Analysis
max time kernel: 264s
max time network: 336s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 07:58
Static task: static1
Behavioral task: behavioral1
  Sample: f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
  Resource: win10v2004-20220812-en
General
Target: f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
Size: 139KB
MD5: 32191aee56b30023f3cd0a6f4e484163
SHA1: 2711cc113a1b85117f8794190187f37f69af0a4b
SHA256: f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2
SHA512: 0ac31edbd70062e51876e91c51595cf17dde0f19ff174c3403c81c0a019dc789c0fc2a4ea88cb89f7e6f5ee76925c481ff3a937b762ece2658cf16f851611607
SSDEEP: 1536:Tpu4lLGd2l/Tq7Kmgwr56HgAk91k5V/WW/jwHZwSotgGcGCiDRhO+yBLAriIyC3D:dTI2+r5RAEC+F5wp9CiDR1Yt63
Malware Config
Signatures

Detects Smokeloader packer (1 IoC)
  resource: behavioral1/memory/516-57-0x00000000003A0000-0x00000000003A9000-memory.dmp
  yara_rule: family_smokeloader
  SmokeLoader: modular backdoor trojan in use since 2014.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Process: f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
    Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key opened:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI
    Key queried:    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 516, process f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe (2 entries)
  pid 1264, no process name recorded (remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1264, no process name recorded

Suspicious behavior: MapViewOfSection (1 IoC)
  pid 516, process f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f58752f637bec33f5c6032a0b001f7f6fb3f8ffc6b16be12e69e7a7c42260bc2.exe"
  PID: 516
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection