  PID 548: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
  PID 548: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
  The remaining entries record PID 1380 repeatedly, with no process name given in the report.
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 548: 91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
Processes
C:\Users\Admin\AppData\Local\Temp\91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\91f652990763a1ab5d84684790c5b5594028fec3801f38c69a2d58c0d91e1f88.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 548