Analysis
- max time kernel: 152s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 01:05

Static task: static1
Behavioral task: behavioral1
Sample: e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
Resource: win10v2004-20221111-en
General
- Target: e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
- Size: 139KB
- MD5: a10aa0c17258a44e759636c4e9234833
- SHA1: 51a65c4d4daaf902e6df6af23d7ea4448ce9daeb
- SHA256: e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc
- SHA512: 88d56c3b88467876a026a4826087c9a205bcbf4190573a80c2cff3a261059edce43ecb83b2e5c5594d5bfb5f7caf18cc418ed2cd53f207cddba67893e0eca9c4
- SSDEEP: 1536:Bpu4PL102VxDCsmSr5d6oOJl9G9RBOZ0UP36mXbltxAGd7X1QjujFnew0m3iLMJe:7T+Qr5kYUGo7X1lQkWgJ7XNS
Malware Config
Signatures
- Detects Smokeloader packer (1 IoC)
  Processes:
  resource | yara_rule
  behavioral1/memory/2252-133-0x00000000005F0000-0x00000000005F9000-memory.dmp | family_smokeloader

  SmokeLoader: modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  2252 | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
  2252 | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
  1028 | (process name not recorded in the report; pid 1028 accounts for the remaining 62 IoCs)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  1028 | (process name not recorded in the report)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid | process
  2252 | e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
  Token: SeShutdownPrivilege | 1028 | (process name not recorded)
  Token: SeCreatePagefilePrivilege | 1028 | (process name not recorded)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid | process
  1028 | (process name not recorded in the report)
  1028 | (process name not recorded in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e4861d80302f48027074eccc07b464c721c0e31876ecf77b73ca06397c9111bc.exe"
   - Checks SCSI registry key(s)
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2252-132-0x000000000064D000-0x000000000065D000-memory.dmp (Filesize: 64KB)
- memory/2252-133-0x00000000005F0000-0x00000000005F9000-memory.dmp (Filesize: 36KB)
- memory/2252-134-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)
- memory/2252-135-0x0000000000400000-0x0000000000459000-memory.dmp (Filesize: 356KB)