Analysis

max time kernel: 165s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 15:44

Static task: static1
Behavioral task: behavioral1
Sample: 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
Resource: win10v2004-20221111-en
General

Target: 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
Size: 274KB
MD5: f4d933eba93d06e885e32ae227fe113b
SHA1: d4e6d857a348eabe4c3a0cf508248fe7f50c737f
SHA256: 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98
SHA512: 9c41ad7a7716a4077b4d10b0ed23298b87a15f086404b3516060a3c4ef18ac4687dff4da3d9176f8708887632accc5d9dfd675bdf9e1eb53ed27462ad3c67869
SSDEEP: 3072:z/xXVsttpYVWSRv/C/WW5KaMqRqqqWYCYZhaPV6nqmhTDw02rwkGpv02ZeXGMh0r:DVp/CiNzWIhaQql02sk8vve2U
Malware Config
Signatures
Detects Smokeloader packer (4 IoCs)
resource | yara_rule
behavioral1/memory/4796-133-0x0000000002060000-0x0000000002069000-memory.dmp | family_smokeloader
behavioral1/memory/3512-136-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/3512-138-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
behavioral1/memory/3512-139-0x0000000000400000-0x0000000000409000-memory.dmp | family_smokeloader
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4796 set thread context of 3512 | 4796 | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe | 85
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device identifiers enumerated under Enum\SCSI carry the virtual disk vendor strings (for example VMware or VirtualBox) that tell a VM apart from bare metal.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3512 | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
3512 | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe
764 | Process not Found (62 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
764 | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
3512 | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4796 wrote to memory of 3512 | 4796 | 462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe | 85 (6 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe (PID 4796)
  command line: "C:\Users\Admin\AppData\Local\Temp\462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe (PID 3512, child of 4796)
    command line: "C:\Users\Admin\AppData\Local\Temp\462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
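The sequence recorded in the signature and process sections (the parent PID 4796 writes into its own child PID 3512 and then resets the child's thread context, after which the child enumerates Enum\SCSI) is the shape analysts usually label process hollowing plus a sandbox check, and it can be re-derived mechanically from the IoC rows. The script below is an added example; it is not part of this sandbox report or of the sandbox's own detection engine. The event strings are re-typed from the rows above as constructed input so it runs offline, and the column layout it parses, the rule names it emits and the parent/child map are this example's own assumptions.

```python
"""Correlate sandbox behavioural IoC rows into higher-level findings.

Added example, not part of the sandbox report or of its detection engine.
The EVENTS list re-types the report's own IoC rows as constructed input so
the script runs offline; column layout, rule names and the parent/child
map are this example's assumptions about how such rows are laid out.
"""
import re
from collections import Counter, defaultdict

IMAGE = "462318633e7d48f3462e76f08a6f5fa5d46552ec82f9810c430ccb1646209a98.exe"

# Constructed from the report's rows: one string per IoC, in report order.
EVENTS = (
    [f"PID 4796 set thread context of 3512 4796 {IMAGE} 85"]
    + [f"PID 4796 wrote to memory of 3512 4796 {IMAGE} 85"] * 6
    + [
        f"Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {IMAGE}",
        f"Key queried \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {IMAGE}",
        f"Key enumerated \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Enum\\SCSI {IMAGE}",
    ]
)

# Process tree from the report: pid -> image, and child pid -> parent pid.
PROCESS_IMAGE = {4796: IMAGE, 3512: IMAGE}
PARENT_OF = {3512: 4796}

# "PID <src> <action> <dst> <pid> <image> <procid_target>"; the pid column
# repeats <src>, which the backreference enforces.
CROSS_PROC = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<procid_target>\d+)$"
)
# "Key <op> \REGISTRY\MACHINE\SYSTEM\<control set>\Enum\SCSI <image>"
REG_SCSI = re.compile(
    r"^Key (?P<op>opened|queried|enumerated) "
    r"(?P<key>\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Enum\\SCSI) "
    r"(?P<image>\S+)$"
)


def parse(events):
    """Bucket cross-process actions by (src, dst) and SCSI key reads by image."""
    cross = defaultdict(Counter)
    scsi = Counter()
    for line in events:
        m = CROSS_PROC.match(line)
        if m:
            cross[(int(m["src"]), int(m["dst"]))][m["action"]] += 1
            continue
        m = REG_SCSI.match(line)
        if m:
            scsi[m["image"]] += 1
    return cross, scsi


def findings(events, image_of=PROCESS_IMAGE, parent_of=PARENT_OF):
    """Return (rule, ...) tuples for the injection and sandbox-check patterns.

    A memory write alone is not enough: remote writes without a thread-context
    change are routine (loaders, debuggers), so the rule needs both signals
    on the same parent -> child pair before it fires.
    """
    cross, scsi = parse(events)
    out = []
    for (src, dst), actions in cross.items():
        wrote = actions["wrote to memory of"]
        ctx = actions["set thread context of"]
        if wrote and ctx and parent_of.get(dst) == src:
            same = image_of.get(src) == image_of.get(dst)
            rule = "hollowing_same_image" if same else "hollowing"
            out.append((rule, src, dst, wrote, ctx))
    for image, n in scsi.items():
        out.append(("sandbox_check_scsi_enum", image, n))
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(*f)
```

Run as-is it reports one `hollowing_same_image` finding for 4796 -> 3512 (six writes, one context change) and one `sandbox_check_scsi_enum` finding with three key accesses. Feeding it only the WriteProcessMemory rows yields no injection finding, which is the point of requiring both signals: the child being a fresh instance of the same image is what separates this from an ordinary loader writing into a process it owns.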