Analysis

  • max time kernel
    150s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    20/12/2022, 11:59

General

  • Target

    file.exe

  • Size

    217KB

  • MD5

    159bf3c1b8387fdd3ccdc293b8d5e9d2

  • SHA1

    5b23664c1b8b6c835e5067b90e07687aab4979a4

  • SHA256

    3ac7b32c46a0fc9a6b97aaa3bb18c06c8212d8869f87f0d2bb712ffbcb826967

  • SHA512

    145435b9af204328fa2cb4f7823fe2cf74948fa7bfa1b82f910e3e9769d346dc7985730b526bc913d6286fb83de43e74d7a23c224ff3013069c9afc48ed137cf

  • SSDEEP

    3072:G1C22LVxA2/HRS3NgT79LC8OphRXrM8L77b/tQA4ANHCDml:Gg22LrA2eNg9PiIqr1yqCa

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1692

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1692-54-0x00000000763A1000-0x00000000763A3000-memory.dmp

    Filesize

    8KB

  • memory/1692-55-0x000000000053B000-0x000000000054B000-memory.dmp

    Filesize

    64KB

  • memory/1692-56-0x0000000000220000-0x0000000000229000-memory.dmp

    Filesize

    36KB

  • memory/1692-57-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB

  • memory/1692-58-0x0000000000400000-0x000000000045F000-memory.dmp

    Filesize

    380KB