Analysis

max time kernel: 150s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2022 20:27
Static task: static1

Behavioral task: behavioral1
  Sample: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  Resource: win10v2004-20221111-en
General

Target: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Size: 214KB
MD5: 816287b83f2bcba44a103e227868ef1f
SHA1: 4a57ff432e2f83bdbdb5c1d880728e02a47262bb
SHA256: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc
SHA512: 0235eaf331a51d8dccb1352769eb72545c36ead5ce5b988a279c795dc840cdc25a750b5b15c185df95fd4523bca45ab843a8f0c89baf4d2bad6ad3e0d5d062ea
SSDEEP: 3072:IX4oLOH3aR6hPmyakx2fb+Siha+onfhe+aNRAtOba+oN2ZEzjcbImdzmuX:IIoLOHrhPmmx2T+SMinpex0RNjjcbXF
Malware Config

(no configuration extracted)

Signatures

Detects Smokeloader packer (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/1216-56-0x0000000000220000-0x0000000000229000-memory.dmp  family_smokeloader

SmokeLoader
  Modular backdoor trojan in use since 2014.
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  description     ioc                                              process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  pid   process
  1216  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  1216  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  1208  (no process name recorded; this PID accounts for all remaining entries of the 64)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1208  (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  pid   process
  1216  c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c31618dee7fb1f9d3b5cdc3fd42a8a498695e062404d1a5244c3b09466e912fc.exe"
  PID: 1216
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection