Analysis
- max time kernel: 150s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 20-12-2022 13:35
Behavioral task: behavioral1
- Sample: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
- Resource: win10v2004-20221111-en
General
- Target: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
- Size: 29KB
- MD5: cb4573fa9acae5c637fced7e7cb8192c
- SHA1: d2145f53a192e768b8bfbf9b633941790424ff7f
- SHA256: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383
- SHA512: 450a7dd225a0534c78073fc4fd519af2a82fc86f78ce1e9ce92a990cc1132f26546182ec6e26880cfa75ff405bf0a682b1f0ed9cdfc3a9579b598294f89cc3cc
- SSDEEP: 768:0BCzbIqVpKx3Vy2C0Jjfp/zX+Y9Kw5LG3OILRSwEqqmhAZPg5W:0+Iqqx3VyExprXl9Kw5LGBcPma0W
Malware Config
Signatures
- Detects Smokeloader packer (2 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/2040-55-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
    behavioral1/memory/2040-56-0x0000000000400000-0x0000000000409000-memory.dmp / family_smokeloader
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
  Entries (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
    Key queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
    Key enumerated / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI / cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
  Entries (pid / process):
    2040 / cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe (2 entries)
    1208 / (no process name recorded; repeated for the remaining entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Entries (pid / process):
    1208 / (no process name recorded)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
  Entries (pid / process):
    2040 / cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cb029abb2b41e175e1d5f9e9d37247e50569005c18158f133e1917a5fe1f5383.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection