Analysis
- max time kernel: 210s
- max time network: 229s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 20:30
Static task
- static1
Behavioral task
- behavioral1
  - Sample: ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - Resource: win7-20221111-en
Behavioral task
- behavioral2
  - Sample: ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - Resource: win10v2004-20221111-en
General
- Target: ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
- Size: 147KB
- MD5: 261595612bf663a5ef5f96c02d51d66b
- SHA1: e25c4cda538dab71f7973e1b75b4f9db80888910
- SHA256: ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254
- SHA512: 76459bc5747642fd6ff88385e4b07cdf1fcce78e7ee9c7d315be478fdd676e58f81b3fdc3d38bf5dbca9e49b9ad28a70ecb861d669f5c9ff83abc143d485f39b
- SSDEEP: 3072:Qrbe7p3M5n5kJldsbcymhP+egCoupZ9v:Cet3MsVsbXUP+C
Malware Config
Signatures
- Detects Smokeloader packer (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/3160-133-0x0000000000C60000-0x0000000000C69000-memory.dmp / family_smokeloader
  - behavioral2/memory/3160-137-0x0000000000C60000-0x0000000000C69000-memory.dmp / family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid / process):
  - 3160 / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - 3160 / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  - 2584 / (no process name recorded; this pid accounts for the remaining 62 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
  - 2584 / (no process name recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid / process):
  - 3160 / ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ed4b77f4fc63c9087159fa845de6e12cdcd51648583641ac767cc6f7db3df254.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump / filesize)
- memory/3160-132-0x0000000000DCE000-0x0000000000DDE000-memory.dmp / 64KB
- memory/3160-133-0x0000000000C60000-0x0000000000C69000-memory.dmp / 36KB
- memory/3160-134-0x0000000000DCE000-0x0000000000DDE000-memory.dmp / 64KB
- memory/3160-135-0x0000000000400000-0x0000000000AD6000-memory.dmp / 6.8MB
- memory/3160-137-0x0000000000C60000-0x0000000000C69000-memory.dmp / 36KB
- memory/3160-136-0x0000000000DCE000-0x0000000000DDE000-memory.dmp / 64KB
- memory/3160-138-0x0000000000400000-0x0000000000AD6000-memory.dmp / 6.8MB