Analysis
  max time kernel: 150s
  max time network: 110s
  platform: windows7_x64
  resource: win7-20221111-en
  resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  submitted: 19/12/2022, 09:26
Static task: static1

Behavioral task: behavioral1
  Sample: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Resource: win10v2004-20221111-en
General
  Target: 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Size: 215KB
  MD5: 8b0f52e9c1e77d9a28a42c37b9e0f85e
  SHA1: 2366e4199e5337a4372d70ad61e9b0b5b4ebcbd3
  SHA256: 5358987e29bbc904b8a14e89db649725e8fd97c2b2b369a30a3a3843357c76bf
  SHA512: d683fb13efc93431a81ea9f98a37d95471df12bc10f5c7db66f9a309613a16e7c6c062bea473363c8e4fc3f67bd0508e51077be326926f265d9cb5c800b331c3
  SSDEEP: 3072:MhlgLV5saR9MAmVtSBS40za9JIOJXKaNRAtOba+OljcbImdzmuX:M3gLV5KAmVt5gnJX90/ljcbXF
Malware Config
Signatures
Detects Smokeloader packer (1 IoC)
  resource                                                                       | yara_rule
  behavioral1/memory/1692-56-0x0000000000220000-0x0000000000229000-memory.dmp    | family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     | ioc                                             | Process
  Key opened      | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Key queried     | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  Key enumerated  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   | Process
  1692  | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  1692  | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe
  1192  | Process not Found  (this row is repeated for the remaining 62 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   | Process
  1192  | Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   | Process
  1692  | 8b0f52e9c1e77d9a28a42c37b9e0f85e.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   | Process
  1192  | Process not Found
  1192  | Process not Found

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   | Process
  1192  | Process not Found
  1192  | Process not Found